Federal Judge OKs FTC Enforcement for Data Security

If your business handles sensitive customer data, keeping your security practices tight just got even more important. Federal court case, FTC v. Wyndham Worldwide Corp., has extended the FTC’s jurisdiction to data security practices - and it’s also made it possible for the FTC to levy enforcement penalties against businesses without strong security.

The case rests on the FTC’s jurisdiction over unfair and deceptive business practices. After Wyndham hotels lost more than 600,000 credit card records to hackers in three separate breaches between 2008 and 2010, the FTC filed a suit against the chain that alleged the hotelier was in violation of the unfair and deceptive practices rules. The FTC filed the suit in 2012, and Wyndham in turn moved to dismiss all counts last April. However, the ruling by Federal District Court judge Esther Salas will force Wyndham to face the charges, and it also affirms the FTC’s role as the federal enforcement arm of data security.

The key to the FTC’s argument is that Wyndham disseminated a privacy policy which asserted the company kept customer data safe, but the chain’s actual security practices were insufficient to carry out that promise. For instance, the chain stored credit card information in their systems in plaintext, did not use firewalls to protect their systems, did not change default usernames and passwords, and failed to patch or remedy known security issues upon discovering the first and second breaches.

According to the FTC, Wyndham’s operations constituted a deceptive and unfair business practice: deceptive because the privacy policy misrepresented the hotel chain’s capabilities to protect customer data, and unfair because it created likely or unreasonable harm to customers without benefitting the business.

Of course, this is not the first suit that the FTC has levied against a company in response to data security lapses. The difference was in Wyndham’s response – rather than pay a settlement to the FTC, Wyndham moved to dismiss the charges. Their argument stated that the FTC did not have Congressional authority to regulate data security, that the FTC never gave guidelines on what constitutes “fair” data security, and that the FTC couldn’t prove any customers had actually been harmed by their practices. By dismissing these arguments, the Federal Court has firmly established the FTC’s authority over the data security sphere.

What does this ruling mean for other business owners dealing with sensitive data? There are several takeaways:

  • The absence of a standard does not remove your responsibility. One of Wyndham’s arguments focused on the fact that Congress has developed standards (HIPAA, GLBA, and so on) that regulate specific industries. Since no standard existed for the hospitality industry, that meant Congress did not intend for the FTC to regulate it directly. When this argument was dismissed, it also gave the FTC legal authority over every data security arena. In other words, even if your business doesn’t fall under a standard, that does not excuse you from the responsibility to protect customer data.
  • Breaches are now a matter of federal importance. Though the FTC has been handling data security enforcement for more than a decade, this ruling will likely only make them take a larger role. Expect to see more enforcement actions against businesses that have weak data security practices.
  • Too much security is better than too little. There are no federal guidelines to what exactly constitutes a fair versus an unfair data security practice – the court decision even notes that the wording “unfair or deceptive practice” is purposefully ambiguous so it can be interpreted broadly. In the absence of a standard, businesses should examine their own security systems and make sure they meet the best practices of their industry, and they should also keep their systems up to date.
  • The worst thing you can do is ignore security issues. If the FTC or a court can prove that you knew your system had security problems and you did not address them, it’s much more likely you’ll face an unfair or deceptive practices charge. Wyndham didn’t remedy its vulnerabilities until it was breached three separate times in almost the exact same way. Behaving in a similar manner could result in similar penalties.

In the end, this decision is a huge win for the FTC. They are allowed to keep enforcing data security as an unfair or deceptive practice without needing to publish a standard defining their position. In this context, it is vitally important for businesses to be proactive and ensure their data is secure, either by improving their own systems or by partnering with a security firm.

TokenEx is a data security provider dedicated to helping businesses improve their security practices and reduce their risk from handling sensitive data. To contact a TokenEx representative and learn about our different security products, call (877.316.4544) or email us today. You can also follow us on Twitter and LinkedIn for data security news and analysis.

Topic(s): payments , data security

Keep Up With Our PCI & Privacy Blog