A few months ago we wrote about the FTC’s decision to launch a Consumer Privacy Bill of Rights. One of the more interesting things about the Bill of Rights was that the FTC seemed to be setting up a regime where a company’s voluntary decision to "opt in" to the regime could become the basis for FTC enforcement if the voluntary policy was breached. In fact, Commissioner J. Thomas Rosch dissented from that portion of the FTC’s privacy report and recommendations.
What particularly seems to have upset the FTC in this case is the fact that one breach allegedly facilitated other breaches. The hotel group learned in 2008 of a data breach of its system through one property. The FTC claims the security flaws exploited in that breach were not corrected, allowing two other breaches to occur. In those two subsequent breaches, the FTC says that approximately 120,000 consumer payment card records were stolen. Those records were supposedly used by crime syndicates, including some in Russia, to make fraudulent purchases.