In a decision that cites a litany of basic security blunders, the United States Third Circuit Court of Appeals unanimously found that the Federal Trade Commission has the authority to sue Wyndham Hotels for unfair cyber-security practices that, “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”
The decision lists a series of network security practices that came to light after a trio of breaches in 2008 and 2009. The fundamental security blunders include storing payment data and customer-identifying information in clear, unencrypted text. The company, which uses point-of-sale terminals made by Micros Systems, then set all of the user names and passwords to “micros.”
The company’s network was essentially wide open to attackers because Wyndham apparently didn’t feel the need to use firewalls, properly update server and computer software, control what computers attached to the company network or change default user names and passwords.
Network security was so lax that, as the court observed, Wyndham was unable to tell for sure that it had been hacked, and when the event became obvious (because its customers’ identities and credit card information were being sold online) it was at a loss to figure out how it had happened.
For its part, Wyndham was challenging the FTC’s authority to punish it for its security failings. The FTC began enforcing security practices in 2005 in conjunction with its charter that it protect consumers. Since then, companies that have been found not to be in compliance with reasonable security practices have settled with the FTC, signed consent agreements and beefed up their security practices.
Wyndham, however, decided to challenge the FTC through the courts using tactics that the court itself called “alarmist.” Among other things, Wyndham argued that it was the victim of the hackers and that consumers weren’t harmed. But the court’s decision noted that it was clear that Wyndham customers’ credit card numbers and their identities were stolen after the data breach.
The judges lapsed into Latin to ridicule some of the hotel chain’s arguments. “Wyndham posits a reductio ad absurdum,” the court wrote, meaning an argument that reduces its opponent’s position to absurdity, in describing Wyndham’s claim that the FTC was exceeding its legal authority in regulating IT security standards.
The company argued that if the FTC’s unfairness authority extends to Wyndham’s conduct, then the FTC also has the authority to “regulate the locks on hotel room doors, . . . to require every store in the land to post an armed guard at the door,” … and to sue supermarkets that are “sloppy about sweeping up banana peels.”
“The argument is alarmist to say the least. And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under §45(a),” the court wrote, referring to the section of the U.S. Code that prohibits unfair practices.
U.S. Court Affirms FTC Authority to Enforce Data Breach Rules
The court responded that it was not persuaded by Wyndham’s arguments, observing that the FTC’s actions were permitted under existing federal legislation and under the Constitution.
While Wyndham Hotels does theoretically have the right to appeal the decision to the U.S. Supreme Court, it’s hard to see how the high court is going to get past the vision of hundreds or thousands of customers, all slipping on banana peels. Wyndham’s legal position, it would seem, is untenable.
But the Wyndham decision is relevant to any industry that deals with the public. It’s clear that the FTC is convinced it’s a serious error to leave consumer financial or identity information effectively defenseless on corporate networks.
What it means to your business is that, in addition to the financial pain you may suffer, if you fail to protect customer information you can expect the feds to come down on you like a ton of bricks. That is in addition to the risk to the C-suite’s employment security as well as the market valuation of companies that fail to pay attention to data security.
Adding to the hotel chain’s troubles was its published privacy statement, which laid out all of the steps the company said it took to secure customer data; those steps included claims that all data was protected by 128-bit encryption.
Unfortunately, following the series of cyber-attacks on Wyndham, it became clear that the claims of protection were just that: claims. Wyndham didn’t actually do what it had claimed, and the FTC listed that as yet another deceptive business practice.
As you might expect, the FTC was pleased with the court decision. “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said FTC Chairwoman Edith Ramirez in a prepared statement released to the media. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
But what it really means to your company is that security of customer information is required by law. If you don’t protect the personal and financial information to the maximum extent required by the FTC, then you’re going to be in a world of hurt. In addition, it’s probably cheaper and easier to protect the data like you’re supposed to in the first place, instead of thinking up flimsy excuses for why you shouldn’t have to.