Understanding the Implications of FTC v. Wyndham on Data Security Practices

Understanding the Implications of FTC v. Wyndham on Data Security Practices

The Federal Trade Commission (FTC) is very active and interested in data breaches and other cyber security incidents. The federal government and many state governments are slowly adding legislation that specifically addresses issues of cyber security and data breach reporting, but while those efforts slowly produce narrowly focused legislation, the FTC is trail blazing by using its existing and broad authority to regulate unfair business practices. 1)See 15 USC § 45(a). Using this broad authority granted by congress over a century ago, the FTC is actively bringing regulatory actions and filing suits against companies whose cyber security practices are inadequate and result in data breaches. These actions often result in consent decrees which have long term consequences for the companies that settle with the commission. Occasionally, a company will dig in for an extended legal battle. One such case is the FTC v. Wyndham action which recently produced an appellate decision from the Third Circuit which has significant implications for cyber security practices. 2)See FTC v. Wyndham Worldwide Corp., 2015 U.S. App. LEXIS 14839 (3d Cir. N.J. Aug. 24, 2015).

I read Court opinions so you don’t have to, thus this post will discuss (1) a brief summary of the Wyndham data breaches, (2) the FTC’s authority under the “unfairness” prong, and (3) the importance of the Third Circuit opinion as a contour of likely future FTC actions. I will conclude by discussing future liability concerns in the wake of data breaches especially in the context of the FTC.

WYNDHAM DATA BREACHES

In the FTC’s complaint, it lays out what it contends are the salient facts behind three data breaches of Wyndham’s networks. 3)See FTC v. Wyndham Worldwide Corp., Case No. 2:13-cv-01887 (D.N.J. 2012) R. Doc. 1. Essentially, the systems in question consist of (1) the terminals at the hotels (“Property Management System”), (2) servers in a datacenter located in Phoenix, AZ (“Central Reservation System”), and (3) connections between the local hotel network and the Wyndham corporate networks. 4)Id. at ¶¶ 14-9.

First Breach

The FTC contends that Wyndham was first breached in April 2008 when attackers gained access to a Property Management System at one of the hotel locations. 5)Id. at ¶ 26. From the initial ingress point, the attackers brute forced user accounts over a few days in May 2008 until they compromised an administrator account. 6)Id. at ¶¶ 26-8. In the process, they also locked out hundreds of user accounts due to too many failed logins which would have been a red flag an attack was in progress. 7)Id.

The Wyndham systems were not compartmentalized (by firewall, access control policy, etc) such that once they had access to an admin account, they were able to access the local systems at any of the other hotels. 8)Id. at ¶¶ 28-9 (also complaining the hotel was using unsupported operating system versions that were no longer being patched as of three years prior). The attackers deployed malware that scraped credit card information from the processing systems as credit card transactions were processed. 9)Id. at ¶ 30; note that this is a similar technique to the Target and Home Depot breaches. The attackers were also able to again access to payment information that was stored in plaint-text on the Property Management Systems due to a misconfiguration. 10)Id. at ¶ 31. In toto, more than 500,000 credit cards were compromised. 11)Id. at ¶ 32.

 

Second Breach

Wyndham’s systems were breached again in March 2009 via a, “service provider’s administrator account in the Phoenix data center”. 12)Id. at ¶33. This is a fairly unclear allegation, but it seems to imply it was a third party vendor that had administrative access. 13)Also, note that the vendor attack vector used to penetrate the corporate network edge was also present in the Home Depot breach. Payment processors notified Wyndham of fraudulent charges stemming from cards used to pay for nights at the hotel chain, and Wyndham eventually searched for and detected the same malware used in the first breach. 14)Id. at ¶ 34. Wyndham also determined the attackers reconfigured their Property Management Systems to revert to the old behavior of storing payment information in plain text. 15)Id. at ¶ 35. Around 50,000 cards were compromised. 16)Id. at ¶ 36.

 

Third Breach

The systems were compromised a third time in, “late 2009” and Wyndham learned of the breach when a credit card issuer contacted them in January 2010. 17)Id. at ¶¶ 37-8. The attackers again gained access to an administrator account, but the complaint does not indicate how. 18)Id. at ¶ 37. Again, the same type of malware was used and around 69,000 cards were compromised. 19)Id. at ¶¶ 38-9.

