FTC v. Wyndham Produces Important Cybersecurity Ruling

Hello Internet people,

It’s been a while since I’ve had a chance to update this blog.  Back in March, I started a new job and had a couple of significant life events (which I won’t go into) that interfered with my ability to update a blog regularly.  I’ve decided that I’ve left this blog hanging around, devoid of new content, for long enough.  It’s time to dive back into the world of technology law.

Fortunately, the US Court of Appeals for the Third Circuit gave the technology law world a juicy case to start the week.  Since 2012, the Federal Trade Commission (FTC) has been litigating against Wyndham Worldwide Corporation (Wyndham) over three breaches of Wyndham’s network that resulted in many customers’ payment card numbers and personal information being stolen.  In suing Wyndham, the FTC claimed the legal authority to go after companies for poor cybersecurity practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” (Fed. Trade Comm. v. Wyndham Worldwide Corp., No. 14-3514, 3d Cir. 2015, at 8).  Wyndham disputed that authority and moved to dismiss; when the district court denied the motion, the Third Circuit agreed to decide the question on interlocutory appeal.

First, let’s discuss Wyndham’s data protection practices.  The Third Circuit almost certainly made its ruling with the scope of Wyndham’s digital negligence in mind, so the level of shoddiness is worth noting.  According to the FTC’s complaint (which the court had to take as true at this stage), Wyndham stored guest payment card information in plain text rather than encrypting it, allowed employees to use easily guessed passwords (the court cites a case where the user ID and the password were both “micros”), and did not use firewalls to separate its franchised hotels’ systems from its corporate network or from the internet.  In addition, Wyndham did not restrict third parties’ access to its network (or make such access temporary when it was necessary), had no measures in place to detect intrusions, and had no proper incident response procedures.  On that last point, attackers got into Wyndham’s systems three times using the same methods, because Wyndham never looked for the malware used in the earlier intrusions.  The FTC also brought a separate deception claim, alleging that Wyndham’s published privacy policy vastly overstated the security measures protecting information shared with Wyndham; that claim was not before the Third Circuit, which took up only the unfairness count.

However, Wyndham’s awful cybersecurity practices were not the crux of the ruling.  The issue at hand, instead, was whether the FTC has the authority to regulate a company’s cybersecurity practices at all.  The Third Circuit ruled that the FTC does possess that authority, derived from Section 5 of the Federal Trade Commission Act of 1914 (the 1914 Act), which prohibits “unfair or deceptive acts or practices in or affecting commerce.”  While the opinion provides a nice summary, the current test for unfairness is codified in 15 U.S.C. § 45(n), under which the FTC may declare a practice unfair only if “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”  In other words, Wyndham had to have engaged in practices that caused or were likely to cause harm to consumers, that consumers could not reasonably avoid on their own, and that were not outweighed by some benefit to consumers or to competition.  The FTC’s argument on the second element was that consumers could not reasonably avoid the harm because they had no way of knowing how weak Wyndham’s security actually was, especially given a privacy policy that overstated it.  Wyndham’s arguments revolved around the scope of the authority Congress granted the FTC, which Wyndham said does not include cybersecurity regulation.  Wyndham argued that the FTC’s reading of “unfair” was too broad; that Congress had since given the FTC specially tailored data security authority in statutes such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act (implying that it lacked broader authority); and that the FTC’s position gave companies no fair notice of what the statute required of them.  The Third Circuit rejected all of these arguments.

So what are the implications of this case?  The most basic effect is that the FTC’s case against Wyndham for its poor data security practices can go forward.  Wyndham will have to defend itself on the merits rather than getting the matter dismissed entirely (the ruling holds only that the FTC’s complaint states a claim; it does not decide that Wyndham actually violated the statute).  The other short-term result is that fewer companies are likely to fight the FTC’s consent orders over data breaches the way Wyndham did.  The longer term implications are more interesting.  With the FTC’s authority to police cybersecurity practices confirmed, at least in the Third Circuit, some companies will take sterner security measures, with the FTC’s Protecting Personal Information: A Guide for Businesses serving as a guideline (the court pointed to that guide, along with the FTC’s earlier complaints and consent decrees, in rejecting Wyndham’s fair notice argument).  In addition, the case will open up new case law on cybersecurity and consumer rights.  Previous legislative efforts mostly focused on the “security” aspect of cybersecurity (the proposed Cybersecurity Act of 2012, for example, which did not pass, focused on sharing information between government and the private sector and on security requirements for critical infrastructure).  The case will also likely provide some guidance as to what security practices are “unreasonable” for purposes of liability.  The FTC’s attorneys can now point to plain text storage of card data and the absence of any firewall as practices that a court has found sufficient, when alleged together with the rest, to state an unfairness claim.  In the still young realm of cybersecurity law (especially as it relates to consumer data), that is a major step forward.

That’s it for this week.  I’ll try to nail down a schedule going forward.  In the meantime, enjoy the rest of the day.