Category: Information Technology

The Consumer Financial Protection Bureau (“CFPB”) filed an interesting consent order in re: Dwolla, Inc. concerning the company’s cyber security practices.[1] The order begins with the CFPB identifying that it found “deceptive acts and practices relating to false representations regarding [Dwolla’s] data-security practices”.[3] As I’ve covered in other blog posts regarding the FTC enforcement actions, the deceptive argument is not new, and other agencies are expanding their enforcement actions even where there is no deception or misrepresentation. (Compare FTC v. Wyndham Worldwide Corp., Case No. 2:13-cv-01887 (D.N.J. 2012) R. Doc. 1 (asserting claims under both the deceptive and unfairness prongs of its authority).) The interesting part of this CFPB consent order is the continuing expansion of regulators taking companies to task for bad cyber security practices, and that vague claims that might otherwise be considered puffery are being interpreted as misrepresentations (at least at the agency level).

The CFPB findings can be grouped into two broad categories: discrete, specific failures, and more generally vague descriptions of its services. The specific failures are obviously bad and deceptive practices. For example, Dwolla claimed that a certain set of information it collected was stored encrypted, but it did not, in fact, encrypt all of that information. It also claimed to be PCI compliant, but was not in fact PCI compliant. Those are not controversial as deceptive practices.

The more generalized description of some services as “safe” or “secure”, or describing security practices as surpassing or leading industry standards, becomes more dicey. What does it mean to be secure? What constitutes “safe”? The problem with cyber security is that “safe” and “secure” are relative terms that must be judged on an ever-changing basis. 100% safety and security is simply not possible. In sales terms, these might be asserted as “puffery”, but regulators are not taking them that way. The CFPB also took Dwolla to task for not “implement[ing] data-security policies and procedures reasonable and appropriate for the organization”.[2]

Many of the specific failures (such as not maintaining a written data-security plan) are becoming more important as regulators are forcing companies to defend their practices after security incidents or data breaches. The defensibility requires documentation to really be persuasive that such incidents were not because of bad practices. Like in Dwolla, criticisms for not conducting ongoing risk assessments, penetration testing, and employee training are becoming common in regulatory actions. There is one certainty – rigorous data security practices are not a luxury, and treating them as optional or an afterthought creates significant exposure.

References

1. See “CFPB Takes Action Against Dwolla for Misrepresenting Data Security Practices”, available at http://www.consumerfinance.gov/newsroom/cfpb-takes-action-against-dwolla-for-misrepresenting-data-security-practices/.
2. In re: Dwolla at 7.
3. In re: Dwolla, Inc. Rec. Doc. 1 at 1, File No. 2016-CFPB-0007 (CFPB), available at http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf.

On February 16, 2016, a magistrate judge in the Central District of California issued an order, under the All Writs Act, compelling Apple to assist the FBI in searching an iPhone 5C that belonged to Syed Rizwan Farook. Farook was one of the terrorists participating in the December 2, 2015 mass shooting at the Inland Regional Center in San Bernardino, California.[1]

Within less than 24 hours, many articles and blog posts materialized dissecting the order and pondering its implications.[2] The public commentary and outrage even resulted in Tim Cook, CEO of Apple, posting an open letter on Apple’s website restating the case for encryption technology and vowing to fight the order.[3] Commentators have varied in describing what the FBI is seeking, from a “Master Key” to a design flaw to a non-issue. I have a more concerning thought, which is the purpose of this blog post.

Observe this language from the order:

“Providing the FBI with a signed iPhone … Software Image File (“SIF”) that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory (“RAM”) and will not modify the iOS on the actual phone, the user data partition or system partition on the device’s flash memory. … The SIF will be loaded via Device Firmware Upgrade (“DFU”) mode, recovery mode, or other applicable mode available to the FBI.”[4]

The language mirrors that in the Declaration of Christopher Pluhar, which was submitted in support of the government’s motion. The suggested purpose of this assistance is to (1) circumvent the phone’s wipe-after-10-failed-lock-code-entries feature, (2) remove software delays between lock code attempts, and (3) allow unlock codes to be transmitted programmatically to the device. Essentially, the FBI wants help being able to brute force the 4-digit PIN code that locks the iPhone so it can get at the phone’s data. (Brute forcing a 4-digit lock code is trivial if the erase-after-10-failures feature is disabled.) That, however, is not the danger that this order represents.

