New Potential Liability for Data Security

By Mitchell E. Widom

The U.S. Court of Appeals for the Third Circuit announced that the Federal Trade Commission (FTC) has the authority to scrutinize a business’s data security protocol -- and to file a complaint if the FTC finds that protocol is lacking. In FTC v. Wyndham, the court secured the FTC’s role as cybersecurity watchdog, and placed companies on notice that insufficient privacy protections for consumers could lead to liability.

Background

In June, 2012, the FTC filed suit against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years. The FTC alleged that insufficient data security led to the theft of customer’s personal and credit card information and millions of dollars in fraud losses. As the FTC put it, the complaint was “part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.”

The FTC argued that Wyndham and its subsidiaries failed to take adequate security measures, all of which created the environment in which customer data was stolen.

What kind of errors were at play?

• Storing credit card information in clear, readable text
• Using easily-guessed passwords. For instance, access to the property management system for more than one hotel was “micros,” which was the name of the developer of the property management program
• Failing to use firewalls
• Maintaining permissive networking protocols, including non-updated security programs, inadequate password protection, and even default user IDs and passwords
• Allowing easy access to networks and servers for third party vendors
• Instituting insufficient incident response protocols, which were often not followed - hackers used similar methods for each hack
• Promising to consumers that their security was taken seriously. Despite being detailed, the promises were not kept

Because of Wyndham’s inadequate security procedures, the breach gave the intruders access to the corporate network of Wyndham’s Hotels and Resorts subsidiary, and the property management system servers at Wyndham properties.

Ultimately, Wyndham was hacked three separate times, leading to the compromise of more than 600,000 payment card accounts, and the export hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia. The FTC’s arguments suggest that it was Wyndham’s failure to revise its data-security protocols in response to the first hack that made its conduct the subject of a complaint.

Rather than settle with the FTC, Wyndham moved to dismiss the complaint. It argued that Congress never intended for the FTC to establish data-security standards for the private sector, and that it lacked fair notice that its conduct could expose it to liability with the FTC. The District Court and the Third Circuit both disagreed.

The Court's Decision

In affirming the District Court, the Third Circuit ruled that the FTC has authority over unfair acts or practices that “cause[] or [are] likely to cause substantial injury to consumers which [are] not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). In this case, the court determined that Wyndham’s failure to create and abide by a reasonable data-security protocol constituted an unfair act. FTC v. Wyndham Worldwide Corp., No. 14-3514, Aug. 24, 2015 (slip op.) at 12-21.

The Third Circuit also concluded that Wyndham had adequate notice that its conduct might give rise to liability. It explained that Wyndham was entitled to a low level of statutory notice because the FTC Act is a civil, rather than a criminal statute, because the conduct at issue is economic, and because Wyndham had been hacked “not one or two, but three, times.” Id. at 39-41. In the light of its repeated issues with hacking, the court reasoned that Wyndham could have read the FTC’s 2007 book “Protecting Personal Information: A Guide for Business,” which describes a “checklist[]” of practices that form a “sound data security plan.” Id. at 41.

Potential Impact of the Decision

This decision is noteworthy on multiple levels. First, it highlights the need for an updated, legally-sound set of data-security protocols. What would have been best practices three years ago could be deficient today, and an ongoing familiarity with the FTC’s benchmarks is a business necessity. Second, the case demonstrates the FTC’s increasing boldness in bringing suits based on privacy concerns. Even though Wyndham was the subject of repeated cyber-attacks, the FTC’s complaint casts the hotel chain as the wrongdoer, and hacked businesses must be aware of the regulatory liability they face even as they prepare for lawsuits from consumers.

Finally, the Third Circuit’s ruling demonstrates once again the flexibility of the FTC Act, and a judicial willingness to expand the FTC’s remit in the digital age. While there are carveouts for other agencies to oversee some limited privacy issues (like HIPPA, COPPA, or Gramm-Leach-Bliley), the FTC is solidifying its ability to regulate the security of consumers’ personal and financial data. Given the spate of recent data breaches at nationwide chains and online service providers, there are sure to be a more complaints like FTC v. Wyndham. Any business that does not want to be on the wrong side of the “v.” should work with counsel to conduct a thorough review of their data security protocols and policies.