BreachExchange mailing list archives

Court to Review FTC's Security Authority


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 4 Aug 2014 19:31:54 -0600

http://www.databreachtoday.com/court-to-review-ftcs-security-authority-a-7150


The U.S. Court of Appeals for the Third Circuit has agreed to hear Wyndham
Worldwide's appeal regarding what authority the Federal Trade Commission
has over corporate data security. The dispute stems from a suit the FTC
brought against the hotel chain following three breaches that exposed
stored payment card details for nearly 670,000 accounts (see: FTC Sues
Hotel Chain for Card Breaches).

The appellate court has not yet scheduled a hearing.

"We are pleased that the United States Court of Appeals for the Third
Circuit has granted an appeal in this case," a spokesperson for Wyndham
Worldwide tells Information Security Media Group. "We continue to believe
that the FTC lacks the authority to regulate data security and has failed
to provide any standards by which it is attempting to hold companies
accountable. A number of other organizations in the business and data
privacy communities have expressed their support for our position, which we
will continue to defend vigorously."

The FTC also is facing Congressional scrutiny of its data security
enforcement activities. At a recent hearing, a House panel reviewed FTC
investigations in the healthcare arena (see: Examining FTC's Data Security
Enforcement).

The appellate court's decision to hear the Wyndham Worldwide case
highlights the importance of the issues involved for "virtually every
business," says Christin McMeley, partner in the privacy and security
practice at law firm Davis Wright Tremaine. The case "raises very
legitimate questions about the FTC's authority to regulate at all in this
space, and, if it does have such authority, whether the commission should
establish clear security standards through a rulemaking process versus
through enforcement."

Two Key Questions

Wyndham Worldwide, in its petition for appeal, is seeking to answer two
questions: whether Section 5 of the Federal Trade Commission Act grants the
FTC general authority over corporate data security; and whether the FTC has
provided adequate notice of what Section 5 requires with respect to
corporate data security.

"If ever a case warranted ... appellate review, this is it," Wyndham said
in its petition. "This case presents important questions of first
impression about the scope of a federal agency's authority to regulate a
vast sector of the American economy and the extent to which such regulation
comports with fundamental principles of fair notice and due process."

The FTC also welcomed the appellate court's decision to hear Wyndham's
appeal. "In the FTC's longstanding view, it has ample authority to proceed
against companies for unreasonable data-security practices that harm
consumers," a spokesperson said. "We agreed to immediate appellate review
of the district court's decision upholding that authority because the
public would benefit from a prompt appellate decision removing the legal
uncertainty that Wyndham is attempting to generate over that authority to
protect consumers."

The appeal follows an April 7 federal district court ruling denying
Wyndham's motion to dismiss the FTC lawsuit. That court determined that the
commission has authority under the FTC Act to bring an enforcement action
against Wyndham to remedy its "unreasonable" data security
practices, Bloomberg BNA reported.

Wyndham Breaches, Lawsuit

The FTC claimed in a 2012 statement that Wyndham's alleged security gaps
allowed hackers to infiltrate the hotel chain's network on three separate
occasions in less than two years and export card details. The exported data
was traced to an Internet domain address registered in Russia.

Wyndham-branded hotels use property management computer systems that handle
card transactions and store information, such as card account numbers,
expiration dates and security codes, according to the FTC. The FTC alleges
millions of dollars in fraud losses resulted from the three breaches, which
are believed to have occurred in 2008 and 2009.

The FTC claims Wyndham and its subsidiaries failed to implement standard
security measures, such as complex user IDs and passwords, firewalls and
network segmentation between the hotels and the corporate network.
Additionally, the FTC says improper software configurations at the hotel
chain and its subsidiaries resulted in sensitive card information being
stored in clear, readable text. Storing that data in clear text violates
the Payment Card Industry Data Security Standard, the FTC notes.
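The cleartext storage the FTC describes is the kind of thing an operator can check for before a regulator or an attacker does. The following is an added example, not code from the article, the FTC or Wyndham, and the export layout, column names and test card numbers in it are constructed assumptions: it scans a CSV export for Luhn-valid card numbers, reports whether a security code is stored next to them, and shows the hardened form that keeps only the last four digits and drops the security code.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of a property-management export (assumption: the page
# describes no actual file format). The card numbers are industry test
# numbers, not real accounts.
SAMPLE_EXPORT = """\
guest_id,name,pan,exp,cvv,folio
1001,J. Doe,4111111111111111,12/2015,123,55.00
1002,A. Roe,1234567890123456,01/2016,999,80.00
1003,B. Poe,3782 822463 10005,06/2015,4321,120.00
1004,C. Loe,tok_9f8e7d6c5b,11/2016,,64.00
"""

# 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Column names (assumed) under which a security code is typically stored.
CVV_COLUMN = re.compile(r"^(cvv2?|cvc2?|cid|security[_ ]?code)$", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out folio numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    row: int            # 1-based data row in the export
    column: str
    masked_pan: str     # first six / last four, the most PCI DSS allows to show
    cvv_present: bool   # a security code is stored alongside the PAN


def find_cleartext_pans(export_text: str) -> list[Finding]:
    """Report every Luhn-valid card number stored in clear text."""
    findings = []
    reader = csv.DictReader(io.StringIO(export_text))
    cvv_cols = [c for c in reader.fieldnames if CVV_COLUMN.match(c)]
    for row_no, row in enumerate(reader, start=1):
        cvv_present = any((row.get(c) or "").strip() for c in cvv_cols)
        for column, value in row.items():
            for m in PAN_CANDIDATE.finditer(value or ""):
                digits = re.sub(r"[ -]", "", m.group())
                if luhn_ok(digits):
                    masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                    findings.append(Finding(row_no, column, masked, cvv_present))
    return findings


def _truncate_pan(m: re.Match) -> str:
    digits = re.sub(r"[ -]", "", m.group())
    if not luhn_ok(digits):
        return m.group()  # not a card number; leave untouched
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_export(export_text: str) -> str:
    """Hardened form: keep only the last four of any PAN, drop security codes."""
    reader = csv.DictReader(io.StringIO(export_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        for column, value in row.items():
            if CVV_COLUMN.match(column):
                row[column] = ""  # never retain the security code after authorization
            else:
                row[column] = PAN_CANDIDATE.sub(_truncate_pan, value or "")
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    for finding in find_cleartext_pans(SAMPLE_EXPORT):
        print(finding)
    print(sanitize_export(SAMPLE_EXPORT))
```

Run against the constructed sample, the scanner flags rows 1 and 3 (both with a security code stored beside the card number), skips row 2 because the digit run fails the Luhn check, and ignores the tokenized row 4; scanning the sanitized output again produces no findings. The Luhn filter is what keeps the check usable on real exports, where folio numbers and timestamps would otherwise swamp the results.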

Healthcare Cases

At a July 24 hearing, members of the House Committee on Oversight and
Government Reform considered the issue of whether the FTC was acting
appropriately in its recent investigations of alleged healthcare data
breaches.

"Safeguards are needed for how FTC looks at allegations" of unfair business
practices involving data security, Committee Chairman Darrell Issa,
R-Calif., said at the hearing. "Cybersecurity is not a hard science, you
can be sure."

Testifying at the hearing was Michael Daugherty, CEO of LabMD, an
Atlanta-based medical lab testing firm that, like Wyndham Worldwide, is
embroiled in an ongoing dispute with the FTC over its data security
practices. The FTC has been pursuing an enforcement action against LabMD
for alleged unfair business practices related to two separate data
security incidents.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