The form of assistance specified in the order, as suggested by the FBI, is that Apple should provide a modified version of iOS that can be loaded onto the device and that will render the three assistances requested. That method, if possible, will result in a jurisprudential workaround to the legislative process and the present debate over phone security and the limits of government backdoors. The key to understanding this is the language describing the signed SIF’s characteristics. It must (1) be loaded via, inter alia, recovery mode, (2) be loaded and run from RAM, and (3) not modify any of the flash memory. The FBI has just requested that the court compel Apple into creating a method of live booting iOS on an iPhone. Let’s call this fbiOS.

What is live booting? In simple terms, a live boot environment boots an entire operating system into a computer system’s memory rather than installing it to storage.[5] These types of environments are very common in Linux distributions to let users test or experience Linux without having to commit to installing it – and many specialized distributions dedicated to forensics, penetration testing, or recovery functionality also exist.[6]

Why does the FBI seem to want this? The key element is the specification of DFU or Recovery Mode as one of the ways the hypothetical live-bootable custom fbiOS must be loadable. (See “iOS Security”, September 2015, available at https://www.apple.com/business/docs/iOS_Security_Guide.pdf.) Ordinarily, these two modes are used for restoring an iPhone (or other iOS device) that has become inoperable – and, importantly, without the lock code.

“When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM. This immutable code, known as the hardware root of trust, is laid down during chip fabrication, and is implicitly trusted. The Boot ROM code contains the Apple Root CA public key, which is used to verify that the Low-Level Bootloader (LLB) is signed by Apple before allowing it to load. This is the first step in the chain of trust where each step ensures that the next is signed by Apple. When the LLB finishes its tasks, it verifies and runs the next-stage bootloader, iBoot, which in turn verifies and runs the iOS kernel.”[7]

If any stage of the secure boot chain fails, it triggers Recovery Mode, which permits the iOS install to be updated or restored. If the Boot ROM fails (the first step), the device enters DFU mode. Recovery Mode allows either attempting to “update”, which reinstalls iOS without loss of data, or “restore”, which results in loss of data – think of it as the difference between reinstalling an operating system over itself to repair corruption of the operating system and having to do a clean install because the file system became corrupted.[8]

Let’s put these pieces together. Recovery Mode (via its “update” path) will let you reinstall iOS without deleting the device’s data and without inputting the lock code. The FBI wants to be able to put its proposed fbiOS on the device in this mode – while leaving the data undisturbed. It wants its fbiOS to disable all software-based security measures and provide a way for it to programmatically brute force lock codes. Finally, it wants fbiOS to load and run completely in memory.

If it successfully compels Apple to do these discrete things, it will be able to argue to future courts in future cases that Apple should make any number of features available to assist in investigations because it already demonstrated being able to do the hard part – creating fbiOS that can live boot a phone from recovery mode with custom modifications – so any other changes are trivial and not burdensome.

Imagine this one step further – since this proposed fbiOS is a validly signed version of iOS, the FBI could slip fbiOS onto any investigatory target – and that installation would leave no trace once the phone was rebooted. The ability to surreptitiously install fbiOS on an iPhone or other iOS device gives the FBI exactly what it has been craving – its own bespoke backdoor. Imagine instead of allowing them to brute force your passcode, it simply waited for the next time you entered it before cheerfully texting it to the FBI – or waited until you unlocked your phone to begin streaming its contents to them as those contents became readable to the application processor. If this parade of horribles came to be, you can be sure every other government would want their own version of fbiOS – and the security progress made over the last few years would vanish in a heartbeat.

The first item of good news is that what the FBI requested may not be possible. Whether it is technologically plausible to boot an iPhone from recovery mode with a modified version of iOS is a question only someone with much more in-depth knowledge of iPhone hardware than I possess can answer – if the answer is no (or becomes no for future iPhones), then the parade of horribles is called off for bad weather. It would, however, be a murkier question if DFU mode were used to modify the Low-Level Bootloader first, and the modified LLB were then used to facilitate an fbiOS-style live boot from Recovery Mode.

The second item of good news is that the FBI’s request to disable the delay between passcode attempts may only be possible, if at all, in this particular case because it is an older iPhone. The phone here is an iPhone 5C, which has the older A6 processor. “On devices with an A7 or later A-series processor, the delays are enforced by the Secure Enclave. If the device is restarted during a timed delay, the delay is still enforced, with the timer starting over for the current period.”[9] The A7 chip, with the Secure Enclave feature, debuted in the iPhone 5S in 2013. Apple’s continued emphasis on building in hardware-based security mechanisms may have headed this entire problem off before it started.

