In a highly anticipated cybersecurity decision, a federal appeals panel confirmed last week that the Federal Trade Commission (FTC) can bring enforcement actions against a company that suffers from a data breach if the company failed to take steps to adequately safeguard consumer data.
The FTC, the government’s consumer watchdog with broad enforcement powers to stop “unfair” or “deceptive” business acts or practices under Section 5 of the Federal Trade Commission Act (codified at 15 U.S.C. § 45), has settled charges against companies for weak security standards since at least 2005, but it had never faced a serious court challenge.
The case decided last week involved the hotel chain Wyndham Worldwide Corp., which suffered a series of three data breaches in 2008 and 2009 that the FTC alleges exposed payment card information on over 619,000 consumers and resulted in an estimated $10.6 million in fraud loss. The FTC alleges that even after the first breach, Wyndham “still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures.”
A central part of the FTC’s complaint said that Wyndham’s conduct was “unfair,” a term the FTC uses to identify practices that cause or are likely to cause substantial injury to consumers, including financial harm. Wyndham responded by arguing that a business “does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.”
But on Monday, a three-judge panel of the United States Court of Appeals for the Third Circuit affirmed the FTC’s case. The Court deferred to the FTC and agreed that conduct, such as failing to implement sufficient security standards, can be unfair even before any consumer injury occurs. The Court also pointed out that even if a company’s weak security safeguards are not the most immediate cause of harm to a consumer – after all, the hacker who breached the company’s database is also at fault – the company still faces liability for foreseeable harm.
The decision put in the spotlight what the FTC has been saying all along: companies handling consumer information must take steps to secure that information. Wyndham failed to do so here by making these mistakes:
- Stored payment card information in clear, readable text
- Protected sensitive databases and networks with weak or default passwords
- Lacked firewalls to limit access between internal networks and the Internet
- Used out-of-date technology
- Did not adequately restrict third-party vendors’ access to its network and servers
Finally, this ruling may embolden the Federal Communications Commission’s (FCC) Enforcement Bureau to investigate data security breaches by telecommunications carriers, which now include broadband Internet access service (BIAS) providers. Because the FCC’s Open Internet Order extended Section 222 to BIAS providers, Internet access providers are now subject to the FCC’s consumer privacy protections; however, the FCC did not extend its existing Section 222 rules to BIAS providers because it said those rules are tailored too specifically to traditional telephone providers.
As we’ve noted, this puts BIAS providers in a precarious position, at least until the FCC adopts new rules to govern the treatment of consumer information by BIAS providers. The Enforcement Bureau has said that it will enforce the statutory language of Section 222, which leaves BIAS providers to struggle with the broad statutory language without the guidance provided by accompanying rules. Section 222 requires telecommunications carriers “to protect the confidentiality of proprietary information” of their customers. And, recently, the FCC has shown its willingness to construe its authority broadly under Section 222.
As the Wyndham case suggests, businesses that fail to protect their data and then suffer from a data breach can expect the FTC (or FCC for telecommunications carriers) to investigate. Today, with an unprecedented number of threats and with data breaches in the news almost monthly, companies should consider reviewing their own security safeguards to ensure they meet industry best practices.
If you have any questions about your business’s cybersecurity policy or plan, please contact Linda McReynolds, email@example.com – 703-714-1318.