The major headline hacking event of 2014 involved data theft at a highly visible enterprise: Sony Pictures.
Perhaps just as significant in e-commerce security, but below the conventional news radar, was a 2014 federal court ruling which allows the Federal Trade Commission to continue penalizing commercial firms for failure to protect consumer data from hackers.
That decision has been challenged, and in early March the FTC and its opponent will square off for oral arguments in court on whether the FTC has exceeded its authority for protecting consumer records. The U.S. Appeals Court, Third Circuit, in Philadelphia, will hear the case.
In FTC v. Wyndham Worldwide, the FTC alleges that the hotel and hospitality services company violated the Federal Trade Commission Act.
The litigation has been termed a possible landmark case by some legal experts. Elizabeth Hyman, executive vice president at TechAmerica, said that while the trade group does not have a position on the Wyndham case itself, it has been following the litigation closely. “The outcome of the case will have a major impact on the federal government’s ability to regulate the protection of consumer data,” she told the E-Commerce Times.
‘Unfair Practice’ Charge
Wyndham experienced three separate intrusions of its computer system between April 2008 and January 2010. “Ultimately, the breach led to the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia,” the FTC said.
The FTC concluded that Wyndham had relied on faulty software configurations, vulnerable passwords, and insecure servers. The FTC further claimed the company failed to properly improve security after the first hacking event.
“We regret the FTC’s decision to pursue litigation, and believe its claims are without merit. We cooperated fully with the FTC regarding its investigation of previously reported data breaches that occurred from 2008 to 2010, in which cybercriminals potentially accessed a limited amount of customer information at some Wyndham Hotels and Resorts-brand hotel properties,” Wyndham said in a statement.
Wyndham asked a district court to dismiss the FTC’s charges, but the court refused to do so. Wyndham has now — in effect — asked the appeals court to dismiss the FTC’s complaint. If Wyndham prevails, the case will be terminated, according to Chris Cole, a partner at law firm Crowell and Moring. Procedurally, the case involves a ‘motion to dismiss,’ so if the appeals court supports the FTC, it only means that the case would revert back to the district court for trial, he explained. If that happens, “both sides live to fight another day,” Cole told the E-Commerce Times.
Wyndham’s arguments call into question the fundamental legal authorities the FTC relies on not only to protect consumer privacy, but also in other contexts. One of those authorities is the ‘unfair practice’ provision of the FTC Act, which Cole says is an issue “that has ramifications far beyond data security, and it would be a major blow to the FTC if the court placed significant constraints on the FTC here.”
The FTC contends that Wyndham’s actions “caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.” This assertion means that Wyndham’s behavior constitutes an illegal unfair practice under the FTC Act.
Wyndham counters that the FTC has failed to meet the legal test of proving “substantial” consumer injury that would support a finding of unfair practices. “Indeed, the FTC recently admitted in discovery after having investigated the cyberattacks against Wyndham for nearly five years that it has failed to identify a single individual consumer who suffered unreimbursed financial loss,” the company said in a court memo. (In a related procedural issue, certain discovery matters have been put on hold.) The company further contends, in essence, that credit-card fraud limits protect consumers, and thus make it possible for cardholders to avoid significant losses.
“At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services. To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks,” Wyndham vice president for marketing and communication, Michael Valentino, told the E-Commerce Times.
What is Reasonable Protection?
A second significant issue is the standard of compliance used by FTC. “In numerous instances Defendants (i.e. Wyndham) failed to employ reasonable and appropriate measures to protect personal information,” the FTC said. Under federal law, the commission need only determine itself what constitutes reasonable — or unreasonable — behavior, and the agency is not required to issue any technical cybersecurity standards prior to making those determinations. The lack of specific technical requirements for dealing with cyberprotection not only presents a baffling compliance burden for businesses, but also constitutes a legal deficiency in FTC authority, Wyndham and its supporters contend.
The FTC defends its enforcement actions by noting that numerous consent order settlements dealing with data breaches provide an adequate reference point for determining reasonable cyberprotection methods. Wyndham has challenged that assertion, and the U.S. Chamber of Commerce contends that variations in the circumstance of each consent order only result in a patchwork of after-the-fact guidance.
In an amicus brief supporting Wyndham, the U.S. Chamber said: “But discerning any consistent standards from these consent orders is futile because the FTC’s definition of what data-security principles are ‘unreasonable’ depends on the business it is investigating.” Furthermore, FTC complaints and consent orders premised on failures by businesses to maintain ‘reasonable,’ or ‘appropriate,’ protection “are ambiguous and can — and do — constantly change,” the Chamber said.
FTC Claims Appropriate Enforcement
The FTC further contends that its cyberenforcement actions have been judicious, restrained and directed towards solving a serious problem. In response to a query from the E-Commerce Times at a recent TechAmerica conference in Washington D.C., FTC Commissioner Julie Brill noted that “The Wyndham litigation is not a case of ‘gotcha’ regulation.”
But Scott Talbott, senior vice president of government affairs at the Electronic Transactions Association, has a different perspective. “Because legislative and industry initiatives protect consumers from unauthorized charges, consumers are already protected from harm related to the theft of credit card data. Therefore, cases involving the theft of credit card data do little to protect consumers, but add considerable burden to those companies that have been victimized by a criminal attack,” he told the E-Commerce Times. The ETA has also filed an amicus brief supporting Wyndham.
The discretionary latitude of the FTC Act could work in the FTC’s favor in the Wyndham case, and the agency has had success in the past in appellate level decisions, Crowell and Moring’s Cole observed. But at the same time he noted that the case is “no slam dunk” for the FTC. While Wyndham is standing its ground in court, the company expressed a preference for addressing cyberprotection in a less confrontational way.
“We continue to believe that the FTC cannot regulate in the field of cybersecurity without authorization from Congress and without identifying what cybersecurity measures are required by law. At a time when cyberattacks are increasing dramatically, safeguarding personal information remains a top priority for our company, and we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries,” Valentino said.