Last week, a federal district judge in New Jersey upheld the Federal Trade Commission’s authority to pursue a case charging the Wyndham hotels group with “unfair” and “deceptive” conduct arising out of a series of hacking incidents directed at Wyndham. The court’s ruling points the way toward a legal regime where the victims of hacking can potentially be held responsible for failing to prevent data breaches if their security measures were deficient.
What happened at Wyndham, what did the court say, and what are the practical takeaways for other companies?
WHAT HAPPENED AT WYNDHAM
According to the FTC’s complaint, from 2008 to 2010 hackers stole credit card data and other personal information belonging to about 600,000 Wyndham customers, resulting in more than $10 million in fraudulent charges to their accounts. Notably, the FTC pleaded an itemized list of security failures on Wyndham’s part:
- failure to employ firewalls to limit access between the public internet, individual hotel servers and the corporate network;
- storage of payment card information in clear readable text;
- permitting insecure servers to connect to Wyndham’s networks, including servers that used commonly known default user IDs and passwords, or that ran outdated operating systems incapable of receiving security updates for known vulnerabilities;
- failure to employ commonly used methods to require user IDs and passwords that were difficult for hackers to guess;
- failure to maintain an adequate inventory of computers with access to Wyndham’s servers containing sensitive information;
- failure to monitor its network for malware used in previous intrusions; and
- failure to restrict third-party access to its network, such as by restricting connections to specified IP addresses, or by granting only temporary and limited access.
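The list above reads as a compliance finding, but each item corresponds to a check an IT group can automate. The script below is an added example, not code from the original post or from Wyndham or the FTC; it audits a constructed, entirely hypothetical fleet (host names, credentials, the “prior intrusion” hash and the observed-connection list are all made up) against the seven pleaded failures: network segmentation, card numbers stored in clear text (found with a Luhn check so that ordinary confirmation numbers are not flagged), default or guessable credentials, end-of-life operating systems, unrestricted third-party access, known malware from an earlier intrusion, and hosts touching sensitive servers that the inventory does not know about.

```python
"""Audit a constructed asset inventory against the seven failures the FTC pleaded
against Wyndham. Added example; hosts, hashes and credentials are all made up."""
import re
from dataclasses import dataclass, field

# Constructed reference data (assumptions, not taken from the complaint or any real system).
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
EOL_OS = {"Windows 2000", "Windows Server 2003"}          # no longer receives security updates
PRIOR_INTRUSION_HASHES = {"3b7d" * 16}                    # constructed IOC for a tool seen in an earlier breach
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional space/dash separators


@dataclass
class Host:
    name: str
    os: str
    segmented: bool            # is there a firewall between this host and the corporate network?
    accounts: dict             # user -> configured password
    stored_records: list       # strings found in the host's data store
    remote_allowlist: list     # source IPs/CIDRs permitted for third-party access; [] = unrestricted
    file_hashes: set = field(default_factory=set)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cheap filter that rules out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(records):
    """Return card numbers stored unencrypted (Luhn-valid 13-19 digit runs)."""
    hits = []
    for rec in records:
        for m in PAN_RE.finditer(rec):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append(digits)
    return hits


def weak_credential(user, pw):
    """Default, username-equal or short passwords are the ones the complaint calls guessable."""
    return (user, pw) in DEFAULT_CREDS or pw == user or len(pw) < 12


def audit_host(h):
    """Map one host's configuration onto the FTC's list; returns the findings."""
    findings = []
    if not h.segmented:
        findings.append("not firewalled from the corporate network")
    pans = find_cleartext_pans(h.stored_records)
    if pans:
        findings.append(f"{len(pans)} card number(s) stored in clear text")
    for user, pw in h.accounts.items():
        if weak_credential(user, pw):
            findings.append(f"guessable credential for {user}")
    if h.os in EOL_OS:
        findings.append(f"{h.os} cannot receive security updates")
    if not h.remote_allowlist:
        findings.append("third-party access not restricted to specified IPs")
    if h.file_hashes & PRIOR_INTRUSION_HASHES:
        findings.append("malware from a previous intrusion present")
    return findings


def unknown_hosts(inventory, observed):
    """Hosts seen connecting to sensitive servers that the inventory does not know about."""
    return sorted(set(observed) - {h.name for h in inventory})


# Constructed sample fleet: one property server configured as pleaded, one hardened.
INVENTORY = [
    Host("pms-hotel-01", "Windows Server 2003", False, {"admin": "admin"},
         ["guest=J. Doe card=4111 1111 1111 1111 exp=12/14",
          "confirmation=1234567890123456"],       # Luhn-invalid, so not flagged as a card
         [], {"3b7d" * 16}),
    Host("pms-hotel-02", "Windows Server 2012", True, {"svc_pms": "Kx9#mVp2qL4wZ7"},
         ["guest=J. Doe token=tok_c41d9e"], ["203.0.113.10/32"]),
]
OBSERVED = ["pms-hotel-01", "pms-hotel-02", "laptop-unknown-7"]   # constructed connection summary


def run_audit(inventory=INVENTORY, observed=OBSERVED):
    report = {h.name: audit_host(h) for h in inventory}
    report["not in inventory"] = unknown_hosts(inventory, observed)
    return report


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, findings)
```

Run as-is it reports six findings for the first host, none for the second, and one device that reached the sensitive servers without appearing in the inventory. In practice the record scan would run against real database exports and file shares, the allowlist would be read from firewall rules, and the hash set would come from the incident reports of earlier intrusions; the structure of the checks is the point.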
WHAT THE COURT SAID
Wyndham brought a wide-ranging threshold challenge to the FTC’s case, arguing, among other things, that the FTC lacks any authority to regulate data security and, in the alternative, that any enforcement action must be preceded by clearer Commission statements of the applicable standards of conduct.
Judge Esther Salas of the District of New Jersey ruled for the FTC across the board, denying Wyndham’s motion to dismiss. Judge Salas held that the FTC’s allegations of security shortfalls by Wyndham, together with the FTC’s claim that consumers had suffered actual financial loss resulting from the misuse of their data, were sufficient to state a claim under Section 5 of the FTC Act.
PRACTICAL TAKEAWAYS FOR CORPORATE AMERICA
- Dog bites man — that is, not much news here, at least as far as the scope of FTC’s authority is concerned. Unfairness and deception are big, flexible legal doctrines that the FTC has been deploying for a century across countless industries and evolving technologies. It is no surprise to see a single district judge being reluctant to embrace Wyndham’s aggressive argument for fencing the FTC out of perhaps the hottest area of modern consumer protection law.
- Don’t expect the FTC on your doorstep just because you’ve been hacked. Not only did Judge Salas explicitly observe that she was not giving the FTC “a blank check,” but as a practical matter the Commission can be expected to devote its limited resources to the biggest and sexiest cases. The Commission has confirmed it is investigating Target, for example. Keep in mind though, that, just as the FTC Act makes “unfair” and “deceptive” conduct illegal, so do equivalent state laws across the country. There are 50 state attorneys general, and innumerable plaintiffs’ class-action lawyers, who can be expected to press the case that corporations experiencing future breaches were not just victims, but fell short in an affirmative duty to prevent the breach.
- Constantly updating your company’s data security measures should be seen as a matter of legal obligation. Chalk up a potentially important win here for the view that the failure to keep data security measures up to snuff is substantively “unfair” and therefore illegal. That view is hardly well-settled in the law, but it gains a bit of a toehold with this decision. So take a look at that list of technical faults pled by the FTC against Wyndham. Internal lawyers should get under the hood and make sure your IT group is doing better than that, and continues to do better as threats evolve.