Background on the case
On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in the case <i>FTC v. Wyndham Worldwide Corporation</i>. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the Federal Trade Commission to regulate data security standards, but nowhere was the anticipation more keen than in the hospitality industry. After all, this decision didn’t deal with retailers, banks or dating sites – it addressed a major hotel player and, by implication, all operators, brands and owners in the industry.
We know that cybercrime is big. In 2014, there were 42.8 million detected security incidents (and, most likely, many more that were never discovered). Estimates of the annual cost of cybercrime to the global economy range from $375 billion to as much as $575 billion, as companies face increased vulnerability driven by more capable technology available to cybercriminals and by new types of cybercrime, like crypto-ransom.
The decision should be a wake-up call to hotel owners because, as described below, hotel owners may ultimately bear the cost of data breaches involving their hotels. Owners should look at the Wyndham decision as an opportunity to consider whether their brands and managers have taken the steps necessary to protect guests and, ultimately, the hotel owner.
The case arose out of a suit brought by the FTC against Wyndham, a global hotel company, for failing to adequately safeguard its computer network, allowing hackers to access customer information, resulting in the compromise of more than 600,000 credit card records and financial losses in excess of $10 million. Wyndham argued that, among other things, the FTC lacks authority to regulate data security standards of commercial entities. The lower court ruled in the FTC’s favor, and Wyndham appealed to the U.S. Court of Appeals for the Third Circuit. On August 24, 2015, the Third Circuit affirmed the district court, upholding the FTC’s data protection authority. The result is that for the first time, the United States has what amounts to a data security regulator.
The FTC has published an official release on the Wyndham opinion, and the full opinion of the court in FTC v Wyndham Worldwide is also available; the FTC characterizes the opinion as “a must-read for business executives and attorneys.”
What did Wyndham do wrong?
The Wyndham decision is particularly helpful because it identifies clearly what Wyndham did – or did not do – that violated the FTC’s standards. Specifically, the FTC claimed that Wyndham:
- failed to use readily available security measures, such as firewalls
- stored credit card information in clear text
- failed to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks
- failed to address known security vulnerabilities on servers
- used default user names and passwords for access to servers
- failed to require employees to use complex user IDs and passwords to access company servers
- failed to inventory computers to appropriately manage the network
- failed to maintain reasonable security measures to monitor unauthorized computer access
- failed to conduct security investigations
- failed to reasonably limit third-party access to company networks and computers
Security professionals recognize that this list is a fair representation of minimum security requirements for any information system. Any company that does not address these requirements is likely to experience a breach. This list also amounts to an inventory of violations of Section 5 of the FTC Act – engaging in unfair or deceptive trade practices – and any firm that collects and maintains data and is guilty of these failures can expect to be subject to action by the FTC, as well as by private plaintiffs.
A call to action for hotel owners
We know that many hotel owners don’t consider the impact of data security, because most hotel owners don’t directly collect, store or utilize personal information; they engage managers and brands to do that through reservation systems, loyalty programs and marketing. But hotel owners should be concerned, because they are generally required to indemnify brands and managers for costs the managers and brands incur. To put it simply, if there is a breach, and if the brand or manager has to pay money to manage the breach, the owner will likely have to pay the bill, or at least have a significant struggle over the issue.
The list also has a potential benefit to hotel owners, because it allows owners to express their expectations of hotel brands and managers. Owners can, and should, require their managers and licensors to follow the standards set by the FTC as part of their duties, and to bear the cost if they do not.
At the same time, hotel owners should be aware that they, too, are subject to this regime. Hotel owners have to consider that they own, hold and maintain sensitive personal information, such as employment records, health information, financial data and business secrets. As a result, they have a legal obligation to protect that information. Hotel owners must both protect their information, and require their business associates to do the same.
Owners should also consider one additional factor that isn’t addressed in the Wyndham decision, but permeates almost every data breach: the human factor. At least 95% of reported data breaches can be traced to an intentional or unintentional act by a person within or associated with the affected organization. The fact is that a company can remedy all of the deficiencies noted by the FTC and still be subject to a breach, because an individual employee or contractor can, effectively, bypass all technological protections simply by responding to the wrong email or clicking on the wrong website. Hotel companies are, as we know, focused on individuals, whether it is serving guests or cultivating employees and associates. Hotel owners should demand of their brands and managers that they focus on the importance of individuals in thwarting these attacks and in creating an industry that engenders the public’s trust.
A note for hotel operators
Hotel operators will be concerned about meeting the rising standards for data security to avoid costly litigation by the FTC and other private parties, to fulfill their duties and expectations under their contracts with owners, and to avoid embarrassing publicity on blunders that could have been avoided. Failing to meet minimum standards likely constitutes a breach of contractual obligations, will put the operator at a comparative disadvantage to competitors who offer greater data security, and will bruise the operator’s public image.
Besides, most operators will want to do the best they can because it is the right thing to do for all concerned.