In a precedent-setting agreement, Wyndham Worldwide Corp. has agreed to settle charges brought by the U.S. Federal Trade Commission that the company failed to adequately protect its data systems and customer information from cyberattacks. The FTC announced the settlement on December 9, 2015, and the announcement ends a lawsuit that was the test case for the FTC’s power to regulate data security.
In 2012, after a two-year investigation into Wyndham’s data security practices, the FTC filed suit against the hospitality company alleging that Wyndham had engaged in “unfair … acts or practices” in violation of the Federal Trade Commission Act, 15 U.S.C. §45(a), by failing to take “reasonable and appropriate” measures to adequately secure hotel guests’ personal information. The FTC’s complaint alleged that Wyndham’s deficient security practices led to “the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers’ accounts, and more than $10.6 million in fraud loss.”
Wyndham initially filed a motion to dismiss the FTC’s complaint arguing that (1) the FTC did not have the authority to bring an unfairness claim involving data security under §45(a) of the FTC Act, and (2) even if it did, the FTC was required to promulgate regulations setting out the expected security standards before bringing such a claim. After its motion was denied by the United States District Court for the District of New Jersey, Wyndham filed an interlocutory appeal with the United States Court of Appeals for the Third Circuit. On August 24, 2015, the Third Circuit affirmed the denial, holding that the unfairness prong of §45(a) authorizes the FTC to bring data-security claims and that Wyndham had fair notice that its alleged practices could be deemed “unfair … acts or practices,” even though the FTC had never issued regulations defining what cybersecurity measures are required.
The recently announced settlement comes on the heels of the Third Circuit’s ruling. “This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” FTC Chairwoman Edith Ramirez said in a statement. “The court rulings in the case have affirmed the vital role the FTC plays in this important area.” Under the order, Wyndham must establish a comprehensive information security program designed to protect cardholder data, including payment card numbers, names and expiration dates, the FTC said. Although the settlement is subject to court approval and Wyndham was neither fined nor required to admit wrongdoing, the order will remain in force for 20 years and will require Wyndham to obtain annual audits certifying that its program conforms to a widely used industry standard for payment card security (the Payment Card Industry Data Security Standard, PCI DSS, or a comparable standard).
The Wyndham case provides guidance to companies about what types of practices the FTC considers necessary to safeguard sensitive information about customers and employees. At a bare minimum, companies need to implement the following practices and policies, each of which the FTC’s complaint alleged Wyndham had failed to adopt:
- store credit card numbers and other sensitive information in encrypted form, never in clear, readable text;
- apply security updates to operating systems and other software on a regular schedule;
- require employees to use strong, hard-to-guess user IDs and passwords to access company servers;
- train employees to follow the company’s information security policies;
- change default or factory-set passwords on the devices and software that control access through critical network points;
- use readily available security measures, such as firewalls, to limit access between the corporate network and the Internet;
- implement reasonable information security procedures before connecting local networks (such as a franchised hotel’s property management system) to the corporate network;
- investigate cybersecurity attacks that are discovered, identify their source, and recognize repeated patterns of security breach rather than treating each intrusion as an isolated event;
- implement reasonable measures to “adequately restrict” third-party vendors’ access to the network and to detect and prevent unauthorized access to the network; and
- conduct security investigations and follow proper incident response procedures when a breach occurs.
Beyond these basics, companies should take cybersecurity precautions that align with industry standards and federal guidelines. In February 2013, the President issued Executive Order (“EO”) 13636 directing the National Institute of Standards and Technology (“NIST”) to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure. The Cybersecurity Enhancement Act of 2014 reinforced NIST’s role under EO 13636. Since releasing the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”) in February 2014, NIST has been educating a broad audience about the Framework’s use and value. The Framework is being adopted voluntarily across the country, in a host of sectors, by organizations ranging from multinationals to small businesses. Businesses should also look to the cybersecurity requirements the federal government imposes on its own contractors, since those requirements are a likely indicator of what regulators will treat as reasonable.
Perhaps the most important lesson to take away from the Wyndham case is that the work of safeguarding consumer data never ends. Companies must recognize that they will be held to an ever-evolving standard of cybersecurity practice. What is reasonable today may not be reasonable next year and will almost certainly be insufficient in five years. As technology changes and attackers become more sophisticated, the standard of “reasonable” cybersecurity measures becomes a moving target, and it will not be the same for all industries. To ensure that they are meeting prevailing industry standards, businesses must remain vigilant and stay abreast of the best practices and expectations that can be derived from the settlements and consent orders the FTC announces.