By Fred H. Cate and Andrew A. Proia

A decision is expected any day now from the U.S. District Court in New Jersey in the Federal Trade Commission’s lawsuit against Wyndham Hotels for allegedly shoddy information security practices. Judge Esther Salas’ decision promises to have far-reaching consequences for information security throughout the nation.

The case began in 2008 when Russian hackers broke into the Phoenix data center of Wyndham, one of the nation’s largest hotel chains, headquartered in Parsippany. Over the next 20 months, the hackers invaded Wyndham’s systems twice more and stole information, including credit card data, for hundreds of thousands of customers, resulting in more than $10 million in fraudulent purchases.

Last June, the FTC sued Wyndham under Section 5 of the FTC Act, which gives the commission general authority to target "deceptive" or "unfair" practices affecting commerce.

Over the past decade, the commission has brought 46 similar cases. In all of the prior cases, however, the targets of the FTC’s suits settled — agreements that usually involve no fine or admission of wrongdoing, but subject the companies to 20 years of FTC oversight.

Wyndham, however, decided to stand and fight, thus presenting the first legal test of whether the FTC has the authority to bring cases for supposedly inadequate security protections.

Both sides have compelling arguments. The commission points to 10 basic "data security failures" by Wyndham that allowed the hackers to penetrate Wyndham’s systems not once but three times.

For its part, Wyndham responds that its security practices were reasonable, given what was known about security threats from 2008 to 2010, and that no customers were injured. Because U.S. federal law has long shifted responsibility for fraudulent charges away from cardholders to merchants and banks, Wyndham notes that businesses paid the cost of fraudulent charges, not customers.

Moreover, Wyndham argues that the security practices the FTC now believes should have been in place are expensive, and that their cost would have far outweighed the "trivial" inconvenience suffered by consumers who had to report fraudulent charges or were issued new credit cards.

Wyndham makes a series of broader and more ambitious arguments, as well — namely that the commission, which focuses on antitrust and consumer protection issues, lacks the authority to establish security standards. Even if it had that authority, Wyndham argues it would have to announce security standards in advance, before seeking to enforce them, rather than after the fact, relying on a century-old statute.

The commission argues the FTC Act was intended to be flexible to address unanticipated applications. More to the point, the FTC has emerged as the nation’s primary information security regulator, filling an urgent and otherwise unmet need to incentivize better security practices by U.S. businesses.

This is why the case has attracted the attention of groups such as the U.S. Chamber of Commerce, which filed an amicus brief on Wyndham’s behalf. Much is at stake.

If Salas buys the FTC’s argument, her decision will mark the first judicial endorsement of its role as a cybersecurity regulator. If she sides with Wyndham, however, the nation could lose its only effective cybersecurity regulator.

Our gridlocked Congress is unlikely to meet the resulting urgent need to enact legislation empowering the FTC or some other agency to provide tangible incentives for better security practices to protect the public.

Given the massive data breaches in recent years and the growing threat of sophisticated cyberattacks, the role the FTC is currently playing is crucial, even if imperfect.

Fred H. Cate is director of the Indiana University Center for Applied Cybersecurity Research. Andrew Proia is a postdoctoral fellow in Information Security Law & Policy at the Indiana University Maurer School of Law.