FTC v. Wyndham: Unfair Competition From Breach of Data Security Policy

We know it has been a few months since this decision, but as security and privacy become more important, a review of this decision is worthwhile. For those of you who have not yet read it, the following summary will help. The Federal Trade Commission (FTC) asserted that the defendants, Wyndham Worldwide Corporation and related Wyndham hotel entities, engaged in unfair and deceptive trade practices by failing to live up to their stated, published privacy policy. At the District Court level and on interlocutory appeal, Wyndham sought dismissal on several grounds, chiefly that the FTC lacked statutory authority to regulate data security and that Wyndham lacked fair notice of what the statute required. The District Court denied Wyndham's motion to dismiss, and the Third Circuit Court of Appeals affirmed. Federal Trade Comm'n v. Wyndham Worldwide Corp., 799 F.3d 236, No. 14-3514 (3d Cir. Aug. 24, 2015). The underlying point is simple: a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy and then fails to make good on the promise by investing inadequate resources in cybersecurity. As a result of its inadequate efforts, it exposes unsuspecting customers to substantial financial injury while keeping the profits of its business operations.

The FTC brought claims of unfair competition and deceptive trade practices under 15 U.S.C. sections 45(a) and 45(n). Those enforcement provisions prohibit unfair or deceptive acts or practices in or affecting commerce. This case follows a trend that began in 2005, when the FTC started bringing administrative actions against companies whose allegedly deficient cybersecurity measures failed to protect consumer data against hackers. The FTC alleged that Wyndham engaged in unfair cybersecurity practices that, taken together, unreasonably and unnecessarily exposed consumers' personal data and payment card data to unauthorized access and theft. The complaint also raised a deception claim: since 2008, Wyndham had published a privacy policy on its website that overstated the company's cybersecurity efforts. That privacy policy stated that Wyndham used industry-standard practices, although it did not "guarantee security." It further stated that Wyndham would use commercially reasonable efforts to create and maintain firewalls and other appropriate safeguards.

On three occasions in 2008 and 2009, hackers successfully accessed Wyndham's computer systems. They stole personal and financial information for hundreds of thousands of customers, leading to over $10.6 million in fraudulent charges. Wyndham franchises and manages approximately 90 independently owned hotels. It uses a property management system that collects names, payment card information and other data about its customers. The FTC alleged that Wyndham sometimes stored payment card information in clear, readable text. (As an aside, the Payment Card Industry Data Security Standard, or PCI DSS, which is widely known and used by merchants, requires that stored primary account numbers be rendered unreadable, for example by truncation, hashing or strong encryption, and forbids storing sensitive authentication data such as the card verification code at all.)
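The cleartext-storage allegation above is the one a merchant can verify for itself. The following is an added example, not code from the decision, the FTC or Wyndham: a small scanner that finds payment card numbers sitting in clear text in a log or data export (a candidate is a 13 to 19 digit run that passes the Luhn check, so dates and invoice numbers are not flagged) and a redactor that truncates a hit to its last four digits in the way PCI DSS permits for display. The sample records are constructed for the example; the field names are hypothetical.

```python
import re

# Constructed sample records, in the style of a property-management export that
# keeps card data in the clear. Field names are hypothetical.
SAMPLE_RECORDS = [
    "guest=J. Doe room=214 card=4111111111111111 exp=12/27",
    "guest=A. Roe room=102 card=378282246310005 exp=03/26",
    "guest=B. Poe room=305 card=4111111111111112 exp=01/28",  # fails Luhn: not a real PAN
    "invoice=20150824-001 total=1234567890123 status=paid",   # digit run, fails Luhn
]

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return the cleartext PANs (digits only) found in one line of text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Truncate to the last four digits; PCI DSS allows at most first six and last four."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Replace every PAN in the line with its masked form, leaving other numbers alone."""
    def _sub(m: re.Match) -> str:
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return _CANDIDATE.sub(_sub, text)


def scan(records: list[str]) -> dict[int, list[str]]:
    """Map 1-based record number -> PANs found, for every record that contains one."""
    report = {}
    for n, line in enumerate(records, start=1):
        pans = find_pans(line)
        if pans:
            report[n] = pans
    return report


if __name__ == "__main__":
    for n, pans in scan(SAMPLE_RECORDS).items():
        print(f"record {n}: {len(pans)} cleartext PAN(s) -> {redact(SAMPLE_RECORDS[n - 1])}")
```

Run it over the exports, log files and database dumps of a system that handles cards; any hit is data that PCI DSS says should not be there in that form. The Luhn filter keeps the false-positive rate low, but it is a screening tool, not proof of absence: card data split across fields or stored with a reversible transform will not be caught.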

The agency also alleged that easily guessed passwords were used: for remote access to at least one hotel's property management system, developed by Micros Systems, both the user ID and the password were "micros." The FTC alleged that firewalls were not used to limit access between the hotels' property management systems, the corporate network and the Internet. The agency alleged that Wyndham ran an out-of-date operating system and had not updated some of its security software in over three years. Further, Wyndham used default user IDs and failed to keep an adequate inventory of the computers connected to its network. This failure to inventory meant that the malware from the first intrusion went undetected and contributed to the later intrusions and data releases. Wyndham failed to adequately restrict network access by not limiting vendors to temporary or narrowly scoped access. It failed to conduct adequate security investigations after the incidents. It failed to monitor all of its networks for malware.

In April 2008, hackers broke into the local network of one hotel and then used a brute-force method, repeatedly guessing user login IDs and passwords, to reach an administrator account on Wyndham's network. They obtained unencrypted information for over 500,000 accounts. In March 2009, the hackers attacked again, and this attack was not discovered for two months, until consumers complained of fraudulent charges. Only then did Wyndham discover the memory-scraping malware the first attack had deposited on the computer systems of more than 30 hotels. The second attack resulted in the disclosure of payment card information for about 50,000 customers from 39 hotels. Late in 2009, a third attack occurred, again through an administrator account, but Wyndham did not learn of the intrusion until January 2010, when a card company passed on cardholder complaints. This third attack exposed payment card information for approximately 69,000 customers from 28 hotels.

The FTC alleged that Wyndham falsely told consumers that it followed industry-standard practices when it did not. Further, the FTC alleged that Wyndham's privacy policy deceived customers by representing that Wyndham used reasonable data security practices.

Of the many arguments raised by Wyndham, one of the more compelling involved whether Wyndham had "fair notice" that its inadequate data security policies and actions were contrary to the statute. In other words, did Wyndham have fair notice that its cybersecurity practices might violate the FTC Act? The Appeals Court stated that the relevant question is not whether Wyndham had fair notice of the FTC's interpretation of its enforcement statute, but whether Wyndham had fair notice of what the statute itself requires. The Appeals Court held that Wyndham was not entitled to know with "ascertainable certainty" the FTC's interpretation of which cybersecurity practices the statute requires.

The Court then looked to the statute itself, which asks whether "the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition." Section 45(n). Therefore, although the enforcement statute is not very precise, it informs parties that the relevant inquiry is a cost-benefit analysis. A number of cases regarding FTC enforcement efforts discuss the relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity, and the costs to consumers that would arise from investment in stronger cybersecurity, since a business will pass those costs on.

The FTC's complaint alleged that Wyndham failed to use any firewall protection at critical network points, did not restrict access by IP address at all, did not use any encryption for certain customer files, and did not require some users to change default or factory-set passwords at all.

Commentary: Companies should carefully consider their cybersecurity practices alongside the promises made publicly in their privacy policies, for every kind of customer data they hold. The gap between the promise and the practice is what the FTC treated as deceptive and unfair. After three significant intrusions and data breaches, Wyndham should have followed its own stated privacy policy and employed industry-standard software and management practices to prevent unauthorized disclosure of its customers' personal identifying information and payment card data.
