Wyndham Hotels’ motion comes at a time when the business community is fighting back over what it sees as unchecked FTC authority. One case garnering a lot of attention alongside the Wyndham Hotels case is LabMD, which has spent half a million dollars fighting an FTC civil investigative demand (CID) over an incident that, in its view, was not even a data breach.
Wyndham’s decision to fight the FTC has led to a pitched battle that is a “must win” for the FTC. The National Chamber of Commerce has filed an amicus brief arguing that the FTC is unfairly punishing the victim:
The FTC has routinely punished businesses who are themselves hacking victims for allegedly failing to have “reasonable” data security measures in place – only there’s no way for a business to truly know beforehand what the FTC will consider “reasonable” measures until after it’s been hacked. Because the FTC has never formally promulgated any data security standards, a business has no way of knowing whether it’s compliant until after it’s been hacked, had its data stolen, completed a costly FTC investigation, and an enforcement action has been filed against it. Then the FTC strong-arms the business into entering into so-called “settlement” agreements (or “consent orders”) that often give the FTC roving and unchecked authority for the next 20 years to conduct audits and impose penalties on the business – again, for violating non-existent data security standards.
The FTC’s conduct raises serious due process concerns, is not supported by any statutory grant of authority from Congress, and chills e-commerce and innovation. . . . The FTC’s regulation by consent order has a particularly pernicious impact on small businesses. Because they have no way of knowing in advance what the FTC considers commercially “reasonable” data security measures, many small businesses must divert scarce resources away from addressing cybersecurity breaches to retaining legal counsel in anticipation of and response to potential FTC investigations and enforcement actions.
Another pro-Wyndham amicus is Tech Freedom, which argued that
Rulemaking is generally preferable to case-by-case adjudication as a way to develop agency-enforced law, because rulemaking both reduces vagueness and constrains the mischief that unconstrained agency actions may cause.
Public Citizen has come to the FTC’s defense with its own amicus brief, asserting:
Although the injuries resulting from a data breach can be significant, private tort suits alleging such injuries are nascent, and federal courts to date have not recognized a private remedy against companies whose networks are breached for consumers whose data is stolen but not yet misused. Thus, FTC enforcement actions pursuant to Section 5 of the FTC Act, 15 U.S.C. § 45, against companies that fail to reasonably protect their consumers’ information from misappropriation are currently the key means of protecting consumers. Indeed, FTC enforcement actions such as the one at issue here have served as the only effective means of redressing the unfair corporate practices that lead to corporate data breaches that cause substantial injuries to consumers.
The court’s ruling on this matter could have far-reaching effects, and it comes at a time when U.S. cyber security is at a critical stage.
FTC Sues Wyndham Over Security Failures Leading to Three Data Breaches
According to the FTC, it sued global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years. The breaches led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.
recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program.
The FTC faults Wyndham for:
- failing to take security measures such as complex user IDs and passwords, firewalls, and network segmentation between the hotels and the corporate network;
- allowing improper software configurations that resulted in the storage of sensitive payment card information in clear, readable text;
- three data breaches that led to the compromise of more than 500,000 payment card accounts and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia;
- failing to remedy known security vulnerabilities;
- failing to employ reasonable measures to detect unauthorized access;
- and failing to follow proper incident response procedures.
Wyndham Challenges FTC Authority to Regulate Data Security
Wyndham Hotels is seeking to dismiss the complaint by challenging the FTC’s authority over data breaches. In its motion, Wyndham argues:
This is an unprecedented lawsuit with far-reaching implications. For the first time ever, the FTC is asking a federal court to hold that Section 5 of the FTC Act—a 1914 statute that prohibits “unfair and deceptive acts or practices”—authorizes the Commission to regulate the sophisticated technologies that businesses use to protect sensitive consumer information. Large and small businesses already are subject to a dizzying array of federal statutes that establish data-security standards in specific sectors of the economy. None of those statutes, however, apply in this case. Notwithstanding that statutory silence, the FTC argues that the general language of Section 5 gives it the broad authority to set data-security standards for any American business operating in any industry. No court has ever held that Section 5 gives the FTC such unbounded authority . . . .
To address pressing concerns of cybersecurity, Congress and the President have made substantial efforts to enact laws that would establish specific data-security standards for the private sector. Just last year, a comprehensive data-security law, the Cybersecurity Act of 2012, failed to pass the Senate despite extensive negotiations among the President, legislators, and scores of interest groups. In response, the President in February 2013 issued an Executive Order and a Presidential Policy Directive on cybersecurity issues, which require the development of minimum data-security standards for businesses operating critical-infrastructure systems or assets. In stark contrast to the FTC’s approach to regulation in this case, however, the Executive Order requires the formulation of specific data-security standards far in advance of any regulatory enforcement efforts and after an open public comment and review process. For its part, Congress has continued to pursue cybersecurity legislation. Just last week the House of Representatives passed an entirely new cybersecurity bill, the Cyber Intelligence Sharing and Protection Act, which now is pending before the Senate Intelligence Committee.
The FTC is not waiting for the political process to determine the proper scope and contours of cybersecurity regulation. Notwithstanding that WHR was a victim of hacking, and notwithstanding the substantial data-security efforts WHR undertook both before and after attacks, the FTC brought this unprecedented lawsuit against WHR, claiming that the company—as opposed to the hackers themselves—should be held responsible for the attacks. Although no specific statute grants the FTC authority to establish and enforce data-security standards for the private sector, the Commission claims that such authority can be found in Section 5’s general prohibition on “unfair and deceptive” trade practices—a provision that has traditionally been understood to forbid certain dishonest or unscrupulous business practices. WHR does not dispute that the FTC can bring enforcement actions against companies that make “deceptive” statements to consumers. But in this case the Commission is attempting to do much more than that. . . .
The FTC’s approach to data-security regulation in this case only confirms that the Commission has neither the expertise nor the statutory authority to establish data-security standards for the private sector. The FTC has not published any rules or regulations that might provide the business community with ex ante notice of what data-security protections a company must employ to comply with Section 5. . . . Instead, the FTC is enforcing its vision of data-security policy through this selective, ex post enforcement action, which seeks to hold WHR liable for violating the FTC Act without any fair notice as to what data-security protections that Act supposedly requires. Indeed, after a two-year investigation into WHR’s data-security practices, the FTC is unable to allege anything more specific than that WHR failed to employ protections that were “reasonable,” “appropriate,” “adequate,” or “proper.” The FTC’s inability or unwillingness to state precisely what WHR did wrong—or tell others in the business community what they must do to avoid similar lawsuits in the future—confirms that the Commission has no business trying to regulate data-security practices under the FTC Act.
Wyndham stresses that the FTC in the past has
specifically disclaimed the authority to regulate data security under Section 5’s “unfair … practices” language. In the late 1990s and early 2000s, the Commission repeatedly stated that it “lack[ed] authority to require firms to adopt information practice policies,” FTC, Privacy Online: Fair Information Practices in the Electronic Marketplace, (hereinafter, “2000 Privacy Report”), at 34 (2000), available at http://www.ftc.gov/reports/privacy2000/.pdf, and that its authority over data-security matters was “limited … to ensuring that Web sites follow their stated information practices . . .
FTC Response: Regulating Data Security is Part of Its Broad Mandate
The FTC’s opposition brief responds that:
- “Congress deliberately delegated broad power to the FTC under Section 5 of the FTC Act to address unanticipated practices in a changing economy;”
- Wyndham had fair notice of what constituted reasonable data security via industry standards and FTC guidance and consent decrees;
- Wyndham itself “told consumers that it used “industry standard practices” and that it took “commercially reasonable” efforts to create and maintain firewalls.”
In response to Wyndham’s charge that the FTC did not specify how Wyndham failed to meet data security standards, the FTC recited the following list from the Complaint, which alleges that Wyndham:
- failed to limit access among different computer networks through the use of readily available measures, such as firewalls;
- permitted improperly-configured software, resulting in the storage of payment card information in clear text;
- failed to ensure the Wyndham-branded hotels had adequate information security policies in place prior to allowing them to access Wyndham’s computer network;
- failed to require servers attached to its networks to have the latest security patches from manufacturers;
- permitted servers on its network with commonly-known default user IDs and passwords;
- failed to follow best practices for password complexity;
- failed to inventory the computers on its network in order to permit Wyndham to identify the origin of intrusion efforts;
- failed to employ reasonable measures to detect and prevent unauthorized access;
- failed to follow proper procedures to prevent repeated intrusions;
- and failed to restrict third-party access to its network.
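Several of the failures the FTC lists (here and in the earlier summary of the complaint) are concrete enough to check for mechanically: payment card numbers stored or logged in clear text, and servers left with commonly known default user IDs and passwords. The following is an added example, not code from the FTC’s complaint, from Wyndham, or from any filing in the case. It runs a small audit over constructed sample log and configuration lines; the card numbers are industry test numbers, and the default-credential list and host names are hypothetical placeholders.

```python
"""
Added example: audit sample lines for two failure classes named in the FTC
complaint (clear-text card numbers and default credentials). Everything
below is constructed for illustration; no real accounts or vendor defaults.
"""
import re

# Hypothetical default credentials; a real check would draw on a maintained list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("root", "password"),
    ("sa", ""),
    ("administrator", "changeme"),
}

# Constructed sample lines mixing a property-management-system log with
# server login configuration. Card numbers are test numbers, not real accounts.
SAMPLE_LINES = [
    "2013-04-01 12:00:01 pms01 reservation guest=J.Doe card=4111111111111111 exp=0615",
    "2013-04-01 12:00:05 pms01 reservation guest=A.Roe card=tok_9f3a2c exp=1114",
    "2013-04-01 12:01:10 pms01 reservation guest=B.Poe card=4111 1111 1111 1112 exp=0315",
    "db01 login user=sa pass=",
    "db02 login user=admin pass=admin",
    "db03 login user=svc_pms pass=Xq7!mvL2",
    "srv07 fax 5551234567 ticket 123456789012345",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in
# a longer digit run. Luhn validation below filters out most false positives.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CRED_RE = re.compile(r"user=(\S*)\s+pass=(\S*)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(line: str) -> list:
    """Return Luhn-valid card numbers found in clear text, separators removed."""
    found = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact_pans(line: str) -> str:
    """Rewrite a line so only the first six and last four digits of a PAN remain."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number; leave it alone
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(_mask, line)


def find_default_credentials(line: str) -> list:
    """Return (user, password) pairs on the line that match a known default."""
    return [(u, p) for u, p in CRED_RE.findall(line) if (u, p) in DEFAULT_CREDENTIALS]


def audit(lines) -> list:
    """Return (line_number, kind, detail) findings for every flagged line."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_cleartext_pans(line):
            findings.append((n, "cleartext_pan", pan))
        for user, _ in find_default_credentials(line):
            findings.append((n, "default_credential", user))
    return findings


if __name__ == "__main__":
    for n, kind, detail in audit(SAMPLE_LINES):
        print(f"line {n}: {kind}: {detail}")
    print(redact_pans(SAMPLE_LINES[0]))
```

The Luhn filter matters: the 15-digit ticket number on the last sample line and the mistyped card on the third line match the digit pattern but fail the check, so they are not reported. The tokenized card on the second line is what the “corrected” storage looks like; redact_pans shows the minimum a log line should carry if a card number must appear at all.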
Wyndham Response: FTC Exceeding Authority in Setting Data Standards
Wyndham’s Reply Brief asserts:
The FTC has appointed itself as a roving data-security prosecutor—but, unlike other prosecutors, the FTC itself defines the elements of the offense and does so only after the fact. Worse, the FTC turns victims of cybercrime into defendants by bringing “case-by-case,” quasi-criminal enforcement proceedings against companies like Wyndham, which responded to cyberattacks in a responsible fashion by alerting law enforcement, notifying consumers, retaining experts, and spending millions on remedial measures. The FTC, however, is not letting the law or the facts get in the way of its data-security agenda. The lesson for American businesses (large and small) is clear: do not expect the FTC to say what the rules are until after your business has been attacked, had data stolen, participated in an investigation, and been subjected to litigation.
That theory of governmental power is fundamentally inconsistent with the principles of fair notice and due process that are at the core of our legal system. If the rule of law means anything, it means the government must say in advance what the rules are before it tries to impose liability for breaking them. “We know it when we see it” is not a lawful (or desirable) approach to agency regulation. . . . In the highly complex and technically sophisticated world of data security, a command to “act reasonably” provides no guidance as to how businesses must manage their systems, program their software, configure their servers, or make any of the other decisions involved in protecting computer networks from hackers.
Noting that the FTC and numerous other government agencies have themselves been hacked, Wyndham asserts:
Surely the FTC does not seriously argue that these agencies—not to mention Google, CitiBank, Sony, and scores of other sophisticated companies—are leaving their doors open to cybercriminals. The way to help victims of cybercrime is not to empower the FTC to scour the country for “unreasonable” data-security practices, particularly when (as here) there is no evidence that consumers suffered economic harm from the attacks. It is, as Congress and the President have recognized, to establish in advance clear data-security requirements by which companies should abide and to allow companies to share information without the chill of litigation. Those ongoing efforts by the Executive and Legislative branches only confirm that Section 5, to the extent it even applies in the data-security context, provides no meaningful guidance as to what a business can do to comply with the law.