BreachExchange mailing list archives

Wyndham Case May Mean Uncertainty for New Payment Providers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 17 Sep 2015 19:16:51 -0600

http://www.bna.com/wyndham-case-may-n17179936196/

Wyndham Hotels & Resorts LLC’s appeal of a Federal Trade Commission (FTC)
complaint against the hotel chain for alleged lax data protection practices
is being watched closely by banking officials who say it could lead to
uncertainty over cybersecurity regulations for emerging technologies such
as mobile wallets and digital payments.

The case could also lead to uncertainty for banks and other financial
institutions should Congress apply a proposed national data security
standard to banks, said Scott Talbott, senior vice president of government
affairs for the Electronic Transactions Association. Banks would be
exempted from any new national standard because they are currently subject
to Gramm-Leach-Bliley data security and notification requirements. But
retailers are pushing for the removal of the exemption, potentially making
them subject to a national standard that would be enforced by the FTC.

The U.S. Court of Appeals for the Third Circuit on Aug. 24 affirmed the
FTC’s authority to sanction businesses for “unfair” business practices
based on unreasonably weak data security practices (FTC v. Wyndham
Worldwide Corp., 3d Cir., No. 14-3514, 8/24/15). According to the FTC,
Wyndham’s procedures contributed to three breaches that gave hackers access
to the payment card information of more than 619,000 consumers, resulting
in at least $10.6 million in fraudulent transactions.

The court, in denying Wyndham’s motion to dismiss the case, ruled the FTC
did not necessarily need to say in advance what businesses are required to
do to protect data, legal experts told Bloomberg BNA. That gives the agency
wide authority to determine what exactly constitutes an unfair practice and
creates uncertainty for businesses about what they're supposed to do.

At a minimum, “the court said you’re on notice as to what sorts of things
would be unfair,” Glen Kopp, former assistant U.S. Attorney in the Southern
District of New York, and now a partner with Bracewell & Giuliani LLP, told
Bloomberg BNA. “But the FTC did not define the outer limits of what they’ll
consider unfair.”

The court decision “does not require the FTC to provide ‘ascertainable
certainty’ as to how it will determine reasonable security practices or the
conduct that will trigger enforcement actions, outside of egregious
circumstances,” Christin McMeley, chair of Davis Wright Tremaine LLP’s
privacy and security practice, told Bloomberg BNA in an e-mail.

In the absence of a national data security standard, the ruling could leave
some alternative payment and mobile payment providers not covered by the
Gramm-Leach-Bliley Act cybersecurity requirements, uncertain of which
practices could run them afoul of the FTC, Talbott said.

Talbott, whose association includes alternative payment providers such as
PayPal and Google, declined to detail specific companies that could be
impacted. A number of non-banking companies, including PayPal and Prosper,
did not respond to e-mails seeking comment.

The case's full impact will ultimately depend on what happens next. The
federal court did not address whether Wyndham's practices were unfair,
ruling only whether the case should be thrown out because the FTC had not
given proper notice of the possibility of sanctions by laying out what was
required. The question of whether Wyndham’s practices were insufficient
will now be considered by the U.S. District Court for the District of New
Jersey, unless the case is settled. Wyndham attorneys did not respond to a
request for comment.

Implications For Banks

On the surface, the case does not affect banks and other financial
institutions covered under Gramm-Leach-Bliley, attorneys and banking
officials said. But it someday could.

The case comes as several data security bills in Congress propose creating
a national standard, with some requiring businesses to take “reasonable
measures,” while others simply require creating and implementing a plan.
Whether businesses meet the requirements would be interpreted and enforced by
the FTC, a Senate aide said.

The bills for now exempt those subject to Gramm-Leach-Bliley from the
standard, but the National Retail Federation is pushing for the exemption
to be removed, subjecting financial institutions to current regulations
plus a national standard. The uncertainty of the Wyndham case only “raises
the stakes” on preserving the Gramm-Leach-Bliley exemption, Talbott said.

“Why should financial institutions have to live by two sets of rules?”
American Bankers Association senior vice president and senior advisor for
risk management policy, Doug Johnson, told Bloomberg BNA Sept. 10.

But in pushing for the elimination of the Gramm-Leach-Bliley exemption,
National Retail Federation senior vice president and general counsel
Mallory Duncan told members of the Senate Commerce Committee Feb. 5,
“Exemptions for particular industry sectors not only ignore the scope of
the problem but create risks criminals can exploit.”

Unfair Practice

In ruling against Wyndham, the circuit court found that even if the FTC
hadn’t laid out its requirements, the Federal Trade Commission Act allows
the agency to take action against an “unfair practice,” defined as one
causing substantial injury to customers that’s not outweighed by any
benefits to customers or to competition.

According to the court decision, Wyndham hotels were hacked three times in
2008 and 2009, beginning with the network of a hotel in Phoenix, in which
hackers were able to obtain unencrypted information for more than 500,000
accounts, which they sent to a domain in Russia.

In the second cyberattack, in March 2009, hackers used the same malware as
in the first attack, the FTC said. The second attack was also not
discovered by Wyndham for two months, until customers began filing
complaints about fraudulent charges, the agency said. Because Wyndham had
not monitored its network for the malware used in the first attack,
“hackers had unauthorized access to [its] network for approximately two
months,” the FTC’s complaint against Wyndham said.

In the third attack, hackers were able to gain access to the networks of
multiple Wyndham hotels after accessing one of them, because the company
hadn’t walled off access between the hotels, the FTC said. As a result, the
FTC said hackers obtained payment card information for an additional 69,000
customers at 28 hotels. Wyndham’s failure to take a number of
steps—including not following proper incident response procedures by
monitoring for the malware used in the first attack, and not using readily
available security measures such as firewalls between the hotel
networks—constituted an “unfair practice.” The FTC also said Wyndham stored
payment card information in clear readable text, and allowed the use of
easily guessed passwords.

Despite the absence of clear requirements, “it should have been painfully
clear to Wyndham” that a court could find its conduct as unfair under the
FTC Act, particularly after the hotel chain was breached a second time, the
circuit court said.

Questions Remain

While the circuit court suggested Wyndham was on clear notice that its
practices could be deemed unfair, how the standard will be applied in other
contexts remains an open question, said Janis Kestenbaum, a former FTC
senior legal advisor who is now a partner with Perkins Coie LLP.

“What ‘unfair’ cybersecurity will mean in any given case is a big question.
There is a lot of uncertainty,” Kestenbaum said.

The FTC also tends to act on a case-by-case basis, she said. However, it's
unlikely the agency will require more than the regulations created to
implement Gramm-Leach-Bliley, because the agency tends to point to those
rules in cybersecurity cases, Kestenbaum said.

In the ever-changing cybersecurity world, it will be difficult to lay out
specific requirements, Craig Carpenter, a member of Thompson & Knight LLP’s
data privacy and cybersecurity team, told Bloomberg BNA.

“It would be difficult to develop and implement a ‘standard’ for data
security that has any more specificity than the Court’s analysis in this
opinion,” he said. “The opinion shows that the Court is comfortable” with
using the definition of an unfair practice “as an appropriate measuring
stick for security standards.”

McMeley, though, said it’s important for regulatory agencies to give
businesses a clear idea of what’s expected, given the potential civil
penalties and reputational harm that is at stake. For now, the FCC appears
to be focusing on the most “egregious” cases to make examples of bad
practices, she wrote in a Sept. 9 Bloomberg BNA Insights piece. “But when
do political pressures dictate that other, more borderline cases, be taken
by the FCC or another agency?”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss