On August 24, 2015, the United States Court of Appeals for the Third Circuit issued a precedential opinion in the matter of Federal Trade Commission v. Wyndham Worldwide Corporation, et al., No. 14-3514 (3d. Cir., Aug. 24, 2015). The long-awaited opinion affirmed an earlier denial of Wyndham’s motion to dismiss the action by the United States District Court for the District of New Jersey. This opinion should be a wakeup call not only to Wyndham, but to other businesses whose cybersecurity practices might be lacking.
The matters at issue in the Third Circuit appeal revolved around the FTC’s assertion that the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce” granted the FTC authority to regulate cybersecurity under the Act’s “unfairness” prong, and if so, whether Wyndham had notice that its cybersecurity practices could fall short of that prong. The Third Circuit found that the FTC has such authority under the Act and also found that Wyndham had fair notice.
In 2008 and 2009, Wyndham’s computer systems had been successfully hacked on three occasions. The FTC alleged that the hackers accessed and/or stole personal and financial information of more than 600,000 consumers, who incurred over $10.6 million of fraudulent charges. Wyndham noted in its briefing that none of the consumers ultimately bore the burden of the fraudulent charges and they were apparently reimbursed by their banks and credit card companies.
There were myriad shortcomings in Wyndham’s security measures alleged by the FTC:
- payment card information was stored in plain readable text;
- easily guessed passwords were used to access Wyndham’s property management systems;
- Wyndham failed to used firewalls to limit access between systems and connect to the internet;
- at least one hotel was able to access the Wyndham systems using an out-of-date operating system that had not received a security update in over three years;
- hotel servers accessed Wyndham’s network with default user IDs and passwords enabled;
- Wyndham failed to maintain an inventory of computers connected to the network and manage the devices, which resulted in being unable to identify the source of one of the cybersecurity attacks;
- third party vendor access to systems was not restricted;
- no reasonable methods were in place to discover unauthorized access, or to conduct security investigations;
- proper incident response procedures were not implemented and the network was not monitored for malware.
Despite Wyndham’s arguments to the contrary, the Third Circuit determined that Wyndham’s alleged conduct, in fact, could be “unfair” within the meaning of the Act, and dispensed with Wyndham’s argument that it had not received fair notice of what the Act requires. The Court concluded that Wyndham “was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required” under the Act. Rather, Wyndham was only entitled to have fair notice that its conduct could fall within the meaning of the Act.
Ironically, in 2007 – before Wyndham suffered the breaches – the FTC had issued a guidebook titled Protecting Personal Information: A Guide for Business. That guidebook addressed and recommended fixing many of the failures in which Wyndham is alleged to have engaged. For example, the guidebook recommended encryption for sensitive data, updating vendor software, using firewalls, restricting access to networks or portions of network to those who have a legitimate need to be there.
Also before the attacks against Wyndham, the FTC had also filed complaints and entered into consent decrees in administrative cases raising unfairness claims based on inadequate data security. The Third Circuit noted in a footnote that Wyndham never argued that it was unaware of the consent decrees.
In addition to the opinion being important for an understanding of the enforcement positions that the FTC will take under the Act with respect to cybersecurity breaches, the opinion should also be a catalyst for businesses to take data security seriously if they haven’t already. Businesses should be looking at whether their systems and practices suffer from the same infirmities that Wyndham’s are alleged to have had. At a minimum, the opinion provides at least a framework for what is considered by the FTC to be unacceptable security measures. So companies must take stock of their security efforts and, if they are falling short, fix the problems. While not an exhaustive list, companies should check to make sure they are taking at least the following security measures:
- Prepare a computer and device inventory – do you know what you have and where it is.
- Regularly update software and correctly install security patches
- Use strong login IDs and passwords and change them periodically. Don’t allow use of default logins or passwords. Most importantly, don’t share login credentials with anyone
- Install firewalls between your systems and networks and the internet
- Segment networks and provide access only to the portions of the network a person needs to access to do their job
- Encrypt sensitive data
- Restrict and monitor third-party or vendor access to the network
- Monitor your network for intrusions and periodically run penetration testing
- Have a data breach response plan in place and know how to implement it
- If you have privacy policies, follow them.
For additional information and guidance on data security practices currently recommended by the FTC, the FTC has published Start with Security: A Guide For Business, available on its website here.