Managing Cybersecurity in the Wake of FTC v. Wyndham
By Dov H. Scherzer and Joseph D. McClendon
In a long-anticipated decision handed down on August 24, 2015, the US Third Circuit Court of Appeals held that the Federal Trade Commission (FTC) does have the authority to regulate cybersecurity and that the failure to take proper measures to protect consumer data can rise to the level of an unfair trade practice under the FTC Act. The decision also serves as a cautionary tale about how not to handle data collection and information security. This alert provides a brief overview of the Wyndham ruling and some practical guidance for staying out of the FTC’s crosshairs.
Wyndham Worldwide Corporation (Wyndham) is a hotel and vacation management company comprised of three subsidiaries and approximately 90 independently-owned hotels that license the Wyndham brand. According to the FTC’s complaint, each branded hotel is required to purchase and configure, to Wyndham’s specifications, a property management system which, among other things, processes and stores personal consumer information such as names, addresses, and credit card account numbers. Wyndham manages these systems and each of them is also connected to Wyndham’s corporate data center based in Phoenix, Arizona.
Cybercriminals breached the Wyndham corporate network and numerous individual branded hotel property management systems three times during 2008 and 2009:
In 2008, cybercriminals breached an independent hotel’s network which, as noted above, was connected to the corporate network. The cybercriminals downloaded consumer information from over 500,000 accounts and subsequently sold all of it on the black market.
In 2009, cybercriminals gained access to the Wyndham corporate network again by using the same malware to attack the network that was used in the first attack. Because Wyndham didn’t install adequate systems to monitor the network after the first breach, the attackers were able to scrape even more consumer data off of Wyndham’s network. The criminals stole information from an additional 50,000 accounts, including payment information, from thirty-nine hotels. Wyndham discovered the existence of the second breach nearly two months after it occurred only because Wyndham customers were filing fraudulent charge complaints.
The third attack came at the end of 2009 when attackers breached the Wyndham corporate network again using default network administrator usernames and passwords. According to the complaint, “[b]ecause Wyndham “had still not adequately limited access between . . . the Wyndham-branded hotels’ property management systems, [Wyndham’s network], and the Internet,” the hackers had access to the property management servers of multiple hotels.” Over 69,000 accounts were downloaded from the property management systems at twenty-eight hotels and exposed to the black market.
The damage to consumers after all three breaches totaled nearly $11 million in fraudulent charges.
The FTC filed suit in 2012 alleging that Wyndham failed “to maintain reasonable and appropriate data security for consumers’ sensitive personal information” and that Wyndham “operated as a common business enterprise while engaging in . . . unfair and deceptive” business practices.
FTC’s Regulatory Authority
The FTC has the authority to enforce Section 5 of the FTC Act (15 U.S.C. § 45), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” “Unfair” and “deception” are separate prongs of Section 5 under which the FTC can file a claim against a company. It is the “unfairness” prong that was at issue in this case.
This case addressed the more controversial application of the “unfairness” prong of Section 5 to cybersecurity practices. More specifically, the FTC has been filing more actions against companies like Wyndham, alleging that a company’s inadequate cybersecurity may be “unfair” under Section 5. For example, failing to adequately train employees on information security practices, not encrypting data in certain circumstances, and not monitoring the corporate network to prevent known and foreseeable cyber attacks have all been construed to be “unfair” business practices under Section 5.
Until Wyndham, every company the FTC sued has folded and entered into consent orders whereby they typically agreed, among other things, to submit to annual or semi-annual security auditing from a third party for a period of twenty years and document their compliance efforts.
Third Circuit Decision
In this case, the FTC alleged that Wyndham’s cybersecurity and business practices were both deceptive and unfair to consumers. As noted above, Wyndham’s appeal to the Third Circuit only addressed the issue of whether or not the FTC could regulate cybersecurity under the unfairness prong, and argued that, even if the court found that the FTC did have such authority, Wyndham did not have notice that its security practices could fail to meet the requirements of that prong.
