The Federal Trade Commission’s authority to enforce cybersecurity in the U.S.
FTC v. Wyndham placed the power to enforce cybersecurity in the United States in the hands of the Federal Trade Commission. The Third Circuit of the United States Court of Appeals held that Wyndham violated the FTC Act when it deceived its customers about its cybersecurity measures. Following a number of data breaches against Wyndham’s systems, thousands of Wyndham guests suffered fraudulent financial charges. The FTC then brought suit against Wyndham. In the end, the Third Circuit ruled that the FTCʼs power to regulate unfair and deceptive practices extends to cybersecurity.
Wyndham is a company running hotels throughout the U.S. At the time of the breaches, each hotel was part of a property management system that processed sensitive guest information; this information comprised “names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes.”* Starting in April 2008, attackers broke into the local network of a Wyndham hotel located in Phoenix, Arizona. This computer, like those in other hotels, was connected to the central hub of Wyndham’s property management system. The attackers used brute-force methods—i.e., “repeatedly guessing user’s login IDs and passwords”*—to access an administrator account on Wyndham’s network. By doing this, the attackers were able to steal unencrypted information of “over 500,000 accounts, which they [then] sent to a domain in Russia.”* In March 2009, Wyndham suffered another attack. This time, the attackers easily accessed Wyndham’s network with the administrative account they had previously obtained. They then stole thousands of unencrypted payment card records. Wyndham’s network was breached yet again later in 2009. The attackers obtained even more payment card data, stealing information of “approximately 69,000 customers from the property management systems of 28 hotels.”* Wyndham didn’t learn about these incidents until January 2010, when a credit card company received many complaints from cardholders about fraudulent charges on their accounts.
Following these fraudulent charges, the FTC brought suit against Wyndham alleging, among other things, that Wyndham:
- engaged in deceptive practices by allowing its hotels to store payment card information in unencrypted form,
- didn’t monitor its network for malware,
- allowed easy access to its passwords,
- didn’t employ reasonable security measures like firewalls, and
- failed to restrict unauthorized access to its networks.
With 619,000 customers affected, the fraudulent charges led to a loss of 10.6 million USD. As a consequence, the FTC further argued that the customers suffered financial injury by expending time and effort to resolve these issues.
So the FTC can regulate cybersecurity now?
Section 5* of the FTC Act gives the FTC broad power to prevent unfair and deceptive trade practices. Wyndham disputed whether this power applied to cybersecurity practices. It also argued that, even if the FTC did have the authority, Wyndham wasn’t given fair notice that its cybersecurity measures fell short of the
Wyndham alleged it didn’t receive notice of what specific cybersecurity practices were necessary to avoid liability. The court countered that “[f]air notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.”* In fact, the FTC had previously advised businesses on how to establish security practices: in 2007, it published a manual called “Protecting Personal Information: A Guide for Business,” which contained several recommendations for basic security measures. The guidebook “described a data security plan ‘checklist’ for companies to follow. The guidebook encouraged practices like data encryption, strong passwords, and the use of firewalls that Wyndham failed to implement; the guidebook therefore could have helped Wyndham determine in advance that the FTC would view its data security measures as inadequate.”*
The court’s holding
In the end, the Third Circuit held that the FTC indeed has the power to regulate data security through the “unfair” and “deceptive” practices definitions set out in § 5.* It is this power that gave the FTC the authority to enforce data security practices in the U.S., and it began only in 2015. It’s a new power, sure, but a power that hasn’t dwindled. Breaches came long before Wyndham, they have come in the years since, they will continue to come, and the FTC will continue enforcing basic security standards whenever possible. ❖
- Binkley, J.: “Fair notice of unfair practices: Due Process in FTC data security enforcement after Wyndham,” 31 Berkeley Tech. L.J. 1079, at 1084 (2016).*
- F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236, at (3rd Cir. 2015).*
- Hartzog, Woodrow & Solove, Daniel J.: “The scope and potential of FTC data protection,” 83 George Washington Law Review 2230 (2015).*