On August 24, 2015 the U.S. Court of Appeals for the Third Circuit strengthened the Federal Trade Commission’s cybersecurity compliance authority. The decision affirmed the District Court’s prior ruling that Wyndham’s conduct amounted to an “unfair practice affecting commerce” under the FTC Act, 15 U.S.C. § 45(a).
FTC v. Wyndham: Unfair and Deceptive Acts
The FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” Beginning in 2005, the FTC started using that provision to sue companies with lax data security programs. The vast majority of those cases have ended in settlement, but the Court of Appeals ruling in the FTC v. Wyndham saga appears to raise the bar for what counts as sufficient cybersecurity practice.
The FTC’s suit against Wyndham focused on three intrusions that occurred between 2008 and 2009. Attackers gained repeated entry into Wyndham’s computer systems and stole customers’ personal and payment card data. In the end, the breaches resulted in over $10.6 million in fraudulent charges.
FTC v. Wyndham: Every Business Should Familiarize Themselves With The Case
This ruling signifies an important development in cybersecurity law. Business owners storing any amount of electronic customer data are urged to thoroughly reexamine their data and security management practices, ideally with the help of someone who intimately understands the related regulations and laws.
In the Wyndham decision, the Court of Appeals homed in on seemingly inconspicuous weaknesses in the company’s data security program. For instance, the FTC alleged (and the courts, ruling on a motion to dismiss, accepted the allegation as true) that Wyndham employees used the password “micros” on the hotel property management system, a password that was trivially guessable because the system was developed by Micros Systems, the vendor whose name it repeated. Most of the other lapses highlighted by the FTC were more intuitive, including:
- Wyndham’s failure to use comprehensive firewalls to limit access between hotel property management systems, the corporate network, and the Internet.
- Wyndham’s failure to limit access to its network. One hotel was able to connect to the Wyndham Network with an out-of-date operating system that had not received a security update in over three years’ time.
- Wyndham’s failure to adequately restrict third-party access to its computer network.
- Wyndham’s failure to use adequate encryption. The multi-national corporation stored payment card information in clear, readable text.
FTC v. Wyndham: Courts Can Blame Victims For Recidivist Hacking
Attackers breached Wyndham several times using the same methods. The courts treated this as a due diligence deficiency on Wyndham’s part sufficient to support the FTC’s unfairness claim. After all, the judges reasoned, the company failed to learn from its mistakes and, by not fixing the weaknesses that enabled the first intrusion, left consumers exposed to the next one.
FTC v. Wyndham: What Did Wyndham Argue In Its Defense?
In response, Wyndham argued that although the FTC had highlighted the need for enhanced cybersecurity measures, it failed to show that the company’s data security practices fell into “unfair” territory as defined by the FTC Act, especially since the company was itself an attack victim that had committed no affirmative wrong. The Court of Appeals rejected this argument, reasoning that “[a]lthough unfairness claims usually involve actual and completed harms, they may also be brought on the basis of likely rather than actual injury” (emphasis added). FTC v. Wyndham Worldwide Corporation, et al. (3d Cir.) at 20.
Can private parties looking to sue companies for sub-par digital security use this ruling? Time will tell.
Contact An FTC Defense Lawyer
Gordon Law Group has successfully and substantially reduced clients’ liability under the FTC Act, and our attorneys pride themselves in staying current on cybersecurity law.
Contact us today to ensure that your company’s cybersecurity practices won’t land you in a seat across the table from the FTC.
Federal Trade Commission v. Wyndham Worldwide Corporation, et al., 799 F.3d 236 (UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT August 24, 2015).