The Federal Trade Commission has filed a lawsuit against Wyndham Worldwide and three of its subsidiaries (Wyndham Hotel Group, Wyndham Hotels and Resorts, and Wyndham Hotel Management; the Wyndham family includes the Ramada, Howard Johnson, Super 8, and Days Inn hotel chains) for, essentially, deceptive practices.
This suit is part of the FTC’s long history of ensuring consumers get what they’re promised; it’s certainly not the first time the Commission has brought charges against a company after it suffered a data breach. Which makes me muse: could it ever come to a point where not using hard disk encryption like AlertBoot would be grounds for bringing legal action against a company?
“We Safeguard Our Customers’ Personally Identifiable Information”
The above, in quotes, is what got Wyndham in trouble with the FTC. Mind you, the story is making the rounds on business and IT/security sites as an “FTC lawsuit for data breaches.” Nothing could be further from the truth…at least, on paper.
Simply put, the FTC doesn’t have the power to sue companies for having a data breach. But the Federal Trade Commission can definitely bring action for deceiving consumers. What deception could Wyndham have committed? You can ask Rite Aid, Twitter, RockYou, and other companies: promising to safeguard customer information but not actually doing so.
In its complaint, the FTC noted the following about Wyndham:
Since at least 2008, Defendants have disseminated, or caused to be disseminated, privacy policies or statements on their website to their customers and potential customers. These policies or statements include, but are not limited to, the following statement regarding the privacy and confidentiality of personal information, disseminated on the Hotels and Resorts’ website:
. . . We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program (collectively, “Customers”). . . . This Policy applies to residents of the United States, hotels of our Brands located in the United States, and Loyalty Program activities in the United States only. . . . We safeguard our Customers’ personally identifiable information by using standard industry practices. Although “guaranteed security” does not exist on or off the Internet, we take commercially reasonable efforts to create and maintain “fire walls” and other appropriate safeguards to ensure that to the extent we control the Information, the Information is used only as authorized by us and consistent with this Policy, and that the Information is not improperly altered or destroyed.
And, that this resulted in:
Defendants’ security failures led to fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia. In all three security breaches, hackers accessed sensitive consumer data by compromising Defendants’ Phoenix, Arizona data center.
The FTC contends that the promises of client data security were not kept. In fact, its investigation found that Wyndham (as summarized by a commentator at slashdot.org):
- failed to use … firewalls
- allowed … storage of payment card information in clear readable text;
- … permitted Wyndham-branded hotels to connect insecure servers to the … network, including servers using outdated operating systems that could not receive security updates or to address known security vulnerabilities;
- allowed … well-known default user IDs and passwords … easily available to hackers through simple Internet searches;
- … did not require the use of complex passwords for … property management systems … Defendants used the phrase “micros” as both the user ID and the password;
- failed to adequately inventory computers connected to the … network;
- failed to … conduct security investigations;
- failed to … monitor … network for malware used in a previous intrusion; and
- failed to adequately restrict third-party vendors’ access to … property management systems …
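As an added example (it is not from this post, the Slashdot summary, or the FTC complaint), the Python below turns two of the listed failings into checks a practitioner could run against their own exports: a default/weak-credential audit over an account list from a property management system, and a scan of a folio export for payment card numbers stored in clear text, using a Luhn check to separate real card numbers from other long digit runs such as batch IDs. The hostnames, accounts, the list of “known default” credentials and the log lines are all constructed for the example; only the “micros”/“micros” pair comes from the page.

```python
import re

# Constructed sample data. Hostnames, accounts and passwords are invented;
# only the "micros"/"micros" pair is taken from the FTC complaint as quoted above.
SAMPLE_ACCOUNTS = [
    {"host": "pms-01.example", "user": "micros", "password": "micros"},
    {"host": "pms-02.example", "user": "admin", "password": "Tr0ub4dor&3x"},
    {"host": "pms-03.example", "user": "nightaudit", "password": "nightaudit"},
    {"host": "pms-04.example", "user": "frontdesk", "password": "summer"},
]

# Assumed list of vendor defaults "easily available ... through simple Internet
# searches". Illustrative only; not a real vendor list.
KNOWN_DEFAULTS = {("micros", "micros"), ("admin", "admin"), ("guest", "guest")}

# Constructed folio export: one unmasked card number, one masked one, and a
# batch identifier that is long enough to look like a PAN but is not one.
SAMPLE_EXPORT = """\
2012-06-26 10:14:02 folio=88213 guest=J.Doe card=4111111111111111 exp=0115
2012-06-26 10:14:09 folio=88214 guest=A.Roe card=411111******1111 exp=0216
2012-06-26 10:15:33 batch=20120626123456 status=ok
"""


def meets_complexity(password, min_length=12):
    """Assumed policy: at least min_length characters and three character classes."""
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    return len(password) >= min_length and classes >= 3


def credential_findings(accounts, min_length=12):
    """Return (host, reason) for every account that fails the credential checks."""
    findings = []
    for acct in accounts:
        user, pw = acct["user"], acct["password"]
        if (user, pw) in KNOWN_DEFAULTS:
            findings.append((acct["host"], "default vendor credential"))
        elif user == pw:
            findings.append((acct["host"], "password equals user ID"))
        elif not meets_complexity(pw, min_length):
            findings.append((acct["host"], "password fails complexity policy"))
    return findings


# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def cleartext_pans(text):
    """Return the unmasked card numbers found in text (separators stripped)."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def audit(accounts=SAMPLE_ACCOUNTS, export=SAMPLE_EXPORT):
    """Run both checks and return the findings as a dict."""
    return {
        "credentials": credential_findings(accounts),
        "cleartext_pans": cleartext_pans(export),
    }


if __name__ == "__main__":
    for section, items in audit().items():
        print(section)
        for item in items:
            print("  ", item)
```

The masked card number on the second line is not reported because the asterisks break the digit run, and the batch identifier on the third line is long enough to match the pattern but fails the Luhn check, which is why the scan does not rely on digit count alone. The complexity policy and the default-credential list are assumptions; substitute your own.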
Does all of this sound like obvious security failings? The FTC certainly thinks so. The Washington Post notes:
Maneesha Mithal, associate director of the FTC’s division of privacy and identity protection, said the security failings were “obvious.” She added: “We don’t bring cases that we think are close calls.”
Wyndham, for its part, has promised to “vigorously” defend itself.
Could Not Using Laptop Encryption be the Next Reason for a Lawsuit?
The above suit is interesting in that the FTC lists specific technologies (or the lack thereof) as partial grounds for suing Wyndham, such as firewalls and complex passwords.
If we were to follow this line of thought, along with the further details found in the Wyndham suit, it’d only make sense to, for example, take action against a financial corporation for not using adequate encryption software to secure the contents of a bank-issued employee laptop that contains sensitive client data (but only if the bank promises consumers that it will do its utmost to protect that data…which it probably does).
For example, let’s say a bank allows employees to carry client data on laptops and other mobile devices (such as smartphones and tablets) as part of its BYOD / consumerization transition. Since the bank is the enabler of the mobile workforce, and the employees work for the bank, the bank is ultimately responsible for ensuring that client data is secured.
Not using laptop encryption and other mobile security tools (which, let’s face it, are de rigueur in this day and age, despite all the companies out there that still don’t use them; I’m not necessarily referring to banks, which have traditionally been very good at this) could then conceivably be a sign that the company was being lax in its security and “deceptive” when it claimed to be doing its utmost to protect the personal details it collects from customers.
You might object that (a) companies have been promising data security forever and (b) companies have been losing unencrypted laptops full of personal information, also forever…so, what’s new? Why would the FTC go after companies that lose laptops now when it let such cases slide in the past?
And my rebuttal would be: well, (a) companies have been promising data security forever and (b) companies have been hacked for as long as they’ve been losing laptops, and look at what’s happening now.