
The FTC Act

By L. Elise Dieterich
July 30, 2012

Read the Privacy Policy on the typical company's website, and it is likely to say something like this: “We recognize the importance of protecting the privacy of personally identifiable information [and] we safeguard our customers' personally identifiable information by using industry standard practices. We restrict access to non-public personal information about you only to those employees who need to know that information to provide products and services to you. We use commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information [and] make commercially reasonable efforts to ensure the security of our systems.”

If your company's Privacy Policy contains similar statements, beware: These statements paraphrase the privacy policies of defendants Wyndham Hotels, Franklin Toyota/Scion, and RockYou.com, respectively, as quoted in recent Federal Trade Commission (FTC) complaints, in which the FTC alleged that such statements, if not backed up by adequate data security measures, constitute an “unfair or deceptive act or practice,” in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). See Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corporation; Wyndham Hotel Group, LLC; Wyndham Hotels & Resorts, LLC; and Wyndham Hotel Management, Inc. (U.S. District Court for the District of Arizona) Case No. 2:12-cv-01365-SPL, http://ftc.gov/os/caselist/1023142/120626wyndamhotelscmpt.pdf; In the Matter of Franklin's Budget Car Sales, Inc., also doing business as Franklin Toyota/Scion, FTC File No. 102 3094, www.ftc.gov/os/caselist/1023094/120607franklinautomallcmpt.pdf; United States of America (For the Federal Trade Commission) v. RockYou, Inc. (U.S. District Court for the Northern District of California, San Francisco Division) Case No. 3:12-cv-01487-SI, www.ftc.gov/os/caselist/1023120/120327rockyoucmpt.pdf.

Serious Charges

In four cases announced in the past four months (against Wyndham, Franklin, RockYou.com and EPN, Inc.), the FTC has charged businesses whose data security was breached with violations of Section 5(a) of the FTC Act, on two theories. First, as to those companies that promised in their privacy policies to apply reasonable safeguards to protect customer information, then failed to do so, the FTC took the position that the companies' representations were false or misleading, thereby constituting deceptive acts or practices prohibited by Section 5(a). Second, irrespective of the companies' privacy policies, where the FTC deemed that the companies had failed to employ “reasonable and appropriate” measures to protect personal information against unauthorized access, the FTC alleged that defendants' failure caused, or is likely to cause, substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not offset by countervailing benefits to consumers or competition, one of several definitions of an unlawful “unfair or deceptive act or practice” prohibited by the FTC Act.

It should be noted that this latter theory was the sole allegation in the FTC's case against debt collector EPN, which had no direct relationship with the consumers whose personal information was at issue, and therefore had not made any promises to those consumers about its data security measures. See In the Matter of EPN, Inc., also doing business as Checknet, Inc., FTC File No. 112 3143, www.ftc.gov/os/caselist/1123143/120607epncmpt.pdf. Thus, even companies that do not directly collect consumer information may be vulnerable to an FTC complaint, if consumers' personal information is nonetheless stored on the company's computers.

Actionable Failure

So, what acts or practices constitute, in the FTC's view, an actionable failure to provide reasonable and appropriate security for consumers' personal information? Failures alleged in the four complaints include the following:

  • Unnecessarily collecting personal information from consumers in the form of e-mail address passwords;
  • Storing passwords, with associated e-mail addresses, in clear text;
  • Failing to “employ commonly-used methods to require user IDs and passwords that are difficult for hackers to guess”;
  • Allowing servers to connect to the network “despite the fact that well-known default user IDs and passwords were enabled on the servers”;
  • Failing to adequately inventory computers connected to the network;
  • Failing to segment servers, so that once a hacker entered one part of the network, s/he could access all information on the network;
  • Failing to adequately restrict third-party vendor access to the network;
  • Not protecting the network from “commonly known or reasonably foreseeable attacks,” including SQL injection and XSS attacks, for which “solutions to prevent such attacks were readily-available and inexpensive”;
  • Failing to adopt information security and/or incident response plans;
  • Failing to assess risks to consumer personal information collected and stored online;
  • Failing to adequately train employees;
  • Failing to use reasonable measures to assess and enforce compliance with security policies and procedures, “such as scanning networks to identify unauthorized peer-to-peer (“P2P”) file sharing applications, or blocking installation of such programs”;
  • Failing to use reasonable methods to prevent, detect, and investigate unauthorized access to personal information on networks, “such as by adequately logging network activity and inspecting outgoing transmissions to the Internet to identify unauthorized disclosures of personal information” or “to conduct security investigations where unauthorized access to information occurred”;
  • Allowing software at franchisee locations to be configured inappropriately; and
  • Failing to remedy known security vulnerabilities.
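Two items in the list above, storing passwords in clear text and leaving a site open to SQL injection, map directly onto code, and the FTC's own characterization is that the fixes are readily available and inexpensive. The following Python is an added example, not code from the article or from any of the complaints it cites; it places each failing practice beside its standard-library remedy (salted PBKDF2 hashing with constant-time comparison, and a parameterized query). The users table, the sample accounts and the iteration count are constructed for the example; production deployments use a higher iteration count than the one kept small here.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

# Iteration count kept low so the example runs quickly; production uses a much higher value.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return an 'iterations$salt$digest' record for storage.

    The clear-text password never reaches the database: only a random salt
    and the PBKDF2-HMAC-SHA256 digest derived from it are kept.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory users table holding hashed, not clear-text, passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice@example.com", hash_password("correct horse")),
            ("bob@example.com", hash_password("battery staple")),
        ],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, email: str) -> List[str]:
    """Failing practice: the caller's input is spliced into the SQL text itself."""
    rows = conn.execute(f"SELECT email FROM users WHERE email = '{email}'").fetchall()
    return [r[0] for r in rows]


def lookup_param(conn: sqlite3.Connection, email: str) -> List[str]:
    """Remedy: the input travels as a bound parameter and is only ever compared as a value."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()
    return [r[0] for r in rows]


def login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Authenticate against the hashed record using the parameterized lookup."""
    row = conn.execute("SELECT pw FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed tautology input used to show the difference
    print("concatenated query returns:", lookup_concat(db, probe))
    print("parameterized query returns:", lookup_param(db, probe))
    print("login alice / correct:", login(db, "alice@example.com", "correct horse"))
    print("login alice / wrong:  ", login(db, "alice@example.com", "nope"))
```

Run stand-alone, the script shows the concatenated query returning every account for the tautology input while the parameterized query returns nothing, and shows that the hashed records still support normal login. The same two patterns, a stored digest that cannot be reversed into the password and a query that treats input strictly as data, are what an auditor checking the FTC's list would expect to find.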

While most corporate IT departments will immediately identify the above list as a litany of standard best practices, many also will acknowledge that their organizations have not achieved 100% compliance. Should you suspect that any of the failures detailed in the FTC's complaints are occurring in your company, the time to update policies and procedures, assess compliance, and implement remedial measures is now. Furthermore, as discussed below, every company should have strong mechanisms in place to identify and respond to data breaches.

Taking Action

Companies concerned that their data security practices may not yet incorporate all of the best practices detailed by the FTC will take some comfort in the fact that each of the FTC's recent complaints was triggered by an actual breach of personal information stored on the defendant company's network, and that settlements in the three cases that have been resolved thus far emphasize improved policies and procedures, rather than monetary penalties. Nonetheless, both the reputational and financial exposure faced by companies vulnerable to an FTC complaint should not be underestimated. RockYou.com operated a social website that, according to the FTC, allowed consumers to play games and use other applications, including one that enabled users to assemble slide shows of their personal photos. Hackers allegedly accessed the personal information of 32 million RockYou.com users. The FTC's settlement bars the company from making deceptive claims to consumers regarding its privacy and data security measures, requires it to implement and maintain a data security program and submit to independent audits every other year for the next 20 years, and levies a $250,000 fine against the company for violating the Children's Online Privacy Protection Act.

EPN's COO allegedly installed a P2P application on her desktop computer that resulted in files containing personal information for approximately 3,800 consumers being breached. Similarly, Franklin Toyota/Scion allowed P2P software on its network that exposed sensitive information for 95,000 consumers. However, neither EPN nor Franklin was required by the FTC to pay a fine. Rather, the settlements with EPN and Franklin require, among other things, that, like RockYou.com, each establish and maintain a comprehensive information security program and undergo independent data security audits every other year for the next 20 years.

It remains to be seen how the FTC's case against Wyndham, announced on June 26, 2012, will be resolved, since no settlement had been reached as of press time. The FTC's lawsuit against Wyndham Worldwide Corporation, Wyndham Hotel Group, Wyndham Hotels and Resorts, and Wyndham Hotel Management alleges that defendants' information security failures affected approximately 90 Wyndham-branded hotels under franchise or management agreements with the defendants. The complaint contains counts both for deception, based on Wyndham's representations in its Privacy Policy, and for unfairness, based on its failure to employ reasonable and appropriate data security measures. The FTC is requesting a permanent injunction, redress to consumers including but not limited to rescission or reformation of contracts, restitution, refunds, and disgorgement of “ill-gotten monies,” as well as the FTC's costs of suit.

Lessons to be Learned

One clear lesson of the Wyndham complaint is that the FTC expects companies to protect consumers by proactively monitoring for, and promptly responding to, data security breaches. The FTC's complaint emphasizes Wyndham's alleged failure, after a so-called “brute force attack” on its network in 2008 and three breaches in 2009, to detect and take action against the intrusions. The complaint states that payment card account information for more than 619,000 consumers, much of which was exported to a domain address registered in Russia, resulted in the loss of more than $10.6 million to fraud, for which the FTC seeks to hold Wyndham accountable. As this case illustrates, the common misconception that companies cannot be held liable for the bad acts of criminal hackers no longer holds true. If, as the FTC alleges, the means exist to detect and/or thwart a criminal invasion of computer networks, companies are required to implement such measures to do so.

The FTC's complaints against Wyndham, Franklin, RockYou.com and EPN provide both a roadmap and a warning for companies that handle consumers' personal information. The warning, of course, is that companies that fail to live up to their data security promises or to implement reasonable and appropriate data security measures will be vulnerable to a lawsuit under the FTC Act. The roadmap is contained in the complaints themselves, which detail the language in the defendants' respective privacy policies that got them into trouble when a breach occurred, and list the data security best practices the defendants allegedly failed to meet. Arguably, these recent FTC actions also up the ante for companies that ignore their message, as the FTC has now clearly put companies on notice regarding their data security expectations.


L. Elise Dieterich is co-Chair of the Telecommunications and Privacy Practice Groups in the Washington, DC, office of Kutak Rock LLP, and a member of this newsletter's board of editors.
