Court Affirms FTC Authority in Cybersecurity Enforcement
An August 24, 2015 decision by the U.S. Court of Appeals for the Third Circuit appears to have broadened the scope of the FTC’s authority, ushering Commission oversight into the muddied waters of cybersecurity compliance. This newest decision affirmed the District Court’s prior ruling that Wyndham’s conduct amounted to an “unfair practice affecting commerce” under the FTC Act, 15 U.S.C. § 45(a). FTC v. Wyndham Worldwide Corporation, et al. Complaint at 5. As a brief background, the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). In 2005, the FTC began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. While the vast majority of these cases have ended in settlement, this newest Court of Appeals ruling appears to raise the bar for what the FTC considers sufficient cybersecurity practices.
The initial suit brought against Wyndham, et al. by the FTC focused on three incidents that occurred between 2008 and 2009 in which hackers gained repeated entry into Wyndham’s computer systems, ultimately stealing personal and financial data of thousands of customers, and resulting in an excess of $10.6 million in fraud-based charges being filed thereafter. This ruling signifies an important development in cybersecurity law, one that business owners should pay attention to. Specifically, business owners storing any amount of electronic customer data are urged to thoroughly reexamine their data and security management practices, ideally retaining the help of counsel.
In the Wyndham, et al. decision, the Court of Appeals homed in on some interesting aspects of the company’s data and security management practices, many of which highlighted seemingly inconspicuous vulnerabilities. For instance, the District Court held in the prior ruling that Wyndham employees’ use of the password “micros” on the company’s hotel management system was too easily guessed because the hotel’s system was developed by Microsoft. FTC v. Wyndham Worldwide Corporation, et al. (3d Cir.) at 8. Not exactly a glaring weakness, but it is important to take heed of the FTC’s detailed scrutiny here. Most of the other mishaps highlighted by the FTC were a bit more intuitive, including:
- Wyndham’s failure to use comprehensive firewalls to limit access between hotel property management systems, the corporate network, and the Internet.
- Wyndham permitted at least one hotel to connect to the Wyndham Network with an out-of-date operating system that had not received a security update in over three years’ time.
- Wyndham failed to adequately restrict third-party access to the Wyndham Network and the servers of Wyndham-branded hotels.
- Wyndham did not use adequate encryption because it stored hotel payment information as plain text.
The Court of Appeals also took issue with the fact that the hotel’s three cyber attacks were executed in nearly the exact same fashion, demonstrating to the Court that Wyndham had failed to follow proper incident response procedures by not learning from previous breaches. In response, Wyndham argued that although the FTC had indeed highlighted the need for it to beef up its cybersecurity measures, the FTC had failed to prove that the company’s data security practices fell within the plain meaning of the word “unfair,” as used in the FTC Act, 15 U.S.C. § 45(a), especially since the company was itself a victim of attacks and had committed no affirmative wrong. The Court of Appeals summarily dismissed this argument, reasoning that “[a]lthough unfairness claims usually involve actual and completed harms, they may also be brought on the basis of likely rather than actual injury” (emphasis added). FTC v. Wyndham Worldwide Corporation, et al. (3d Cir.) at 20.
In addition to serving as a cautionary tale to business owners that store or maintain electronic customer data, this ruling raises the question of whether the FTC’s reasoning may next be applied in the context of customers filing private suits against companies that mismanaged their data. Gordon Law Group has successfully and substantially reduced clients’ liability under the FTC Act, and our attorneys pride themselves in staying current on cybersecurity law’s rapid evolution. Contact us today to ensure that your company’s cybersecurity practices won’t land you a seat across the table from the FTC.