That the Federal Trade Commission (FTC) has court-approved authority to bring legal action against companies embroiled in data breaches is old news by now. Of course, when you consider that the FTC has been suing companies over data breaches since 2005, and has over 40 such cases under its belt to date, this doesn’t sound like groundbreaking news. Indeed, for all intents and purposes, everyone appeared to accept that the FTC should be playing cybercop.
It’s a Bold Move
Everyone, that is, except Wyndham Worldwide Corporation, a hotel and resorts company. After being sued by the FTC – how could they not? Wyndham had experienced three data breaches over two years; let’s face it, that’s up there as data breaches go – the company argued that the FTC did not have the authority to bring legal actions against companies for data breaches.
Last month, the courts declared otherwise. The Third US Circuit Court of Appeals sided with the FTC and declared that the Commission did indeed have the right (some might even say the duty) to go after companies that were remiss in protecting customers’ sensitive data. Wyndham begs to differ (my emphasis):
“While we are disappointed by today’s opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security,” Michael Valentino, a spokesperson for Wyndham Worldwide, told BuzzFeed News.
I guess Wyndham could try to get an opinion from the US Supreme Court. If anything, Wyndham cannot be accused of not having enough panache. I’ll bet their hotels are excellent.
Where’s the Beef?
One of the arguments that Wyndham made, and will probably make once they’re back in the lower courts (they still have to defend themselves against the FTC’s accusations), is that the FTC didn’t make clear what comprised the level of security it was looking for. It turns out that it may be a moot point: according to the FTC accusations, which the court made a point to draw attention to, Wyndham was being sued because it did not have certain security in place, never mind the level of security:
the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, … did not restrict specific IP addresses at all, … did not use any encryption for certain customer files, … and did not require some users to change their default or factory-setting passwords at all.
Think of it this way: if a friend asks you to pick up some beer at the store, there’s a heck of a difference between saying,
- hey, I didn’t know what kind you liked, so I got this (nice. It’s the thought that counts)
- hey, I didn’t know what kind you liked, so I got all of these different ones (generous, although there’s a chance you missed the mark)
- hey, I didn’t know what kind you liked, so I didn’t get you any (no need to comment, I imagine)
Likewise, the complaint Wyndham is throwing around about security levels is a deflated one if the FTC is right.
The court also pointed out that FTC action was brought against a different company in the past for essentially the same issues Wyndham was being accused of. It goes without saying that if one company was sued because of certain security shortcomings, then a different company would also be sued for the same.
Also, consider that (a) there was a period of 6 years between Wyndham and the company given as an example, meaning the former had more than adequate time to put something in place and (b) Wyndham had been hacked three times in two years. Three times!
Furthermore, if the accusation holds, Wyndham’s three data breaches were essentially more of the same: if shortcomings were shored up after the first breach, the second and third data breaches could very well not have taken place.
Fair Notice of Proposed Standards for Data Security
Among all the untenable things that Wyndham has proclaimed, there is one salient truth: the FTC has never issued guidance on what cybersecurity measures are considered reasonable. It could be argued that Wyndham failed to use and to implement specific data security and protection measures and policies because such guidance was lacking. There is no denying that the dissemination of an official to-do list would make it easier to adhere to best practices.
The thing is, there are plenty of companies around the size of Wyndham that are doing an excellent job of protecting customer data – or at least, meeting the lowest possible acceptable standards – despite the lack of a data security guideline from the FTC.
(Wyndham ranked #497 in the 2015 Fortune 500 list, in case you’re wondering whether the company has the financial wherewithal to properly secure data.)
True, many companies in the Fortune 500 tend to be in the technology sector, making things a little bit easier for them. But Wyndham being in the hospitality business is not much of a defense: they can always hire consultants. Chances are, they already have, currently do, and will continue to do so. After all, someone in the tech sector has to set up and run their global POS network, customer loyalty tracking software, global CRM, etc. The argument that Wyndham didn’t have the proper data security and technology in place because, simply put, they didn’t know what to use, is a shallow one and an impermissible one at that.
The argument seems even less believable when you consider that there are many laws and industry regulations and agreements geared towards preventing the types of blunders that Wyndham is accused of engaging in. It’s the 2010s; one does not simply argue that they failed to properly secure their network because there were no guidelines.