The United States Court of Appeals for the Third Circuit Monday found the Federal Trade Commission has the authority to bring enforcement actions against companies like Wyndham Worldwide Corporation [WYN] for inadequate consumer cybersecurity precautions.

The FTC filed suit against the company in 2012, alleging it engaged in an unfair practice and published a deceptive privacy policy in the wake of three successful hacks of Wyndham’s computer systems in 2008 and 2009. Hackers stole the personal and financial information of over 600,000 consumers of the international hospitality company, leading to over $10.6 million in fraudulent charges.


Since 2008, the company has claimed on its hotel and resort website that “We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program …”

The FTC claims Wyndham has engaged in unfair cybersecurity practices since at least April 2008 “that taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” The privacy policy misrepresented security measures the company took to protect consumer data and such unfair and deceptive security practices violated the FTC Act, the agency said.

Wyndham appealed the FTC’s right to pursue the suit. The company argued that the FTC does not have the authority to regulate cybersecurity under an unfairness regulation and that, even if it does, the company did not have fair notice its cybersecurity practices could fall short of the provision. The Appeals Court affirmed a District Court ruling dismissing the Wyndham appeal, allowing the FTC action to go forward.

“A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business,” Judge Thomas Ambro wrote in the court decision.

The court also explained that the hacking does not free Wyndham from liability for inadequate protective measures. “That a company’s conduct was not the most [original emphasis], proximate cause of an injury generally does not immunize liability from foreseeable harms.”

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information,” Federal Trade Commission Chairwoman Edith Ramirez said in a statement following the decision.


Without further congressional data breach regulation or legislation, the FTC has brought over 50 data security cases, most resulting in settlement.

The alleged lax security included: storage of payment card information in clear, readable text; use of easily guessed, simple passwords to access property management systems; failure to use readily available security measures like firewalls; failure to ensure hotels implemented adequate security policies and procedures, such as updating operating systems and disabling default user logins; failure to adequately restrict the access of third-party vendors to networks and servers; failure to employ reasonable measures to detect and prevent unauthorized access; and failure to follow proper incident response procedures.

The last allegation in particular was cited as a failure that allowed hackers to repeat similar attack methods multiple times over the attack years.

The first attack occurred in April 2008, when hackers broke into the network of a Wyndham hotel in Phoenix, Ariz., using a brute-force method to access an administrator account on the network, ultimately taking unencrypted information for over 500,000 accounts. The information was sent to a domain in Russia, the decision said.

Federal Trade Commission Chairwoman Edith Ramirez. Photo: FTC

A second attack occurred in March 2009, when hackers again used an administrative account. The FTC claims Wyndham was unaware of the hack for two months, until consumers filed complaints about fraudulent charges. The company then found the “memory-scraping malware” used in the first attack on over 30 hotels’ computer systems. The FTC alleges hackers had so much time in the network because the company failed to monitor its network for the malware used in the previous attack.

In the second attack, hackers took the payment card information of another 50,000 consumers. Hackers broke into Wyndham’s system a third time by accessing an administrator account again. The FTC alleges the company still had not adequately limited access between property management systems, the Wyndham network, and the internet so hackers gained access to the servers of several hotels.

Wyndham only learned of the attack in January 2010 when a credit card company received complaints from cardholders. The hackers ultimately stole information of a further 69,000 customers.