The third item of good news is we can expect rigorous briefing of the issues present in this case from Apple itself, and a plethora of Amici Curiae.

The opinions expressed in this blog post are mine alone, and are not the opinions of my firm. Likewise, this post is not intended as nor conveyed for the purpose of providing legal advice. I am a lawyer, but I am not your lawyer.

References

1. See “Memorandum of Points and Authorities” included with “Government’s Ex Parte Application for Order Compelling Apple Inc to Assist Agents in Search” at 1 [Rec Doc not available], Case No. ED 15-CR-0451M.
2. See “EFF to Support Apple in Encryption Battle”, available at https://www.eff.org/deeplinks/2016/02/eff-support-apple-encryption-battle; see “Some notes on Apple decryption San Bernardino Phone”, available at http://blog.erratasec.com/2016/02/some-notes-on-apple-decryption-san.html; see “No, A Judge Did Not Just Order Apple To Break Encryption On San Bernardino Shooter’s iPhone, But To Create A New Backdoor”, available at https://www.techdirt.com/articles/20160216/17393733617/no-judge-did-not-just-order-apple-to-break-encryption-san-bernardino-shooters-iphone-to-create-new-backdoor.shtml.
3. See “A Message to Our Customers”, available at http://www.apple.com/customer-letter/.
4. Order Compelling Apple, Inc. to Assist Agents In Search at 2 [Rec Doc not available], Case No. ED 15-CR-0451M (emphasis added).
5. See generally “Live CD”, available at https://en.wikipedia.org/wiki/Live_CD.
6. See, e.g., https://livecdlist.com/.
7. Id. at p. 5 (discussing the “Secure boot chain” of an iOS device).
8. See “If you can’t update or restore your iPhone, iPad, or iPod touch”, available at https://support.apple.com/en-us/HT201263.
9. Id. at p. 12; see also id. at p. 7 (explaining the Secure Enclave).

The FTC brought an administrative action against LabMD, a Georgia-based medical testing lab, because of a security incident occurring within the company. A decision by the administrative law judge came out recently, essentially saying the FTC failed to carry its burden of proving actual or likely substantial harm to consumers.[1] The dismissal is, of course, now on appeal to the Commission, but I think LabMD is not very important because it is based on bad facts for an enforcement action. The only thing LabMD might stand for is the severe financial consequences of having to fight an FTC action even if your company’s failure did not actually hurt anyone (LabMD is essentially out of business now, and winding up operations). Wyndham, on the other hand, is a clear warning of the terrible consequences that come when the FTC takes issue with your cybersecurity failures – consequences which may include having the FTC looking over your shoulder for decades should you lose or settle.

As I wrote previously, the Wyndham case is a much more important precedent, with implications for cybersecurity practices and data breach responses.[2] In fact, the FTC and Wyndham have proposed a settlement that is now awaiting court approval.[3] The settlement terms give a glimpse into what standards the FTC will hold other companies to in the aftermath of a data breach.[4]


Wyndham Settlement

The settlement imposes a rigorous set of actions that Wyndham must take over the next twenty (20) years.[5]

Wyndham will be required to establish a “comprehensive information security program” that is “fully documented in writing” and consisting of “administrative, technical, and physical safeguards” appropriate to its size, complexity, the scope of its activities, and the sensitivity of data it holds.[6] This program will also mandate designated employees who are accountable for its implementation and oversight, ongoing risk assessments, implementing safeguards to control risk identified in the assessments, enforcing similar requirements on the vendors it uses, and continuously updating its program based on results from mandated monitoring and testing.[7]

Wyndham must also conduct annual assessments using qualified assessors to ensure its compliance with relevant security standards “at least as thorough as Version 2.0 of the PCI DSS Risk Assessment Guidelines.”[8] In the event of a sufficiently large breach, it will be obligated to commission “a PCI Forensic Investigator Final Incident Report”.[9]

Ongoing reporting and recordkeeping requirements are imposed, including notification requirements.[10] The most problematic requirement, however, is that the order would permit the Commission “to seek discovery, without further leave of Court” under the various Federal Rules of Civil Procedure that deal with discovery, for a period of at least 23 years.[11]

Conclusion

The settlement’s prescribed “comprehensive information security program” is something Wyndham should have had in place regardless. These programs and their constituent policies are reasonable and necessary efforts that all companies should have. The requirements in that portion of the proposed order are very much in line with recommendations being drafted by the data breach response brainstorming group in the Sedona Conference Working Group 11 (disclosure statement: I am part of the brainstorming group drafting those recommendations). The unfortunate aspect of Wyndham’s position is the loss of some control over its policies and the additional requirements imposed on it by the remainder of the proposed order.