 

DECEPTIVE & UNFAIR BUSINESS PRACTICES

The FTC brought two counts in its initial complaint. The first count alleges that Wyndham’s business practices are deceptive because they represented that the hotel chain, “had implemented reasonable and appropriate measures to protect personal information against unauthorized access”, but that they had not done so. 20)Id. at ¶¶ 44-5. This is not novel, the FTC is very active in bringing actions against companies who do not comply with their stated privacy policies etc. Count two, however, alleges that failing to employ reasonable security measures to protect personal information is per se an unfair practice within the meaning of the FTC’s existing authority under 15 USC § 45(a). 21)Id. at ¶¶ 47-9.

Therein is the subtle change which is quite important. Count I alleges Wyndham promised something that it did not do, and thus its practices were deceptive. Count II alleges that simply the fact that they did not do those things, irrespective of whether they promised to do them, makes their business practices unfair because they posed a substantial injury to consumers that consumers cannot reasonably avoid themselves.

Motion to Dismiss

Wyndham brought a motion to dismiss under Fed. R. Civ. P. 12(b)(6) – failure to state a claim upon which relief can be granted. This is the legal equivalent of saying, “meh. So what?”. The District Court received extensive briefing from both the parties as well as amici curiae before denying the motion to dismiss. 22)See FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 at n. 3 (D.N.J. 2014). Given the gravity of the issues, the District Court certified its decision for interlocutory appeal after denying the motion to dismiss, which the Third Circuit granted.

THIRD CIRCUIT OPINION

The U.S. Court of Appeals for the Third Circuit framed the questions before it as two discrete issues: “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision”. 23)See FTC v. Wyndham Worldwide Corp., 2015 U.S. App. LEXIS 14839 (3d Cir. N.J. Aug. 24, 2015) at 6-7.

Cybersecurity under the unfairness prong

The FTC’s authority under § 45(a) is quite broad, and the Appellate Court goes through a concise, though dense, summary of its development. 24)Id. at 12-5 (describing the legislative and jurisprudential development of the “unfairness” prong from the initial act in 1914 through the development of § 45(n) in 1994. What is “unfair” within the meaning of § 45(a) is informed by limitations on the FTC imposed by § 45(n) which precludes the FTC from declaring an act or practice unlawful due to being unfair unless it, “is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition”.

Wyndham’s arguments on appeal had two main thrusts: (1) its conduct cannot be unfair; and (2) subsequent legislative action divested the FTC of authority to regulate cybersecurity under § 45. 25)Id. at 16-25. The Court was not persuaded that Wyndham’s conduct could not be unfair because, in part, of its failure to comply with promises in its privacy policy and the foreseeability of the second and third breaches. The Court was also unpersuaded that subsequent narrowly tailored legislation indicated the FTC did not have the authority to regulate cybersecurity practices under the unfairness prong, but instead that those legislations required the FTC to establish regulations in certain spheres rather than granting them narrowly tailored permissive authority to do so. Effectively, the cited legislation were acts where Congress forced the FTC to act.

Fair notice

The second question regarded whether Wyndham had fair notice for the purposes of the Constitution’s Due Process Clause. As the Court discussed, the level of required notice varies by the circumstance and who interprets the statute. 26)Id. at 26-32. Wyndham averred that it was entitled to, “ascertainable certainty” as to how the FTC interpreted what cybersecurity practices would be considered unfair. The Court decided it was only entitled to, “fair notice that its conduct could fall within the meaning of the statute”. 27)Id. at 38.

Because the statue the FTC derived its authority from imposed civil rather than criminal penalties, and regulates economic activity, Wyndham was only entitled to a low level of notice “not so vague as to be no rule or standard at all”. 28)Id. at 39 (internal quotes omitted). Given the text of the statute, specifically § 45(n), the Court identified, “that the relevant inquiry here is a cost-benefit analysis”. 29)Id.

Given the allegations in the complaint, the Court had little trouble finding that Wyndham had fair notice. What is very interesting, however, is a reference made to a booklet produced by the FTC entitled, Protecting Personal Information: A Guide for Business, which describes a checklist counseling against many of the inadequate cybersecurity practices Wyndham is alleged to have engaged in. 30)Id. at 41 and n. 21 (noting that the booklets do not provide ascertainable certainty, but that such is not the relevant inquiry). Indeed, the Court specifically calls attention to the fact such booklets outline what the agency views as reasonable practices and thus would have informed Wyndham’s understanding that, “its conduct might not survive the cost-benefit analysis”. 31)Id. at 42.

