In the United States, the Federal Trade Commission (FTC) has taken an aggressive regulatory approach in response to cybersecurity lapses in the private sector, commencing proceedings in a number of cases where consumers have suffered loss and damage as the result of cyber-attack.
Could this happen in Australia? So far, the Australian Competition and Consumer Commission (ACCC) has preferred to take an educational role in relation to cybercrime and cybersecurity.
The ACCC has powers under the Australian Consumer Law (ACL) that are analogous to statutory powers available to the FTC. If developments in the US are any guide, it is conceivable that the ACCC could look to take a more interventionist approach in the case of more serious and systemic IT security lapses, potentially including taking action under the ACL.
This article examines the case of Federal Trade Commission v Wyndham Worldwide Corporation1 and draws out important lessons to be learned and applied by Australian entities.
US Federal Trade Commission Act
The US Federal Trade Commission Act proscribes “unfair or deceptive acts or practices affecting commerce”2.
Since 2005, the FTC has exercised its statutory powers under this provision to protect consumers against corporations taking inadequate cybersecurity measures.
Federal Trade Commission v Wyndham Worldwide Corporation
The facts in the Wyndham case
“Wyndham Worldwide”4 is “a hospitality company that franchises and manages hotels and sells timeshares through three subsidiaries”5. At the time of these proceedings, there were approximately 90 independently-owned hotels utilising the Wyndham brand under licence as franchisees.
In an arrangement common in many franchise systems, each franchisee is required to purchase and configure a property management system which interfaces with a central data centre operated by Wyndham Worldwide.
Each hotel’s property management system processes customer information, including payment and credit card information.
Wyndham’s systems – including its corporate network and the hotel’s property management systems – were attacked on three occasions in 2008 and 2009. In 2008, hackers were able to obtain unencrypted information for more than 500,000 accounts which were “sent to a domain in Russia”6.
In a second attack in 2009, “hackers obtained unencrypted payment card information for approximately 50,000 consumers from the property management systems of 39 hotels.”7
And again, later in 2009, “hackers obtained payment card information for approximately 69,000 customers from the property management systems of 28 hotels”.8
Overall, the FTC alleges that:
the hackers obtained payment card information from over 619,000 consumers, which … resulted in at least $10.6 million in fraud loss.
The FTC has alleged a number of breaches of cybersecurity practices9, including the following:
- it was alleged that payment card information was stored in clear readable text
- it was alleged that franchisee property management systems were protected by “easily guessed passwords”; for example, in respect of one hotel’s system, which was developed by Micros Systems, Inc, “the user ID and password were both ‘micros'”10
- it was alleged that basic security measures, such as firewalls, were not employed to limit and control access between individual hotels’ property management systems, the corporate network and the internet
- it was alleged that individual hotels were permitted to access the corporate network via their property management systems without adequate safeguards and practices being in place; for example:
- one franchisee’s property management system had not had security updates applied “in over three years”
- it appears that in a number of cases, default user IDs and passwords were not changed
- at the corporate network level, there was inadequate control over who could connect and have access to the corporate network, meaning the source of at least one cyber-attack could not be identified
- third party vendor access to the corporate network and to franchisees’ systems was apparently poorly controlled; e.g., access was not limited to specified IP addresses and/or provided on a temporary, limited basis as required for a particular vendor to provide the relevant services
- it was alleged that reasonable measures were not in place to detect and prevent unauthorised access or to conduct security investigations
- it was alleged that proper “incident response procedures” were not followed, so that, despite there being three cyber-attacks in all, with similar methods used in each, Wyndham failed to sweep or monitor its systems for malware used in previous intrusions.
Comparing the US Federal Trade Commission Act with the ACL
The “unfair or deceptive acts or practices affecting commerce” provision of the US Federal Trade Commission Act has a number of direct parallels in our own Australian Consumer Law.
In addition, a number of other consumer protection provisions of the ACL are potentially enlivened by the scenario alleged by the FTC.
Misleading and deceptive?
We safeguard our Customers’ personally identifiable information by using industry standard practices. Although “guaranteed security” does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such [i]nformation consistent with all applicable laws and regulations … our Web sites utilize a variety of different security measures … including the use of 128-bit encryption based on a Class 3 Digital Certificate issued by VeriSign Inc. … We take commercially reasonable efforts to create and maintain “fire walls” and other appropriate safeguards”.
It was part of the FTC’s case (but not considered by the Court of Appeals) that such representations were “deceptive” within the meaning of 15 U.S.C. § 45(a).
In our view, the ACCC could take analogous action under s 18 of the ACL, if any such statements published in respect of security measures are “misleading and deceptive” or “likely to mislead or deceive” within the scope of s 18.
For example, a person may be induced, in reliance on a website statement about privacy and/or security measures, to transact on line with an entity. The causal link to such policies and statements (for the purposes, for example, of an award of damages under s 236 of the ACL) is readily established by the requirement that a consumer “agree to” or “accept” such statements and other terms and conditions before engaging in transactions on a website.
Other provisions of the ACL
It is not difficult to envisage Wyndham-type scenarios potentially giving rise to ACCC action under other provisions of the ACL, including:
- s 19(1)(b): false or misleading representation that services are of a particular standard
- s 34: misleading conduct as to the nature, the characteristics or suitability for purpose of services
- s 60: guarantee that services will be rendered with due care and skill
- s 61: guarantee that services will be reasonably fit for purpose.
In the Wyndham scenario, although the group’s primary business is providing holiday accommodation, in the author’s view, it is strongly arguable that Wyndham is also providing accommodation booking, reservation and payment services, providing a tie-in for the ACL provisions referred to above.
Will the Government tell us what to do?
Commonwealth agencies, in particular security agencies such as the Australian Signals Directorate, have for some years now been publishing cybersecurity guidance and recommendations for businesses. ASIC has also published recommendations in this area.14
The Wyndham case tells us that corporations would do well to avail themselves of such free advice, if they have not already done so.
It was an element of Wyndham’s appeal case that FTC had “failed to give fair notice of the specific cybersecurity standards the company was required to follow”.15
The Court of Appeal rejected this argument, citing an FTC publication from 2007 which counselled against many of the failures in Wyndham’s cybersecurity policies alleged by the FTC. Those FTC recommendations covered areas such as:
- encrypting sensitive information stored on a computer network
- installing patches and updates to ensure the latest identified security vulnerabilities are addressed
- using firewalls
- setting access controls
- using “strong” passwords (and in particular, changing default passwords)
- developing a breach plan.
Many similar recommendations can be found in various Commonwealth publications and guidance16 and also in industry-published standards and codes of practice.17
If the ACCC decides to follow the lead of the FTC in the area of cybersecurity, woe betide the organisation that has not implemented cybersecurity standards consistent with such published guidance (to the extent relevant).18
So far the ACCC has not made any moves to go down the litigation path in this area. However, it would seem that FTC-type actions could be open to the ACCC in suitable circumstances.
This seems to us to be another reason, if one was needed, for corporations to take cybersecurity issues very seriously, including at senior management and board levels. Nobody will want to be the first to be a test case for the ACCC flexing its potential muscle in this area, on top of all of the other pain that a cyberbreach would inflict.
In particular, corporations should:
- take reasonable cyber security measures to protect customer information and access to its systems (and, where relevant, those of its franchisees)
- ensure that cybersecurity measures, at a minimum, meet requirements identified in relevant government and industry publications
- check public statements, including those published on websites, in relation to cybersecurity measures to ensure that such statements are not misleading and deceptive.