The FTC brought an administrative action against LabMD, a Georgia-based medical testing lab, because of a security incident occurring within the company. A decision by the administrative law judge came out recently essentially saying the FTC failed to carry its burden of proving actual or likely substantial harm to consumers.1) The dismissal is, of course, now on appeal to the Commission, but I think LabMD is not very important because it is based on bad facts for an enforcement action. The only thing LabMD might stand for is the severe financial consequences of having to fight an FTC action even if your company’s failure did not actually hurt anyone (LabMD is essentially out of business now and winding up operations). Wyndham, on the other hand, is a clear warning of the terrible consequences that come when the FTC takes issue with your cybersecurity failures, consequences which may include having the FTC looking over your shoulder for decades should you lose or settle.
As I wrote previously, the Wyndham case is a much more important precedent, with implications for cybersecurity practices and data breach responses.2) In fact, the FTC and Wyndham have proposed a settlement that is now awaiting court approval.3) The settlement terms give a glimpse into the standards the FTC will hold other companies to in the aftermath of a data breach.4)
The settlement imposes a rigorous set of actions that Wyndham must take over the next twenty (20) years.5)
Wyndham will be required to establish a “comprehensive information security program” that is “fully documented in writing” and consists of “administrative, technical, and physical safeguards” appropriate to its size, complexity, the scope of its activities, and the sensitivity of the data it holds.6) The program must also designate employees who are accountable for its implementation and oversight, conduct ongoing risk assessments, implement safeguards to control the risks identified in those assessments, enforce similar requirements on the vendors it uses, and continuously update the program based on the results of mandated monitoring and testing.7)
Wyndham must also conduct annual assessments using qualified assessors to ensure its compliance with relevant security standards “at least as thorough as Version 2.0 of the PCI DSS Risk Assessment Guidelines.”8) In the event of a sufficiently large breach, it will be obligated to commission “a PCI Forensic Investigator Final Incident Report”.9)
Ongoing reporting and recordkeeping requirements are imposed, including notification requirements.10) The most problematic requirement, however, is that the order would permit the Commission “to seek discovery, without further leave of Court” under the various Federal Rules of Civil Procedure that deal with discovery, for a period of at least 23 years.11)
The settlement’s prescribed “comprehensive information security program” is something Wyndham should have had in place regardless. These programs and their constituent policies are reasonable and necessary efforts that all companies should undertake. The requirements in that portion of the proposed order are very much in line with recommendations being drafted by the data breach response brainstorming group in the Sedona Conference Working Group 11 (disclosure statement: I am part of the brainstorming group drafting those recommendations). The unfortunate aspect of Wyndham’s position is the loss of some control over its own policies and the additional requirements imposed on it by the remainder of the proposed order.
In my opinion, Wyndham stands for the proposition that the innocent age when cybersecurity issues could be glossed over has passed. The numerous high-profile data breaches over the past two years alone have raised public awareness and concern. Regulators have clearly taken notice at both the state and federal levels, and enforcement actions are going to become more common when companies do not take reasonable steps to address cybersecurity, data breach response planning, and consumer protection. People may hate paying lawyers, but in the cybersecurity and data breach arena an ounce of prevention is definitely worth at least a pound of litigation later.
1. See “Initial Decision Docket No. 9357” at 88, available at https://www.ftc.gov/system/files/documents/cases/151113labmd_decision.pdf.
2. See “Understanding the Implications of FTC v. Wyndham on Data Security Practices”, available at http://hanrylaw.com/2015/09/11/understanding-the-implications-of-ftc-v-wyndham-on-data-security-practices/.
3. See “Wyndham Settles FTC Charges It Unfairly Placed Consumers’ Payment Card Information At Risk”, available at https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment.
4. See “Wyndham’s settlement with the FTC: What it means for businesses – and consumers”, available at https://www.ftc.gov/news-events/blogs/business-blog/2015/12/wyndhams-settlement-ftc-what-it-means-businesses-consumers.
5. See “Proposed Stipulated Order For Injunction”, available at https://www.ftc.gov/system/files/documents/cases/wyndhamproposedstiporderfullyexecuted.pdf.
6. Id. at 4-5.
7. Id. at 5-6.
8. Id. at 7.
9. Id. at 8.
10. Id. at 11-12.
11. Id. at 13 (section VI, “Compliance Monitoring”, applies as long as Wyndham is subject to any obligations in parts I or II of the order plus three years thereafter, and part I has a 20-year duration).