The court opened its decision with a thorough review of the history of the FTC’s regulatory authority under the Section 5 unfairness prong. After finding that the FTC has been regulating a wide variety of unspecified business practices under the unfairness prong since 1914 and that the FTC could regulate cybersecurity under the same, the court then addressed whether or not the FTC could regulate cybersecurity under the unfairness prong in light of other more specific laws that regulate cybersecurity and privacy.
Here, the court found that, even though Congress enacted the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), and the Children’s Online Privacy Protection Act (COPPA), all of which included privacy and information security guidelines written by the FTC, the FTC was not barred from regulating cybersecurity by virtue of “enacting these measures.” Citing an example involving the tobacco industry, the court examined “congressional intent based on post-enactment legislative activity” where the FDA “disclaimed regulatory authority over tobacco products for decades.” When the FDA tried to claim authority after Congress enacted legislation that regulated tobacco, the Supreme Court found that Congress intended to exclude the FDA from regulating tobacco because holding otherwise “would contradict congressional intent to regulate rather than ban tobacco products outright.”
In this case, the court rejected Wyndham’s argument that ”Congress lacked reason to pass the recent legislation if the FTC already had regulatory authority over some cybersecurity issues.” FCRA, GLB, and COPPA, as enacted by Congress, required the FTC to draft and issue security regulations, all of which specifically call out the FTC’s ability to regulate cybersecurity under the unfairness prong.
The court moved on to address whether or not Wyndham had fair notice of the FTC’s cybersecurity requirements. Here, the court wrote that Wyndham “was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a). Instead, the relevant question . . . is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute.” The court went on to find that “Wyndham is only entitled to notice of the meaning of the statute and not to the agency’s interpretation of the statute.”
Having found that Wyndham had fair notice, the court dismissed Wyndham’s arguments that it had no reasonable way of knowing that its information security practices fell short of what the FTC Act requires. Here, the court noted that the FTC had published a guidebook in 2007 that “described a checklist of practices that form a sound data security plan” and that even though “[t]he guidebook does not state that any particular practice is required by § 45(a) . . . it does counsel against many of the specific practices [the FTC] allege[s] here.”
The case now heads back to the Federal district court for further proceedings.
Minimizing Risk of FTC Regulation
This case should serve as an important reminder to business owners, attorneys, and CISOs that even unregulated industries can fall under the purview of government scrutiny. Neither the FTC Act nor the FTC itself provide much by way of solid guidelines that companies must follow in order to stay out of trouble, however, this case does outline a great list of things not to do when building an information security policy:
Storing consumer credit card information in clear text files
Not changing the default passwords for network equipment or appliances
Allowing vendors to connect to a business’s corporate infrastructure without first vetting the vendor’s own information security practices
Not keeping an inventory of computers that connect to the business’s corporate network
Not restricting third party vendor access to the corporate network or corporate data
Did not following standard incident response procedures
Business owners and information security professionals should also read and be familiar with the FTC’s “Start with Security: A Guide for Business” publication (last updated June 2015) for what the FTC considers to be the minimum practices a business should use to protect consumer information.
If nothing else, business owners and information security professionals should always strive to use industry best security practices and to follow its own established privacy policies. While these should be considered the bare minimum for a company’s information security practices, embracing these two concepts will put a company in a much better position to protect consumer information.
Summary and Takeaways
Wyndham was breached three times during 2008 and 2009
The FTC sued Wyndham using the “deception” and “unfairness” prongs of Section 5 of the FTC Act
The Third Circuit Court of Appeals found that the FTC does have authority to regulate cybersecurity under the “unfairness” prong
A cautionary tale about how NOT to handle data collection and information security, and suggested approach.
For More Information
Polsinelli attorneys understand how important protecting customer personal information should be to a business. For more information, please contact the authors, a member of the Privacy and Data Security practice, or your Polsinelli attorney.