The Legal Stuff: FTC v. Wyndham
Since June 2012, Wyndham Hotels has been the focus of an FTC complaint, alleging that the company acted “unfairly” when it failed to provide “reasonable” measures to secure customer data (Wyndham had suffered three data breaches in two years). In response, Wyndham filed a motion to dismiss – challenging the FTC’s authority to even bring such an action under Section 5 of the FTC Act, which prohibits “unfair” and “deceptive” actions (Covington & Burling has an excellent summary of the case so far).
Last week, Judge Salas (District of New Jersey) denied Wyndham’s motion and allowed the FTC’s case to proceed. Her decision is significant because it is the first time a federal judge has ruled on the scope of the FTC’s unfairness authority under Section 5 in a data security case.
For privacy watchers, this is an important case. Whether the FTC has the authority to regulate data security practices, and what the standard should be, has also received its fair share of attention from industry, prompting several amicus briefs (including this must-read from the US Chamber of Commerce et al.).
One of the central questions in this case is what “reasonable” means when it comes to data security. As both Wyndham and the Chamber point out, the FTC has not articulated that standard (the FTC says it cannot, because industry practice constantly changes in response to evolving threats and vulnerabilities).
Wyndham’s argument in response is that the FTC’s lack of guidance is essentially a constitutional violation of due process – because there’s no “fair notice” of the prohibited conduct. Judge Salas rejected that particular argument from Wyndham, stating that there was enough guidance in recent FTC complaints and orders for companies to develop reasonable data security practices.
However, her ruling was in the context of whether the case should proceed – the issue will still need to be litigated. And we may not get a comprehensive answer, or the answer to other important issues in this case, if Judge Salas is reversed on appeal, or if Wyndham settles.
The FTC is Leading Data Security Practice Enforcement
But one thing is clear. The FTC has emerged as the leading enforcer of data security practices (don’t forget the 4th Circuit’s recent decision in FTC v. Ross, affirming the FTC’s Section 5 authority in cybersecurity cases, including holding defendants personally liable for unfair and deceptive practices).
Plus, the lack of FTC guidance does not mean there are no industry-defined best practices – including several embodied in TrustArc’s own program requirements – for implementing reasonable data security measures. These are best practices that should already be part of your data governance program.
Six Best Practices for Every Company that Considers Customer Personal Data to be an Asset
1. Make sure that your privacy disclosures reflect your actual practice.
If you talk the talk, then you need to walk the walk. Make sure you are doing what you say – especially when it comes to promises you are making in your privacy statement about how you manage the information you collect, process, share, and retain.
Look at the scope of your company’s privacy statement and how it is defined. Assess what the scope means and what aspects of your business it applies to. Take steps to verify that all your online properties (website, mobile app), products, services, business units, and parties covered under the defined scope comply with your privacy disclosures and statements.
When a company fails to abide by its stated privacy disclosures, it can open itself to Section 5 liability. Just ask Goldenshores Technologies, maker of the popular “Brightest Flashlight” app, which failed to disclose that it was collecting and sharing consumer data – and now finds itself the subject of a 20-year FTC decree.
2. Be proactive and actively identify, monitor, and address vulnerabilities.
A vulnerability management program has three parts: identify (keep an inventory of systems and software, scan them regularly, and track vendor advisories), prioritize and remediate within a defined time window, and verify that the fix actually closed the issue. The same program is the foundation of your breach plan: when an incident does happen, you need to find the root cause quickly, close it, and confirm it cannot recur.
One good resource to help you start creating such a plan is the 2014 Data Protection & Breach Readiness Guide, published by our friends at the Online Trust Alliance. And if you want to learn more about how not “patching” vulnerabilities can get you into Section 5 trouble, look at the FTC’s settlement with HTC over the lack of “reasonable” data security practices.
3. Understand your data flows.
Map how personal data enters your organization, where it is stored and processed, which business units touch it, and which third parties receive it. The resulting data flow map should be the first step in any privacy assessment: it shows where risk concentrates and where deeper, more detailed assessments are needed.
4. Put password management rules in place and reinforce them frequently.
Review your password protocols and rules for customers, employees, and vendors who have access to your information systems. Assess what type of information is accessed and put protocols and policies in place to manage which information is available to users.
Sensitive data will require stricter protocols, such as stronger password rules: a minimum length, complexity requirements (for example, no dictionary words and at least one special character), and a set expiration period (e.g., six months) after which users must change their password. Whatever rules you choose, store passwords only as salted, deliberately slow hashes (bcrypt, scrypt, or PBKDF2); a strong policy is no help once a database of plaintext or reversibly encrypted passwords leaks. It may also be worth looking at the guidance on passwords in the FTC’s guidance to consumers on keeping personal data secure.
5. Manage access to data.
Restrict and manage vendor access to data, and have a process to revoke that access as soon as it is no longer required (contract end, project end, staff turnover at the vendor). Inventory the servers and devices connected to your network and verify that none still carry vendor-supplied default accounts or default passwords, which are widely published and a routine route to unauthorized access.
By reviewing your system, you will also learn how business units within your organization or vendors use customer data. Assess who has access to customer data, what information they have access to, and why they’re using it. Take steps, such as employing firewalls, to restrict access only to what is necessary for the business unit or vendor’s needs.
6. Encrypt sensitive data.
Review how your organization classifies the data it collects and retains, and assess whether data classified as sensitive is encrypted both in transit (TLS between clients, servers, and vendors) and at rest. This includes the login credentials that customers, employees, and vendors use to reach that data: credentials must travel only over an encrypted, properly validated connection, and stored passwords should be kept as salted, slow hashes rather than in reversible form.
Encryption adds a layer of protection in the event of a breach: an attacker who copies the database gets ciphertext rather than usable financial information such as credit card numbers, provided the keys are stored separately from the data they protect. The FTC recently addressed the importance of protecting data in transit in its consent decrees against Fandango and Credit Karma, whose mobile apps had disabled SSL certificate validation and so left the data they transmitted open to interception on a shared network.
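What "protecting data in transit" comes down to in client code, as an added example that is not from the original post or the FTC filings: the Fandango and Credit Karma orders concerned apps that had turned off SSL certificate validation. The block shows the unsafe TLS client context beside a hardened one, plus an audit function that flags the weak settings, using only the Python standard library; no connection is made, and the server name in the usage comment is a placeholder.

```python
"""Insecure versus hardened TLS client configuration.

Added example, not code from the original post. Shows the configuration
mistake behind "certificate validation disabled" next to the correct
settings, and a check that would catch the mistake in review.
"""
import ssl
from typing import List


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: any certificate from any server is accepted.

    A network attacker can present their own certificate, terminate the
    connection, and read everything the client sends.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # certificate name is not compared to the host
    ctx.verify_mode = ssl.CERT_NONE   # certificate chain is never validated
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Validate the chain against the system trust store, check the hostname,
    and refuse legacy protocol versions."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a client context (empty list = acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS/SSL versions allowed")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
    # Usage with a real socket (placeholder host, not part of the original post):
    #   with socket.create_connection(("api.example.com", 443)) as sock:
    #       with hardened_context().wrap_socket(sock, server_hostname="api.example.com") as tls:
    #           ...
```

The `server_hostname` argument is what makes `check_hostname` meaningful; a client that omits it, or passes a different name than the one it connects to, has effectively disabled hostname verification even with a default context.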
Companies – including those certified by TrustArc TRUSTe – are already using the steps outlined above to protect valuable customer data. For more information on how you can integrate similar best practices into your data governance programs, contact us today!