The FTC Flexes Its Cyber Muscles

Sept 1, 2015

In a highly anticipated decision, the United States Court of Appeals for the Third Circuit affirmed the Federal Trade Commission’s (“FTC”) authority to regulate corporate cybersecurity practices on August 24, 2015. The Court’s ruling is the latest event in an epic battle between the FTC and Wyndham Worldwide Corporation (Wyndham).

Wyndham, a hospitality giant, manages hotels and sells timeshares worldwide. Its portfolio includes three subsidiaries (Wyndham Hotel Group, Wyndham Exchange & Rentals, and Wyndham Vacation Ownership), a myriad of franchises, and at least 90 licensing agreements with independently owned hotels.

At the heart of the dispute is the Wyndham property management system, which serves both Wyndham-owned properties and franchised hotels. Each hotel connects to the property management system, hosted in Arizona, to handle customer reservations. As a result, customer information (home addresses, payment card data, and the like) is stored on that system.

Between April 2008 and late 2009, Wyndham's network suffered three large intrusions thought to be the work of Russian cyber actors. In total, these attacks exposed the data of approximately 619,000 Wyndham customers and caused at least $10.6 million in fraud losses.[1]

The first attack occurred in April 2008 and involved a Phoenix, Arizona hotel. The hackers broke into the hotel's local network, which was connected both to Wyndham's corporate network and to the Internet. They then ran a brute-force attack, repeatedly guessing usernames and passwords until they gained access to an administrator account on Wyndham's network. With administrator access, the hackers were able to pull customer information from computers throughout Wyndham's network. By the end of the attack they had taken unencrypted information for 500,000 accounts, which was then sent to a Russian domain.[2]

The second attack occurred in March 2009. Here again, the hackers gained access to Wyndham's network through an administrator account. Wyndham learned of the intrusion two months later, when it found the malware used in the first attack on the computer systems of 30 different Wyndham-branded hotels. This attack exposed the unencrypted payment card information of approximately 50,000 customers and compromised the property management systems of 39 Wyndham-branded hotels.[3]

The final attack occurred in late 2009, and for a third time the hackers gained access to Wyndham's network through an administrator account. Once again Wyndham was unaware of the intrusion until credit card companies relayed complaints from their cardholders. The third attack exposed the payment card information of 69,000 customers and compromised the property management systems of 28 Wyndham-branded hotels.[4]

In June 2012, the FTC got involved, filing a civil action against Wyndham in the U.S. District Court for the District of Arizona and alleging that "Wyndham engaged in unfair cybersecurity practices that, taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."[5] Among the allegedly lax practices the FTC cited were allowing Wyndham-branded hotels to store payment card information unencrypted; allowing property management systems to use the name of their software vendor, "micros," as both the login and the password; and failing to use firewalls to limit access between the hotels' property management systems, the corporate network, and the Internet.[6]
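The two failures the complaint describes, an administrator account taken by repeated password guessing and a vendor default ("micros"/"micros") left in place on a production system, are both cheap to detect. The script below is an added example written for this page, not code from the article, the opinion, or Wyndham; the log line format, the thresholds, and every account and password other than the "micros" pair are constructed assumptions. It flags source/account pairs that show a run of failed logins followed by a success inside a short window, and audits a list of credentials for vendor defaults, username-equals-password, and short passwords.

```python
"""Added example: brute-force detection over auth logs plus a default-credential audit.
Not from the article or the Wyndham opinion; log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (format is an assumption for this example). The first
# block mimics the April 2008 pattern: many guesses against an admin account, then success.
SAMPLE_LOG = """\
2008-04-02T03:10:01 src=198.51.100.7 user=admin result=FAIL
2008-04-02T03:10:02 src=198.51.100.7 user=admin result=FAIL
2008-04-02T03:10:03 src=198.51.100.7 user=admin result=FAIL
2008-04-02T03:10:04 src=198.51.100.7 user=admin result=FAIL
2008-04-02T03:10:05 src=198.51.100.7 user=admin result=FAIL
2008-04-02T03:10:06 src=198.51.100.7 user=admin result=FAIL
2008-04-02T03:10:07 src=198.51.100.7 user=admin result=SUCCESS
2008-04-02T09:00:00 src=10.0.5.12 user=frontdesk result=SUCCESS
2008-04-02T09:05:00 src=10.0.5.12 user=frontdesk result=FAIL
2008-04-02T09:05:30 src=10.0.5.12 user=frontdesk result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_log(text):
    """Parse log text into (timestamp, src, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return (src, user, failures) for every source/account pair that logged at least
    `threshold` failures inside `window` and then succeeded, i.e. a guess that landed."""
    hits = []
    fails = defaultdict(list)  # (src, user) -> timestamps of recent failures
    for ts, src, user, result in sorted(events):
        key = (src, user)
        if result == "FAIL":
            fails[key].append(ts)
            fails[key] = [t for t in fails[key] if ts - t <= window]  # drop stale ones
        else:
            recent = [t for t in fails[key] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append((src, user, len(recent)))
            fails[key] = []  # a success closes the sequence
    return hits


# Vendor defaults that must not survive deployment. "micros"/"micros" is the pair the
# FTC complaint cites; the other entries are placeholders for this example.
DEFAULT_CREDS = {("micros", "micros"), ("admin", "admin"), ("admin", "password")}


def weak_credentials(accounts, min_length=12):
    """accounts: iterable of (username, password) from a credential inventory.
    Returns (username, [reasons]) for each account that fails a check."""
    findings = []
    for user, pw in accounts:
        reasons = []
        if (user.lower(), pw.lower()) in DEFAULT_CREDS:
            reasons.append("vendor default")
        if user.lower() == pw.lower():
            reasons.append("password equals username")
        if len(pw) < min_length:
            reasons.append(f"shorter than {min_length} characters")
        if reasons:
            findings.append((user, reasons))
    return findings


if __name__ == "__main__":
    for src, user, n in detect_brute_force(parse_log(SAMPLE_LOG)):
        print(f"brute force: {user} from {src} succeeded after {n} failures")
    inventory = [("micros", "micros"), ("frontdesk", "Correct-Horse-Battery-9!")]
    for user, reasons in weak_credentials(inventory):
        print(f"weak credential: {user}: {', '.join(reasons)}")
```

A success reached after a burst of failures is the signal worth alerting on; a burst of failures alone is usually just a lockout policy working. The credential audit runs against an inventory of configured accounts rather than against hashes, which is how a vendor-default check is actually carried out in practice: you try the documented default and see whether it still works.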

Wyndham responded to the FTC complaint by requesting that the case be transferred to the U.S. District Court for the District of New Jersey, which the Arizona court granted. Wyndham then moved to dismiss the FTC's action, and the New Jersey court denied the motion. The court did, however, allow Wyndham to take an interlocutory appeal on the unfairness claim. The Third Circuit granted Wyndham's application for appeal and considered the following arguments:[7]

First, Wyndham contended that the FTC's claim failed to meet the plain meaning of unfairness. Under section 45(n) of the FTC Act, a practice is unfair if it causes or is likely to cause substantial injury to consumers that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition. Wyndham argued that the plain meaning of the word "unfair" requires additional factors, such as unscrupulous or unethical conduct, that are not included in the statute.

Second, Wyndham argued that later congressional acts demonstrated that cybersecurity was not within the purview of the FTC Act. Wyndham relied on three separate statutes (the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children's Online Privacy Protection Act) in which Congress expressly directed the FTC to create data security regulations. Wyndham contended that these "tailored grants of substantive authority to the FTC in the cybersecurity field would be inexplicable if the Commission already had general substantive authority over this field."

In its final argument, Wyndham contended that section 45(a) failed to provide fair notice of the prohibited conduct. More specifically, Wyndham argued it was entitled to know with "ascertainable certainty" what cybersecurity practices the FTC required under section 45(a).

In sum, Wyndham claimed that the FTC lacked statutory authority to regulate a U.S. business's cybersecurity practices, and that even if the FTC did have such authority, it had not given businesses sufficient notice of what cybersecurity standards they were expected to implement.

In deciding these questions, the Third Circuit reviewed the legislative history of the FTC Act as well as Supreme Court case law interpreting the statute. In FTC v. Bunte Bros., the Supreme Court described the term "unfair practice" as a "flexible concept with evolving content."[8] In a later decision, the Supreme Court stated that Congress "intentionally left [its] development . . . to the Commission."[9]

Based on this precedent, the Third Circuit found that the FTC does have legal authority to regulate the cybersecurity practices of corporate entities. Turning to fair notice, the Court explained that because it was interpreting section 45(a) itself rather than deferring to an FTC reading of it, "the relevant question is not whether Wyndham had fair notice of the FTC's interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires." In answering that question, the Court pointed to the FTC's guidebook on sound data security practices. While the guidebook does not state which practices section 45(a) requires, it does warn against many of the practices Wyndham was alleged to have followed.[10] The Court also looked to Wyndham's customer privacy notice, which expressly promised adherence to industry standard practices, encryption of confidential information, and firewalls, and observed that a company does not act fairly when it markets a privacy policy to attract customers and increase profits but fails to implement even the most rudimentary cybersecurity measures it promised.[11]

What Does the Third Circuit’s Decision Mean to a Company?

The Court's decision further underscores the FTC's role as one of the United States' top cyber cops for U.S. businesses. Accordingly, businesses should do the following:

1. Review and follow the FTC’s cybersecurity guidebook

The FTC has published Protecting Personal Information: A Guide for Business (the "Guidebook"), which details the elements of a "sound data security plan." Although the Guidebook's recommendations are voluntary, they should be treated as the baseline for a company's cybersecurity plan. In addition to the Guidebook, a company should adopt the security practices recommended within its own industry to produce a more tailored plan.

2. Consider the cost-benefit analysis of improving cybersecurity

A crucial part of the Third Circuit's ruling in favor of the FTC was whether the complaint plausibly alleged that Wyndham's cybersecurity practices put consumers at substantial risk of injury. To answer this question, courts perform a cost-benefit analysis: they weigh the probability and expected size of the reasonably unavoidable harms to consumers at a given level of cybersecurity against the cost to consumers of investing in stronger cybersecurity. If the avoidable harms outweigh the cost of preventing them, the company fails the analysis. Companies are not required to eliminate all risk, but suffering multiple data breaches should signal a need for stronger security. The Court gave no clear guidance on what amounts to an adequate level of cybersecurity, but it did highlight several low-cost improvements (e.g. firewalls, encryption of customer files, software patches, and strong passwords).

3. Post an accurate privacy policy

A company must ensure that its privacy policy matches its actual cybersecurity capabilities and practices. The FTC is likely to treat it as inherently unfair for a company to market a privacy policy as a means of garnering customers and increasing profits while failing to fulfill the promises in it. A company should therefore keep its privacy policy in step with the safeguards it actually operates, or raise its safeguards to match what the policy promises.

Steven Nelson
Syracuse University College of Law

[1] FTC v. Wyndham Worldwide Corp., 2015 WL 4998121, at 3 (3d Cir. Aug. 24, 2015)

[2] Id. at 2

[3] Id.

[4] Id. at 3

[5] Id.

[6] Id. at 1-2

[7] Id. at 3

[8] FTC v. Bunte Bros., 312 U.S. 349, 353 (1941)

[9] Atl. Ref. Co. v. FTC, 381 U.S. 357, 367 (1965)

[10] Wyndham Worldwide Corp., 2015 WL 4998121 at 12, 14

[11] Id. at 5