On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in Federal Trade Commission v. Wyndham Worldwide Corporation. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the FTC to regulate data security standards. Although the decision dealt most directly with the hospitality industry, it is a wakeup call for every company that is subject to FTC jurisdiction.
We know that cybercrime is big. In 2014, there were 42,800,000 detected security incidents (and, most likely, many more that were never discovered). Estimates of annual cost of cybercrime to the global economy ranges from $375 billion to as much as $575 billion as companies face increased vulnerability, ranging from greater technology available to cybercriminals and new types of cybercrime, like crypto-ransom.
The decision should be a wake-up call to hotel owners because, as described below, hotel owners may ultimately bear the cost of data breaches involving their hotels. Companies should look at the Wyndham decision as an opportunity to consider whether they and their vendors have taken the steps necessary to protect company and customer information and, ultimately, the companies themselves.
Background
The case arose out of a suit brought by the FTC against Wyndham, a global hotel company, for failing to adequately safeguard its computer network, allowing hackers to access customer information, resulting in the compromise of more than 600,000 credit card records and financial losses in excess of $10 million. The FTC noted that Wyndham had made numerous promises that it maintained the security of the data it collected in its website privacy policy, which promises the FTC determined were false. On August 24, 2015, the Third Circuit affirmed the district court, upholding the FTC’s data protection authority. The result – for the first time, the United States has what amounts to a data security regulator, namely, the FTC.
What did Wyndham Do Wrong?
The Wyndham decision is particularly helpful because it identifies clearly what Wyndham did – or did not do – that violates the FTC’s standards. Specifically, the FTC found that Wyndham:
- failed to use readily available security measures, such as firewalls;
- stored of credit card information in clear text;
- failed to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks;
- failed to address known security vulnerabilities on servers;
- used of default user names and passwords for access to servers;
- failed to require employees to use complex user IDs and passwords to access company servers;
- failed to inventory computers to appropriately manage the network;
- failed to maintain reasonable security measures to monitor unauthorized computer access;
- failed to conduct security investigations; and
- failed to reasonably limit third-party access to company networks and computers.
Security professionals recognize that this list is a fair representation of minimum security requirements for any information system – any company that does not consider these requirements is likely to experience a breach. This list also amounts to an inventory of violations of Section 5 of the FTC Act – engaging in unfair or deceptive trade practices – and any firm that collects and maintains data and is guilty of these failures can expect that they, too, will be subject to action by the FTC, as well as private plaintiffs.
A Call to Action
Many companies don’t consider the impact of data security on their operations (including operations they outsource). But they should, and need, to be concerned, because they are responsible if they fail to protect personal information. To put it simply, if there is a breach, the company will pay the bill.
The situation is more serious because most companies have websites that include privacy policies – the laws of many states, including California, require that websites do so. These websites often make broad statements assuring customers and website visitors that they can rely on the security systems put into place by the sponsoring company. However, if that assurance turns out not to be true, the company will be held to task. And if there is a breach, the promises made in the privacy policy can become evidence of wrongdoing by the company.
Companies must become more sensitive to the fact that they hold and maintain sensitive personal information, whether it is in the form of employment records, health information, financial data or business secrets, and they, too, have a legal obligation to protect that information. More than that, companies must not only protect their information; they must ensure that their business associates to do the same.
Companies should also consider one additional factor that isn’t addressed in the Wyndham decision, but permeates almost every data breach: The human factor.
At least 95% of reported data breaches can be traced to an intentional or unintentional act by a person within or associated with the affected organization. A company can comply with all of the deficiencies noted by the FTC and still be subject to a breach, because an individual employee or contractor can, effectively, bypass all technological protections, simply by responding to the wrong email or clicking on the wrong website. Any plan to protect sensitive information and comply with the law needs to incorporate training for all company personnel, ranging from the most senior officer to the most junior employee, and consider not only regular personnel, but contractors, vendors and others who provide services in today’s on-demand economy.
Robert E. Braun is a corporate lawyer and the co-chair of the Cybersecurity and Privacy Group at Jeffer Mangels Butler & Mitchell LLP in Los Angeles. He and his team represent clients in a wide range of industries, covering all substantive areas of data security and privacy including information technology, financial, health, employment and personal privacy, litigation and technology transactions. He is experienced in a full range of cybersecurity and privacy matters including data breach issues, development of security incident response plans, crisis management, development of data security and retention policies, forensic investigations of information systems, internal investigations and audits, and internet privacy matters. Contact Bob at RBraun@jmbm.com or +1.310.785.5331.