BreachExchange mailing list archives
FTC Sees Potential Liability for Corporate Data Breaches
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 14 Sep 2015 18:14:35 -0600
http://www.dailybusinessreview.com/id=1202737099279/FTC-Sees-Potential-Liability-for-Corporate-Data-Breaches?slreturn=20150814170832

The U.S. Court of Appeals for the Third Circuit has given the Federal Trade Commission a substantial victory in its recent decision, FTC v. Wyndham Worldwide. Not only does the individual suit against Wyndham proceed, but the FTC's authority to police cybersecurity standards has received its strongest endorsement to date. While there may have been doubt as to the full scope of the FTC's "unfair practices" power to penalize businesses that suffered a data breach, those doubts have been put to rest in the absence of congressional action or U.S. Supreme Court intervention.

FTC v. Wyndham revolves around three data breaches perpetrated against Wyndham and its franchised hotel properties over the course of two years. In April 2008, hackers first broke into the local network of a Wyndham hotel in Phoenix, which was connected to Wyndham's network. The hackers used what the Third Circuit called the "brute force method — repeatedly guessing users' login IDs and passwords" by which they gained access to an administrator account on Wyndham's network. At that point, they accessed consumer data on computers throughout the network, including data for 500,000 payment accounts. According to the FTC, the hackers used this initial data breach as the starting point for two further hacks in 2008 and 2009, which ultimately resulted in over 600,000 consumers' data being accessed with over $10.6 million in damages suffered.

When the FTC brought suit in the District of New Jersey, it asserted jurisdiction under the Federal Trade Commission Act, which empowers the FTC to sue businesses that engage in unfair practices. Wyndham moved to dismiss, contending that there was no unfair practice — after all, Wyndham itself was the victim of illegal conduct.
When the district court denied the motion to dismiss, Wyndham moved for interlocutory certification, which the Third Circuit granted.

Unfair Methods

The court first took up the question of whether the FTC Act authorized the commission to bring the suit because it was unclear whether a data breach was an "unfair method of competition in commerce." The court embarked on a thorough discussion of the FTC's application of the "unfairness" aspect of its charter, concluding that where there was substantial injury to consumers, the commission likely had the right to file a civil complaint. Specifically, the court found that where the injury to customers was reasonably foreseeable and reasonably avoidable, then it may constitute an unfair method of competition to not take steps to prevent harm. Importantly, the court emphasized that Wyndham had been hacked three separate times, despite making substantial promises to customers about the safety of their personal and financial data. In addition, the court noted that there was no "fair notice" problem with the FTC announcing a new interpretation of unfair methods because Wyndham knew (certainly by the second time it was hacked) that it lacked adequate security protocols, and the FTC had long provided the kind of guidance necessary to establish minimum data security standards.

The Fallout

While the facts of this case may seem unique, the ruling will have far-reaching consequences. First, it establishes the FTC as the primary enforcer of data security. Other agencies have tried to play a role in this area (notably the FCC), but the Wyndham case gives the FTC pride of place as the primary regulatory body overseeing the consequences of data insecurity. Second, the case underlines the tension between business simplicity and security. Simple passwords and easy access to networks may facilitate faster work by employees, but they also make hacking much simpler.
In order to strike the right balance between efficiency and security, businesses will have to craft data security systems that are both manageable for employees who lack a technological bent and present a sufficiently high barrier to hackers.

Finally, the case provides a rubric for future complaints by the FTC against companies that suffered a data breach — and a road map for businesses that want to avoid such a lawsuit. Had Wyndham employed the kind of security protocols laid out by the FTC in its published guidelines, it likely would have avoided some of the data security problems it faced in 2008-2009. More concretely, following the FTC's lead in establishing adequate security policies and procedures would have given Wyndham more credibility when it argued that it was the victim rather than the perpetrator of an unfair act. The case also makes clear that taking aggressive action in the wake of a data breach is a must-do for businesses that want to avoid a regulatory action. The FTC has put businesses on notice that without a robust data security plan and swift response, they may face litigation in the wake of a data breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com