Over the past few years, the providers of public utility services have become increasingly aware of the need to protect their computer networks from electronic intrusion by individuals or organizations seeking to destroy equipment or disrupt service.  A recent court decision brings to light another cybersecurity issue that also should be of concern to utilities—namely, the theft of customer financial information and the potential liability for a utility that can arise from insufficient data protection.

Federal Trade Commission v. Wyndham Worldwide Corp., Case No. 14-3514 (3rd Cir., Aug. 24, 2015) involved the theft of guests’ personal and financial data from the Wyndham hotel chain’s computer network.  The hackers, who collected the data in three separate attacks, then ran up more than $10.6 million in fraudulent charges.  In response, the Federal Trade Commission filed a complaint alleging that Wyndham’s cybersecurity practices unreasonably and unnecessarily exposed consumers’ personal data to theft, and that its conduct violated the prohibition against unfair competition in the Federal Trade Commission Act.  The FTC alleged that, among other things, Wyndham allowed its branded hotels to store payment card information without encryption, failed to use readily available security measures such as firewalls, did not employ reasonable measures to detect and prevent unauthorized access to its computer network, and failed to follow proper incident response procedures.  Wyndham sought to have the FTC complaint dismissed on the ground that the FTC lacks the statutory authority to enforce cybersecurity standards.  The District Court denied the motion, so Wyndham appealed to the Third Circuit—without success.  The appellate court held that the District Court ruled correctly in deciding that a company may be found to engage in an “unfair method[] of competition in commerce” in violation of the FTC Act by failing to implement reasonable measures to protect the personal financial data of its customers.

Providers of utility services should take special note of Wyndham.  Utilities could be an inviting target for hackers because so many utilities now offer their customers the option of online bill payment.  These arrangements put the utility service provider in possession of sensitive customer financial data, such as credit card numbers and bank account information.  In addition, the ubiquity of utility service necessarily means that, at any point in time, a provider is likely to have in its database the private financial information of a very large number of people.  This offers hackers the promise of collecting large volumes of private financial data through a small number of intrusions.

As a matter of disclosure and perhaps reassurance, municipal utility systems that offer online payment typically inform customers of the measures they have taken to protect private information.  For example, one mid-sized Midwest municipal utility (roughly 110,000 electric service customers) includes the following in its “Privacy Statement” on its website:

[Utility] takes protecting personally identifiable information (PII) very seriously. Our technologies utilize multiple layers of security anytime information is stored, transmitted, or processed. These protections include strong network security and authentication, anti-virus protection, data encryption, and secure web tunnels (SSL). By using up-to-date products and technologies, [Utility] provides service in a safe and secure manner.

Similarly, a municipal utility in the Southeast with about 65,000 retail electric customers states on its website that it “is concerned with the security of [customers’] data,” and that it “uses SSL 128-bit encryption to secure your personal information.”

Utilities that offer online payment should assume that customers contemplating use of that option will rely on the utility’s description of its data protection measures.  Although utilities offer online payment generally for the convenience of customers, they also benefit from the reduced payment lag that online payment provides.  In light of that benefit, descriptions of the utility’s data protection measures will be carefully scrutinized should those measures later prove inadequate against a determined hacker.

The lesson of Wyndham is three-fold.  First, a utility’s public description of the data protection measures it employs must be factually accurate.  If the utility’s website describes a stronger set of data protections than actually are in use, that inaccuracy could later be portrayed as intentionally or negligently misleading.  Second, it is not enough to adopt a set of data protection measures and then forget about them.  Hackers are constantly honing their techniques and trolling for new vulnerabilities.  Utilities must ensure that their data protection measures are continuously updated and maintained.  Finally, it is vitally important to document—carefully and comprehensively—any and all steps taken to protect customer financial information.  That includes not only installing systems (hardware and software) but also maintaining and updating those systems.  It should not be assumed, for example, that every new patch pushed out by a software vendor is successful; it is important to document that the patch was downloaded, installed and tested.  Records that demonstrate ongoing efforts to prevent data theft can prove to be invaluable, should a breach someday result in lawsuits or administrative enforcement actions.