Hello Internet people,
It’s been a while since I’ve had a chance to update this blog. Back in March, I had a new job and a couple of significant life events (which I won’t go into) that interfered with my ability to regularly update a blog. I’ve decided that I’ve left this blog hanging around, devoid of new content, for long enough. It’s time to dive back into the world of technology law.
Fortunately, the US Third Circuit Court of Appeals gave the technology law world a juicy case to start the week. Since 2012, the Federal Trade Commission (FTC) has been conducting ongoing litigation against the Wyndham Worldwide Corporation (Wyndham) over breaches of Wyndham’s internal network that resulted in many customers’ credit card numbers and personal information being leaked to the wider internet. In prosecuting Wyndham, the FTC claimed the legal authority to prosecute companies for poor cybersecurity practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” (Fed. Trade Comm. v. Wyndham Worldwide Corp., No. 14-3514, 3rd Cir., 2015, at p. 8). Wyndham claimed otherwise, and sued.
First, let’s discuss Wyndham’s data protection practices. The Third Circuit almost certainly made its ruling with the scope of Wyndham’s digital negligence in mind, so the level of shoddiness is worth noting. Wyndham’s employees stored guest payment information in plain text (as opposed to encrypting the credit card numbers), allowed employees to use easy passwords (the court cites a case where the user ID and the password were both “micros”), and didn’t use a firewall between their franchises and their corporate network. In addition, Wyndham did not restrict third parties’ access to their network (or make such access temporary when it was necessary), had no measures in place to detect intrusions, and had no proper incident response procedures. On that last point, hackers were able to get into Wyndham’s systems repeatedly using the same methods. The FTC also added a deception claim, noting that Wyndham’s published security policy vastly overstated the cybersecurity measures protecting information shared with Wyndham.
So what are the implications of this case? The most basic effect is that the FTC’s case against Wyndham for its poor data security practices can go forward. Wyndham will have to defend itself on the merits of the case rather than seeking to dismiss the matter entirely. The other short-term result is that fewer companies are likely to fight the FTC’s consent orders regarding data breaches the way Wyndham has. The longer-term implications are a little more interesting. The FTC having regulatory authority to police cybersecurity practices when companies get hacked will result in some companies taking sterner security measures, with the FTC’s Protecting Personal Information: A Guide for Businesses serving as a guideline. In addition, the case will open up new case law regarding cybersecurity law and consumer rights. Previous legislation mostly focused on the “security” aspect of cybersecurity (the Cybersecurity Act of 2012, for example, focused on sharing information between government and the private sector as well as critical infrastructure security requirements). The case will also likely provide some guidance as to which security practices are “unreasonable” for purposes of liability. The FTC’s attorneys can now cite plain text information storage and the lack of any firewall as unreasonable practices, for example. In the still young realm of cybersecurity law (especially as it relates to consumer data), that is a major step forward.
That’s it for this week. I’ll try to nail down a schedule going forward. In the meantime, enjoy the rest of the day.