FTC's data security lawsuit against Wyndham hotel chain can proceed


A federal judge has refused to dismiss a lawsuit filed by the Federal Trade Commission against Wyndham Worldwide Corp. in which the agency charged the hotel chain with failing to maintain adequate data security for consumers' sensitive personal information.

Parsippany, N.J.-based Wyndham charged in its lawsuit seeking to dismiss the case that the FTC, which had filed its complaint against the chain in June 2012, did not have the authority to assert an unfairness claim in the data security context; that it must formally promulgate regulations before bringing its unfairness claim; and that its allegations are insufficiently pleaded, according to the ruling by U.S. District Court Judge Esther Salas in Newark, N.J. in Federal Trade Commission v. Wyndham Worldwide Corp. et al.

According to its lawsuit, the FTC charged that since at least April 2008, Wyndham has “failed to provide reasonable and appropriate security for the personal information collected and maintained” by its hotels.

The FTC says because of these failures, intruders gained unauthorized access on three separate occasions between April 2008 and January 2010 to its hotels and resorts unit's computer network, and used similar techniques on each occasion to access personal information stored on its property management system services, including customers' payment card account numbers, expiration dates and security codes.

The FTC also charged that Wyndham “failed to take appropriate steps in a reasonable time frame to prevent further compromise” of the network after the first two breaches.

The ruling also states that according to the FTC, Wyndham failed to employ firewalls; permitted storage of payment card information in clear, readable text; failed to make sure its hotels implemented adequate information security procedures prior to connecting their local computer networks to its hotels and resorts unit's computer network; and permitted Wyndham hotels to connect insecure servers to the hotels and resorts unit's networks, including servers using outdated operating systems that could not receive updates or patches to address security vulnerabilities, among other issues.

Judge Salas on Monday dismissed all Wyndham's charges in her ruling. “The court is guided by precedent that compels rejecting (Wyndham's) request to carve out a data-security exception to the FTC's authority,” says the ruling.

She also states she is not persuaded that the FTC must formally issue rules and regulations before it can file an unfairness claim. The decision also holds that the FTC sufficiently pleaded its unfairness claim.

Judge Salas said in her ruling that her decision resolves a motion to dismiss a complaint and is not a judgment on Wyndham's potential liability. She states also that the ruling “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”

“Instead, the Court denies a motion to dismiss given the allegations in this complaint — which must be taken as true at this stage — in view of binding and persuasive precedent,” said Judge Salas.