A legal bid to rein in the Federal Trade Commission's cybersecurity authority has ended in defeat for the business community, leaving the FTC as an undisputed enforcer of cyberstandards.
For many companies, particularly those in the retail and hospitality industries, the FTC has served as a de facto cybersecurity regulator.
Now, with the announcement last week that the commission and Wyndham Hotels and Resorts have settled a closely watched customer data breach case, the FTC's legal authority to enforce somewhat ambiguous cybersecurity standards has a firm legal stamp of approval.
The settlement comes several months after a U.S. court of appeals rejected the hotel operator's argument that the FTC lacked legal authority to bring the case in the first place. Wyndham declined to appeal to the Supreme Court and instead entered settlement negotiations with the commission.
That's a far cry from how business leaders and industry lawyers expected to see this one play out.
The U.S. Chamber of Commerce and other members of the business community saw the case as an opportunity to take on the FTC and impose some limits on its cybersecurity enforcement authority.
But the business-sector argument didn't fly at a federal district court or at the U.S. Third Circuit Court of Appeals, and Wyndham ultimately decided to cut its losses.
"Under the terms of the settlement, the company will establish a comprehensive information security program designed to protect cardholder data — including payment card numbers, names and expiration dates," according to an FTC statement. "In addition, the company is required to conduct annual information security audits and maintain safeguards in connections to its franchisees' servers."
Wyndham must follow the terms of the settlement for 20 years, which FTC enforcement chief Jessica Rich told reporters was a substantial obligation for the company.
"There will be very strong protections for consumers going forward," Rich said.
Wyndham put a positive spin on the outcome. "We are pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief," the company said in a statement.
The FTC didn't impose monetary penalties because it doesn't have such authority. It's a regulatory gap that commission leaders have repeatedly asked Congress to address.
Wyndham added, "We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place, and that the FTC's position could have had a negative impact on the franchise business model."
Now, the company said, "This settlement resolves these issues, and sets a standard for what the government considers reasonable data security of payment card information."
The FTC believes the standard has been clearly stated for some time, and is "reaffirmed" by the two court rulings and Wyndham's willingness to settle rather than fight it out.
"We're proud of this case but don't believe it sets a new standard," Rich said. "It reaffirms our standard."
Industry sources have long complained about the ambiguity and regulatory expansiveness of the FTC's approach. Data breach notification legislation could address that, but such measures have stalled in Congress. Lawmakers are hoping the issue gets more traction next year.
Rich and the FTC point to the "enormous amount of guidance" the commission has released on companies' consumer data protection responsibilities since 2001. The guidance documents, including a "Start with Security" series, spell out the "reasonable" steps the private sector should take.
Industry attorneys may be busy taking a second look at those documents following the Wyndham outcome.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.