The Federal Trade Commission’s authority to enforce cybersecurity in the U.S.

FTC v. Wyndham put the enforcement of cybersecurity in the United States in the hands of the Federal Trade Commission. The Third Circuit of the United States Court of Appeals held that the FTC could proceed with its claim that Wyndham violated the FTC Act by deceiving its customers about its cybersecurity measures. Following a series of data breaches of Wyndham’s systems, thousands of Wyndham guests suffered fraudulent financial charges. The FTC then brought suit against Wyndham. In the end, the Third Circuit ruled that the FTC’s power to regulate unfair and deceptive practices extends to cybersecurity.

An overview

Wyndham is a company running hotels throughout the U.S. At the time of the breaches, each hotel was connected to a property management system that processed sensitive guest information; this information comprised “names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes.”* Starting in April 2008, attackers broke into the local network of a Wyndham hotel located in Phoenix, Arizona. That network, like those of the other hotels, was connected to the central hub of Wyndham’s property management system. The attackers used brute-force methods—i.e., “repeatedly guessing users’ login IDs and passwords”*—to access an administrator account on Wyndham’s network. With that account, the attackers were able to steal unencrypted information for “over 500,000 accounts, which they [then] sent to a domain in Russia.”*

In March 2009, Wyndham suffered another attack. This time, the attackers easily accessed Wyndham’s network with the administrator account they had previously obtained and stole thousands of unencrypted payment card records. Wyndham’s network was breached yet again later in 2009. The attackers accessed even more payment card data, stealing the information of “approximately 69,000 customers from the property management systems of 28 hotels.”* Wyndham did not learn about these incidents until January 2010, when a credit card company received many complaints from cardholders about fraudulent charges.

Following these fraudulent charges, the FTC brought suit against Wyndham alleging, among other things, that Wyndham:

  1. engaged in unfair and deceptive practices by allowing its hotels to store payment card information in unencrypted form,
  2. did not monitor its network for malware,
  3. allowed easy access to its passwords,
  4. did not employ reasonable security measures like firewalls, and
  5. failed to restrict unauthorized access to its networks.

Because 619,000 customers were affected, the resulting fraudulent charges led to a loss of 10.6 million USD. The FTC further argued that the customers suffered financial injury by expending time and effort to resolve these issues.

So the FTC can regulate cybersecurity now?

Section 5* of the FTC Act gives the FTC broad power to prevent unfair or deceptive trade practices. Wyndham disputed whether this power applied to cybersecurity practices at all. It also argued that, even if the FTC did have the authority, Wyndham was not given fair notice that its cybersecurity measures fell short of the FTC’s standards, as required by Due Process.* Wyndham claimed that practices are “unfair” only if they are marked by injustice, partiality, or deception,* and reasoned that its own conduct could not be unfair because it had followed its own privacy policy. The Third Circuit disagreed: a “company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”*

Wyndham also argued that it had not received notice of what specific cybersecurity practices were necessary to avoid liability. The court countered that “[f]air notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.”* In fact, the FTC had previously advised businesses on how to establish security practices: in 2007, it published a guidebook called “Protecting Personal Information: A Guide for Business,” which contained several recommendations for basic security measures. The guidebook “described a data security plan ‘checklist’ for companies to follow. The guidebook encouraged practices like data encryption, strong passwords, and the use of firewalls that Wyndham failed to implement; the guidebook therefore could have helped Wyndham determine in advance that the FTC would view its data security measures as inadequate.”*

The court’s holding

In the end, the Third Circuit held that the FTC indeed has the power to regulate data security through the “unfair” and “deceptive” practices provisions of § 5.* It is this power that gives the FTC the authority to enforce data security practices in the U.S., and it was confirmed by the courts only in 2015. It is a new power, but not one that has dwindled. Breaches came long before Wyndham, they have come in the years since, and they will continue to come; the FTC will continue enforcing basic security standards whenever it can. ❖

Works cited