In my opinion, Wyndham stands for the proposition that the innocent age when cybersecurity issues could be glossed over has passed. The numerous high profile data breaches over the past two years alone have raised public awareness and concern. Regulators have clearly taken notice on both the state and federal levels, and enforcement actions are going to become more common when companies do not take reasonable steps to address cybersecurity, data breach response planning, and consumer protection.  People may hate paying lawyers, but an ounce of prevention is definitely worth at least a pound of litigation later in the cybersecurity and data breach arena.

References

1. See “Initial Decision Docket No. 9357” at 88, available at https://www.ftc.gov/system/files/documents/cases/151113labmd_decision.pdf.
2. See “Understanding the Implications of FTC v. Wyndham on Data Security Practices”, available at http://hanrylaw.com/2015/09/11/understanding-the-implications-of-ftc-v-wyndham-on-data-security-practices/.
3. See “Wyndham Settles FTC Charges It Unfairly Placed Consumers’ Payment Card Information At Risk”, available at https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment.
4. See “Wyndham’s settlement with the FTC: What it means for businesses – and consumers”, available at https://www.ftc.gov/news-events/blogs/business-blog/2015/12/wyndhams-settlement-ftc-what-it-means-businesses-consumers.
5. See “Proposed Stipulated Order For Injunction”, available at https://www.ftc.gov/system/files/documents/cases/wyndhamproposedstiporderfullyexecuted.pdf.
6. Id. at 4-5.
7. Id. at 5-6.
8. Id. at 7.
9. Id. at 8.
10. Id. at 11-12.
11. Id. at 13 (section VI, “Compliance Monitoring”, applies as long as Wyndham is subject to any obligations in parts I or II of the order plus three years thereafter, and part I has a 20-year duration).

Social media discovery has long been used in family and criminal litigation, and it can be more widely utilized in casualty litigation as well.  Indeed, it is not uncommon to come across a timely post from the plaintiff describing how an accident occurred or a date-stamped admission of being “pain free.”  Moreover, plaintiff’s job search, work history, and even party habits are sometimes recorded on these platforms.

A number of defense attorneys have asked me how to capture and utilize this type of social media discovery, so I prepared this short primer on utilizing Facebook data.  Fortunately, the pattern of collecting, authenticating, and utilizing Facebook data can be replicated across many social media platforms with minor adjustments.

Initially, an attorney should determine the extent of plaintiff’s Facebook data that is publicly available.  There is no need nor excuse to use deception in viewing the truly public information.  Simply log into one’s own Facebook account and search for the plaintiff and plaintiff’s known aliases.  If the public information is valuable, capture it by (1) contracting with a third-party vendor or (2) using the “print screen” function and copying the relevant screen shots.  Note that if you use the cheap and quick method of capturing screen shots, these particular documents are unlikely to be admissible in that form.  That is, an attorney would be wise to avoid having to personally authenticate the information she captured.  A third-party vendor, however, could be relied upon to both capture the data in a usable form and to provide an affidavit regarding the authenticity of the data.  Of course, obtaining an affidavit of authenticity from the vendor at the time of the search and capture is recommended.

Specific discovery requests regarding social media data should be standard, much like those requesting the plaintiff’s cell carrier and phone number.  An example request for production states:

Produce a copy of your Facebook data.  This may be accomplished by (1) signing into your profile; (2) selecting “account settings” from the dropdown menu at the top of the page; (3) selecting the “Download a copy of your Facebook data” link towards the bottom of the page; (4) selecting “Start My Archive”; and (5) confirming the download and saving the data.[1]

Please note that you are not to delete or modify any historical data (data posted prior to [date of accident]) prior to the time such data is turned over to counsel for Defendants, and a violation of this instruction may be construed as spoliation of evidence.

A defense attorney should be prepared to compel the production of this data, as plaintiffs and their attorneys will nearly always try to avoid producing it.  Being armed with the screenshots or data captured prior to issuing formal requests will certainly work in your favor, though often the public data alone may not be sufficient to demonstrate the presence of discoverable information.  Even absent the screenshots or other data captured from the public profile, the defense attorney may have success arguing that the expected contents of the Facebook data—including pictures of plaintiff throughout his recovery, real-time snapshots of the plaintiff’s “status” on and around the date of the injury, and real-time snapshots of the plaintiff’s activities throughout the recovery period—far exceed the “calculated to lead to the discovery of admissible evidence” threshold.  Examples of highly relevant Facebook data discussed in recorded cases are both accessible and helpful to the motion.

Plaintiffs may also counter with confidentiality and privacy concerns.  While a competent discussion of these issues is beyond the scope of this post, a growing number of courts are recognizing that a plaintiff’s privacy interest in material posted online is minimal.  See, e.g., Nucci v. Target Corp., 162 So. 3d 146, 151 (Fl. 4th Dist. Ct. App. Jan. 7, 2015) (“[Plaintiff] has but a limited privacy interest, if any, in pictures posted on her social networking sites”).  At a minimum, the blanket refusal to provide any of the requested Facebook data because of privacy concerns should fail.

A litigant successful in obtaining the Facebook data should receive an electronic file with the following folders: html, photos, and videos (if there are any), along with a file named index.


The files titled “messages” and “wall” that are located within the html folder will often be the most valuable.  If these files are extensive, word searches of the files and of particular dates may be more efficient than reading from beginning to end.  The photos folder should be reviewed, and the index could be useful.  There may be two photos folders, one within the html folder and one located in the initial window; the folder located within the initial window will contain the actual photographs.  Also note that many of the files will open in an internet browser; using the “print to pdf” function of your browser to convert these files will result in more navigable documents with page numbers.  Whether or not the other files contained within the Facebook data are useful will be case specific.

Note that civil discovery directed to Facebook, or any other social media platform, will fail.  The Stored Communications Act mandates this result, and only law enforcement will be able to overcome this obstacle.  See 18 U.S.C. § 2701(a)(1).  Accordingly, the request of a waiver from plaintiff for the disclosure of social media content will usually be a waste of time.

Finally, despite the prevalence of discovery and admissibility fights over Facebook data, many states have yet to settle on uniform standards regarding the discoverability and use of the data.  Naturally, this landscape of caselaw will evolve rapidly over the next few years.

References

1. The instructions for downloading one’s own data can be found at https://www.facebook.com/help/131112897028467/.

The Federal Trade Commission (FTC) is very active and interested in data breaches and other cyber security incidents. The federal government and many state governments are slowly adding legislation that specifically addresses issues of cyber security and data breach reporting, but while those efforts slowly produce narrowly focused legislation, the FTC is trailblazing by using its existing and broad authority to regulate unfair business practices.[1] Using this broad authority, granted by Congress over a century ago, the FTC is actively bringing regulatory actions and filing suits against companies whose cyber security practices are inadequate and result in data breaches. These actions often result in consent decrees which have long-term consequences for the companies that settle with the Commission. Occasionally, a company will dig in for an extended legal battle. One such case is the FTC v. Wyndham action, which recently produced an appellate decision from the Third Circuit with significant implications for cyber security practices.[2]

I read court opinions so you don’t have to, so this post will discuss (1) a brief summary of the Wyndham data breaches, (2) the FTC’s authority under the “unfairness” prong, and (3) the importance of the Third Circuit opinion as a contour of likely future FTC actions. I will conclude by discussing future liability concerns in the wake of data breaches, especially in the context of the FTC.

WYNDHAM DATA BREACHES

In the FTC’s complaint, it lays out what it contends are the salient facts behind three data breaches of Wyndham’s networks.[3] Essentially, the systems in question consist of (1) the terminals at the hotels (“Property Management System”), (2) servers in a datacenter located in Phoenix, AZ (“Central Reservation System”), and (3) connections between the local hotel network and the Wyndham corporate networks.[4]

References

1. See 15 USC § 45(a).
2. See FTC v. Wyndham Worldwide Corp., 2015 U.S. App. LEXIS 14839 (3d Cir. N.J. Aug. 24, 2015).
3. See FTC v. Wyndham Worldwide Corp., Case No. 2:13-cv-01887 (D.N.J. 2012) R. Doc. 1.
4. Id. at ¶¶ 14-9.