The FTC alleged in a 2012 lawsuit that Wyndham engaged in an unfair business practice by failing to take reasonable security measures, such as using firewalls and encrypting credit-card information.
But Wyndham says that it is the victim in this case, and shouldn't now face charges due to the actions of fraudsters.
“As a matter of law and common sense, a business cannot be deemed to have engaged in an 'unfair' practice where, as here, that business itself was the victim of criminal conduct by others,” Wyndham argues in papers filed this week with the 3rd Circuit Court of Appeals.
The company is asking that court to reverse a ruling issued earlier this year by U.S. District Court Judge Esther Salas in New Jersey, who rejected Wyndham's request to dismiss the charges.
“There is no allegation here (nor could there plausibly be) that Wyndham sought to take advantage of its customers, or had any incentive to tolerate or encourage the hackers’ crimes,” Wyndham argues in its appellate papers.
The hotel chain says the FTC can't impose security requirements retroactively, especially when it has never promulgated standards for data security. “The Commission has simply anointed itself a roving cybersecurity prosecutor -- but, unlike other prosecutors, one that seeks to define the offense and to do so after the fact,” Wyndham says in its brief.
The legal battle has drawn interest from outside groups, including the U.S. Chamber of Commerce, which sided with Wyndham, and Public Citizen, which backed the FTC.
Since 2011, the FTC has brought dozens of enforcement actions charging companies with violating consumers' privacy or mishandling their data. Unlike Wyndham, most of the companies settled with the FTC.