For many months, the compliance and legal officers had been waiting to see what sort of enforcement authority the Federal Trade Commission might actually have over companies’ data security practices.
Now we know: The FTC has a lot, which opens up a new front of cyber-security compliance and legal risks for Corporate America.
The 3rd Circuit Court of Appeals in August unanimously upheld the FTC’s authority to enforce against poor data security practices under Section 5 of the Federal Trade Commission Act, which broadly prohibits “unfair or deceptive acts or practices” that cause consumer harm. Although the FTC has been bringing administrative actions against companies for inadequate cyber-security practices since 2005, the vast majority ended in settlements—until now.
The ruling, FTC v. Wyndham Worldwide, broadly affects all companies under FTC jurisdiction. “Many organizations may wait and see if the FTC ramps up its enforcement efforts in terms of frequency and range of industries,” says Cordero Delgadillo, an associate of law firm Husch Blackwell. “Prudent organizations will ensure their practices align with the FTC’s history of enforcement proceedings.”
A federal judge in New Jersey denied Wyndham’s motion to dismiss. The appeals court agreed to review two main issues: whether the FTC can enforce inadequate data security practices as “unfair” under Section 5 and, if so, whether the FTC gave Wyndham “fair notice” through any regulation that its data security practices potentially fell short of Section 5.
Wyndham argued that Congress intended to exclude cyber-security from the FTC’s Section 5 authority, citing federal privacy laws (the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act, for example) that give the FTC tailored authority to regulate data security. In rejecting this argument, the appeals court held that Congress enacted such laws to complement—not merely to establish—the FTC’s authority over cyber-security practices.
The court said companies are not immune from cyber-security liability even in the absence of any actual consumer harm. “Basically, if consumers trust you with data, you need to use reasonable business efforts to maintain and honor that trust by securing that data appropriately,” says Alysa Hutnik, a partner with the law firm Kelley Drye.
In addressing “fair notice,” the court said Section 5 gives companies adequate notice about the importance of conducting a cost-benefit analysis to determine the adequacy of cyber-security measures, including “the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cyber-security.” The court added: “[C]ertainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis.”
Wyndham has reiterated its intent to defend its position. “[W]e continue to contend the FTC lacks the authority to pursue this type of case against American businesses and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security,” says Michael Valentino, a spokesman for Wyndham.
The appeals court issued its decision “solely upon our motion to dismiss the FTC’s complaint, which requires the 3rd Circuit to take the FTC’s allegations at face value,” Valentino adds. “Once the discovery process resumes, we believe the facts will show the FTC’s allegations are unfounded.”
In a brief filed with the 3rd Circuit in support of Wyndham, several business groups—the U.S. Chamber of Commerce, the American Hotel & Lodging Association, and the National Federation of Independent Business—said the court’s ruling has serious implications for all companies.
The following excerpt from FTC v. Wyndham outlines the FTC’s allegations of Wyndham’s poor cyber-security practices.
The FTC alleges that, at least since April 2008, Wyndham engaged in unfair cyber-security practices that, “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” This claim is fleshed out as follows.
1. The company allowed Wyndham-branded hotels to store payment card information in clear readable text.
2. Wyndham allowed the use of easily guessed passwords to access the property management systems.
3. Wyndham failed to use “readily available security measures”—such as firewalls—to “limit access between [the] hotels’ property management systems, corporate network, and the Internet.”
4. Wyndham allowed hotel property management systems to connect to its network without taking appropriate cyber-security precautions. It did not ensure that the hotels implemented “adequate information security policies and procedures.” Also, it knowingly allowed at least one hotel to connect to the Wyndham network with an out-of-date operating system that had not received a security update in over three years. It allowed hotel servers to connect to Wyndham’s network even though “default user IDs and passwords were enabled . . ., which were easily available to hackers through simple Internet searches.”
5. Wyndham failed to “adequately restrict” the access of third-party vendors to its network and the servers of Wyndham-branded hotels.
6. It failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations.”
7. It did not follow “proper incident response procedures.”
Source: FTC v. Wyndham.
“Permitting the FTC to proceed on a theory that suffering a data breach is an ‘unfair’ trade practice would expose most businesses in America to the potential for a government enforcement action whenever that business suffers a cyber-attack or other incident that potentially compromises personal data,” the groups wrote.
The FTC has “fairly broad jurisdiction,” Hutnik says, over companies that maintain consumer data. That means the ruling could disrupt industries such as retail, food, energy, healthcare, pharmaceuticals, certain high-tech industries, and more.
And unlike the Justice Department, whose focus is on bringing criminal charges against the hackers and organized crime groups for cyber-attacks, the FTC’s focus is on the companies that maintain consumer data and whether they employed reasonable data security measures leading up to a breach, Hutnik says. That’s a lot of enforcement ground the FTC might plow.
“It is the most active federal agency enforcing in this area,” Hutnik adds.
The Wyndham case reinforces the need for companies to reevaluate their cyber-security practices. Many companies still struggle with taking an overall inventory of the data they hold, assessing how much of it is personally identifiable information or sensitive business information, and pinpointing where the data is stored and what business purpose it serves. Only after the company has a grasp on its data inventory can it begin to establish a cyber-security plan.
The FTC’s cyber-security guidance is a good starting point. Among the measures the FTC recommends:
Factor security into the decision making in every department. Collecting and maintaining information “just because” is no longer a sound business strategy.
Put controls in place to make sure employees have access only on a need-to-know basis.
Require employees to choose complex passwords, and train them not to use the same or similar passwords for both business and personal accounts.
Use strong cryptography to secure confidential material during storage and transmission.
Consider using intrusion detection and prevention tools to monitor your network for malicious activity.
“The hackers are not the smartest guys in the room, but they are incredibly opportunistic,” says Melodi Gates, a senior associate of law firm Squire Patton Boggs. “We have to be hyper-vigilant and on our game 100 percent of the time.”
Companies should refer to the National Institute of Standards and Technology’s cyber-security framework, Gates says. The framework is a way for companies to see where their cyber-security programs stand in comparison to industry-standard best practices, and where they need to be, she says.
Another hurdle to overcome is the knowledge gap between the business people—those who make business decisions and set business strategy—and the IT department that deals with data and information security issues on a daily basis. “Cyber-security is difficult to grasp,” Gates says. The business people can’t always recognize or appreciate the technical details, she says, such as: “What does a cyber-attack look like? How do I know it is happening? What are the steps I should be taking?”
Compliance officers can play a role in closing that knowledge gap by translating those highly technical issues in a way that those who manage risk at a corporate level can understand. Specifically, they should be able to articulate what the cyber-security practices mean for the business from a risk mitigation standpoint and how inadequate cyber-security practices could affect the business.
That requires compliance officers to “become conversant in some of these technical issues,” Gates says. “You need to learn enough to be able to carry on a good risk conversation with your IT staff and IT leadership.”
“Don’t wait until you have a breach to make [cyber-security] a priority,” Hutnik says. Being active and thoughtful about where you store consumer data within your systems and how that data is accessed and shared, and ensuring that you have reasonable protections around each of those touch points, she says, will put the company in much better standing than a reactionary mode.