Wyndham Decision Reminds Us To “Start with Security”

The digital ecosystem should pay attention to a recent decision from the US Third Circuit Court of Appeals against Wyndham Worldwide Corporation, that affirms the FTC’s right to regulate data security.

The FTC’s authority to regulate data privacy has never been in doubt, given the agency’s broad mandate under section 5 of the FTC Act to oversee “consumer protection”. But the FTC’s authority to prescribe data security practices has been questioned in cases involving two separate plaintiffs – Wyndham Hotels and Lab MD.

Before we delve into the ruling and how it applies to a company collecting sensitive and personal data from end users, let’s review the relevant background.

The FTC’s case against Wyndham

Hackers breached Wyndham’s computer systems three times between 2008 and 2010, stealing credit card information from 619,000 individuals, and incurring over $10.6 million in fraudulent charges. These systems included Wyndham’s corporate networks, which were linked to computer systems for over 7,000 Wyndham managed hotels and franchisees. Despite these repeated hacks, Wyndham refused to update its security procedures – resulting in additional infiltrations of its systems.

As a result of not implementing these basic security procedures, hackers were able to install “memory-scraping” malware on corporate network and property management systems for Wyndham managed and franchised hotels. Over a period of two years, the hackers systematically extracted personal and sensitive information (names, addresses, credit card numbers) for over 600,000 individuals, and illegally exported that data to a domain registered in Russia.

In response, the FTC filed action, arguing that Wyndham’s repeated refusal to implement reasonable data security measures, while continuing to collect sensitive and personal data (including credit card and other billing information) from individual end users, was “unfair” under section 5.

Further, the FTC found that not adopting these basic data security procedures was “deceptive” under Section 5, because Wyndham promised in its privacy policy that it would use “standard” security measures to safeguard personal and sensitive data.

You can learn more about the background of the case in this excellent update by @JanisKestenbaum of Perkins Coie.

How Wyndham failed to secure its network

The FTC complaint details some of the many things that Wyndham didn’t do to secure its network:

• failing to use readily available security measures to secure its internal computer systems e.g. firewalls;
• configuring software incorrectly, and as a result, storing end users’ credit card information in clear text;
• failing to address known security vulnerabilities on servers;
• using default usernames and passwords for access to servers;
• failing to require use of complex user IDs and passwords by employees to access company servers;
• failing to reasonably limit third-party access to company networks and computers.

The FTC argued that such practices were standard among businesses collecting personal and sensitive data – and that by not adopting such practices, even after three successive hacks, Wyndham’s actions were unfair.

The Third Circuit Speaks

In reaction to the FTC action, Wyndham filed suit in district court alleging, among other things, that the FTC lacked the authority to bring a data security action. It also argued that the FTC had not adequately identified what are “reasonable” data security practices.

After losing this claim in district court, Wyndham appealed to the Third Circuit. The Third Circuit ruling responded with a ruling which is quite critical of Wyndham and provides slim grounds for a Supreme Court appeal under the principle of “Certiorari.”

The Court’s opinion answered two important questions raised by Wyndham:

1. The FTC has the authority under the FTC Act to bring data security actions against companies not employing “reasonable” data security practices.
2. The FTC has provided adequate notice to industry of what constitutes “reasonable” data security. On this point, the Court looked at the FTC’s arguments in numerous filings against defendants who had improperly secured data that they had collected from end users and customers. They also looked at the FTC’s published guidance, which is primarily based on industry best practices to articulate a standard.

The Third Circuit didn’t address the specific question of whether Wyndham’s actions were indeed “unreasonable” based on FTC guidance -that question will be addressed by the New Jersey district court to whom the case has now been remanded.

If you have reached this point in the post, then congratulations, this is where things get interesting and hopefully relevant for you.

What does Reasonable Data Security Mean for Your Business?

Under the Third Circuit’s analysis, the FTC has given companies enough notice of those practices that they would consider “reasonable” when it comes to securing personal and sensitive data – through settlements with numerous defendants, as well as published guidance to the industry.

In fact, the FTC has provided specific guidance on “reasonable data security” practices for mobile app developers in its Start with Security guide.

“There is no checklist for securing all apps. Different apps have different security needs. For example, an alarm clock app that collects little or no data will likely raise fewer security considerations than a location-based social network. Apps that are more complex may rely on remote servers for storing and manipulating users’ data, meaning that developers must be familiar with securing software, securing transmissions of data, and securing servers. Adding to the challenge: Security threats and best practices evolve quickly.”

In other words, the FTC expects app developers to adopt and maintain reasonable data security practices based on the type of data they are collecting and how they use that data. They don’t prescribe a one-size-fits-all approach.

So it’s a good time to take inventory of your data and security practices to determine whether they are “reasonable” in light of the data you collect and how you use and share that data. It’s worth taking a look at the FTC’s Start with Security guide and determining whether these steps apply to you.

In particular, the FTC urges companies that are collecting personal and sensitive data to do the following:

• Make someone responsible for security.
• Take stock of the data you collect and retain.
• Practice data minimization: Don’t collect or store data you don’t need.
• Research and understand the security practices of the mobile platforms you work with.
• Protect your servers. If you maintain a server that communicates with your app, take appropriate security measures to protect it. If you rely on a commercial cloud provider, understand the divisions of responsibility for securing and updating software on the server.
• If you’re dealing with financial data, health data, or kids’ data, make sure you understand applicable standards and regulations. You can find more details on the types of laws and industry frameworks that apply on TUNE’s recently launched privacy and data microsite.
• Provide notice of your security, data and privacy practices and “talk to your users in your own words”.
• Generate credentials (usernames, passwords) securely.
• Don’t store or transit sensitive data in plain text. Use transit encryption for billing data, and other important data. The FTC has brought actions against Lifelock, RockYou and ValueClick for plain-text data storage and transmission.
• Transit and storage encryption is also relevant for compliance with state data breach statutes – which require that you report to the state Attorney General and end users when “personal data” is breached. Personal data under the laws of California and other states includes unencrypted data – data stored in plaintext e.g. credit card information, email address stored with password.
• Stay involved with your app after it launches. New vulnerabilities arise daily, and even the most reputable software libraries require security updates.

So, Start with Security

The Third Circuit decision against Wyndham is an important reminder that all companies dealing in personal and sensitive data should review their data and security practices. A breach of such data can lead to FTC liability, class action lawsuits, and most importantly the loss of trust with your end users.

Is this a risk you are willing to take? If not, then it makes sense to “Start with Security” today.

An additional important resource:

If you want to get even more granular on what is “reasonable” data security and how it might apply to your business, then it’s worth checking out the “The Common Law of Privacy” by noted privacy scholars Dan Solove and Woody Hartzog. It explores how the FTC has been able to shape modern US privacy law through “consent decrees”i.e. settlements that require the company to do certain specific acts for a set period of time (usually 20 years). This includes a data security consent decree against Microsoft (for Passport); the agency now has privacy consent decrees with Facebook (over its 2009 privacy policy changes) and Google (over the 2010 launch of Buzz).

Photo credit: @dcillustrated

Like this article? Sign up for our blog digest emails.