BreachExchange mailing list archives

FTC Sees Potential Liability for Corporate Data Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 14 Sep 2015 18:14:35 -0600

http://www.dailybusinessreview.com/id=1202737099279/FTC-Sees-Potential-Liability-for-Corporate-Data-Breaches?slreturn=20150814170832

The U.S. Court of Appeals for the Third Circuit has given the Federal Trade
Commission a substantial victory in its recent decision, FTC v. Wyndham
Worldwide. Not only does the individual suit against Wyndham proceed, but
the FTC's authority to police cybersecurity standards has received its
strongest endorsement to date.

While there may have been doubt as to the full scope of the FTC's "unfair
practices" power to penalize businesses that suffered a data breach, those
doubts have been put to rest in the absence of congressional action or U.S.
Supreme Court intervention.

FTC v. Wyndham revolves around three data breaches perpetrated against
Wyndham and its franchised hotel properties over the course of two years.
In April 2008, hackers first broke into the local network of a Wyndham
hotel in Phoenix, which was connected to Wyndham's network. The hackers
used what the Third Circuit called the "brute force method — repeatedly
guessing users' login IDs and passwords" by which they gained access to an
administrator account on Wyndham's network. At that point, they accessed
consumer data on computers throughout the network, including data for
500,000 payment accounts. According to the FTC, the hackers used this
initial data breach as the starting point for two further hacks in 2008 and
2009, which ultimately resulted in over 600,000 consumers' data being
accessed with over $10.6 million in damages suffered.

When the FTC brought suit in the District of New Jersey, it asserted
jurisdiction under the Federal Trade Commission Act, which empowers the FTC
to sue businesses that engage in unfair practices. Wyndham moved to
dismiss, contending that there was no unfair practice — after all, Wyndham
itself was the victim of illegal conduct. When the district court denied
the motion to dismiss, Wyndham moved for interlocutory certification, which
the Third Circuit granted.

Unfair Methods

The court first took up the question of whether the FTC Act authorized the
commission to bring the suit because it was unclear whether a data breach
was an "unfair method of competition in commerce." The court embarked on a
thorough discussion of the FTC's application of the "unfairness" aspect of
its charter, concluding that where there was substantial injury to
consumers, the commission likely had the right to file a civil complaint.

Specifically, the court found that where the injury to customers was
reasonably foreseeable and reasonably avoidable, then it may constitute an
unfair method of competition to not take steps to prevent harm.
Importantly, the court emphasized that Wyndham had been hacked three
separate times, despite making substantial promises to customers about the
safety of their personal and financial data.

In addition, the court noted that there was no "fair notice" problem with
the FTC announcing a new interpretation of unfair methods because Wyndham
knew (certainly by the second time it was hacked) that it lacked adequate
security protocols, and the FTC had long provided the kind of guidance
necessary to establish minimum data security standards.

The Fallout

While the facts of this case may seem unique, the ruling will have
far-reaching consequences. First, it establishes the FTC as the primary
enforcer of data security. Other agencies have tried to play a role in this
area (notably the FCC), but the Wyndham case gives the FTC pride of place
as the primary regulatory body overseeing the consequences of data
insecurity.

Second, the case underlines the tension between business simplicity and
security. Simple passwords and easy access to networks may facilitate
faster work by employees, but they also make hacking much simpler. In order
to strike the right balance between efficiency and security, businesses
will have to craft data security systems that are manageable for employees
who lack a technological bent yet still present a sufficiently high barrier
to hackers.

Finally, the case provides a rubric for future complaints by the FTC
against companies that suffered a data breach — and a road map for
businesses that want to avoid such a lawsuit. Had Wyndham employed the kind
of security protocols laid out by the FTC in its published guidelines, it
likely would have avoided some of the data security problems it faced in
2008-2009.

More concretely, following the FTC's lead in establishing adequate security
policies and procedures would have given Wyndham more credibility when it
argued that it was the victim rather than the perpetrator of an unfair act.

The case also makes clear that taking aggressive action in the wake of a
data breach is a must-do for businesses that want to avoid a regulatory
action. The FTC has put businesses on notice that without a robust data
security plan and swift response, they may face litigation in the wake of a
data breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
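The intrusion the article describes began with repeated guessing of login IDs and passwords until an administrator account fell, and the article's later point is that weak credentials make exactly that attack cheap. The following Python is an added example, not part of the article or of this list message, showing the check a detection engineer would want over authentication logs for that pattern: a sliding-window count of failed logins per source address and per target account, and a second alert when a source or account that has already been flagged then logs in successfully (the point at which guessing has become a compromise). The log format, timestamps, addresses, user names and thresholds are all constructed for the example.

```python
"""Brute-force credential-guessing detector over constructed auth log lines.

Two signals are raised:
  * brute_force_src / brute_force_user: a source address, or a target
    account, exceeds FAIL_THRESHOLD failed logins inside WINDOW.  Counting
    per account as well as per source catches guessing spread across many
    addresses, which a per-source lockout alone would miss.
  * success_after_guessing: a successful login involving a source or
    account that was already flagged.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log (illustrative format and addresses, not real data).
SAMPLE_LOG = """\
2008-04-02T01:12:03 auth: FAIL user=admin src=203.0.113.7
2008-04-02T01:12:04 auth: FAIL user=admin src=203.0.113.7
2008-04-02T01:12:05 auth: FAIL user=jsmith src=203.0.113.7
2008-04-02T01:12:06 auth: FAIL user=admin src=203.0.113.7
2008-04-02T01:12:07 auth: FAIL user=root src=203.0.113.7
2008-04-02T01:12:09 auth: OK user=admin src=203.0.113.7
2008-04-02T01:15:00 auth: FAIL user=mlee src=198.51.100.4
2008-04-02T01:40:00 auth: OK user=mlee src=198.51.100.4
2008-04-02T02:00:00 auth: FAIL user=admin src=192.0.2.10
2008-04-02T02:00:10 auth: FAIL user=admin src=192.0.2.11
2008-04-02T02:00:20 auth: FAIL user=admin src=192.0.2.12
2008-04-02T02:00:30 auth: FAIL user=admin src=192.0.2.13
2008-04-02T02:00:40 auth: FAIL user=admin src=192.0.2.14
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5               # assumed policy value, tune per environment
WINDOW = timedelta(seconds=60)   # assumed sliding window


def parse_line(line):
    """Return (timestamp, result, user, src) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect(log_text, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Scan log lines in order and return a list of alert dicts."""
    # ("src", ip) or ("user", name) -> timestamps of failures inside the window
    recent = defaultdict(deque)
    flagged = set()      # keys already alerted on; kept for the whole scan
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue     # a real pipeline would count unparseable lines too
        ts, result, user, src = rec
        keys = (("src", src), ("user", user))
        # Drop failures that have aged out of the window for both keys.
        for key in keys:
            q = recent[key]
            while q and ts - q[0] > window:
                q.popleft()
        if result == "FAIL":
            for key in keys:
                recent[key].append(ts)
                if len(recent[key]) >= fail_threshold and key not in flagged:
                    flagged.add(key)
                    alerts.append({"kind": "brute_force_" + key[0],
                                   "src": src, "user": user, "ts": ts})
        elif any(k in flagged for k in keys):
            # Guessing succeeded: the highest-priority signal here.
            alerts.append({"kind": "success_after_guessing",
                           "src": src, "user": user, "ts": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["kind"], "src=" + a["src"], "user=" + a["user"])
```

On the sample, the single source 203.0.113.7 is flagged on its fifth failure and its subsequent successful login as admin is reported as success_after_guessing; the later burst against admin from five different addresses never trips the per-source count but does trip the per-account count. A production version would also expire flagged keys, feed the alert into an account lockout or step-up authentication, and treat the success alert as an incident rather than a notification.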