FUTURE REGULATORY IMPLICATIONS

The penultimate question: Why is all of this important?

FTC v. Wyndham Worldwide Corp. now stands for the proposition that the FTC already has authority to regulate cybersecurity practices, and the standard of notice is not very forgiving when a company suffers a data breach. The FTC was already active in going after companies with deceptive privacy policies, but now it is potentially unfettered by a company having made a deceptive promise. Under a deceptive view, a policy that says “we make no promises whatsoever about your privacy” would not be deceptive – off putting perhaps, but certainly honest enough. That may not, however, preclude an FTC action for the practices being unfair. 32)Note: the Appellate Court did not reach whether the absence of a published policy might shift the balance because of the overlap in this specific case with a published privacy policy.

The nuances of where the dividing line is for these issues were not discussed in this decision because the alleged facts are so terribly against Wyndham. However, these sort of lopsided factual cases are generally the starting point for long lasting precedents as we saw with warrantless searches of electronic devices up until the Reilly decision. It is undoubtable the FTC will be citing this opinion in all future litigation it brings against companies for inadequate cybersecurity practices in the aftermath of a data breach.

CONCLUSION

The ultimate question: How does this impact you?

This impacts everyone. Every company in every industry. Cybersecurity and Data breaches are not industry specific, and not specific to companies of any particular size. Cybersecurity has only recently started to be a mainstream topic in non-technical circles, but the potential for greater FTC regulatory action against those who are hacked makes it more pressing.

There is now a tension between competing internal interests as to how to respond to a data breach. As the victim of a crime, a corporation suffering a data breach might want to involve law enforcement as quickly as possible, but that has the potential to attract unwanted attention from the FTC or another regulator. It is clear that businesses must be proactive with their cybersecurity practices, forearm themselves with legally defensible procedures for dealing with the aftermath of an incident, and carefully consider their legal responsibilities before, during, and after a breach to avoid practices that might be considered “unfair”.

I will leave, for another time, discussion of how regulations in other jurisdictions like the European Union complicate these matters even further.

References   [ + ]

1.See 15 USC § 45(a).
2.See FTC v. Wyndham Worldwide Corp., 2015 U.S. App. LEXIS 14839 (3d Cir. N.J. Aug. 24, 2015).
3.See FTC v. Wyndham Worldwide Corp., Case No. 2:13-cv-01887 (D.N.J. 2012) R. Doc. 1.
4.Id. at ¶¶ 14-9.
5.Id. at ¶ 26.
6.Id. at ¶¶ 26-8.
7, 29.Id.
8.Id. at ¶¶ 28-9 (also complaining the hotel was using unsupported operating system versions that were no longer being patched as of three years prior).
9.Id. at ¶ 30; note that this is a similar technique to the Target and Home Depot breaches.
10.Id. at ¶ 31.
11.Id. at ¶ 32.
12.Id. at ¶33.
13.Also, note that the vendor attack vector used to penetrate the corporate network edge was also present in the Home Depot breach.
14.Id. at ¶ 34.
15.Id. at ¶ 35.
16.Id. at ¶ 36.
17.Id. at ¶¶ 37-8.
18.Id. at ¶ 37.
19.Id. at ¶¶ 38-9.
20.Id. at ¶¶ 44-5.
21.Id. at ¶¶ 47-9.
22.See FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 at n. 3 (D.N.J. 2014).
23.See FTC v. Wyndham Worldwide Corp., 2015 U.S. App. LEXIS 14839 (3d Cir. N.J. Aug. 24, 2015) at 6-7.
24.Id. at 12-5 (describing the legislative and jurisprudential development of the “unfairness” prong from the initial act in 1914 through the development of § 45(n) in 1994.
25.Id. at 16-25.
26.Id. at 26-32.
27.Id. at 38.
28.Id. at 39 (internal quotes omitted).
30.Id. at 41 and n. 21 (noting that the booklets do not provide ascertainable certainty, but that such is not the relevant inquiry).
31.Id. at 42.
32.Note: the Appellate Court did not reach whether the absence of a published policy might shift the balance because of the overlap in this specific case with a published privacy policy.

You May Also Like