In April 2014, Judge Esther Salas of the U.S. District Court for the District of New Jersey decided that the Federal Trade Commission (FTC) could pursue a claim that a hotel company's failure to have adequate data security measures is an unfair trade practice. Federal Trade Commission v. Wyndham Worldwide Corp., 10 F.Supp. 3d 602 (D.N.J. 2014). In its recent brief addressing Wyndham's appeal to the U.S. Court of Appeals for the Third Circuit, the FTC has made clear that it is not backing down. The agency believes that data security is a basic responsibility of any company that accepts consumer personal information, and that savvy companies should heed Wyndham's lessons.
U.S. Privacy Laws
In the United States, there is no single privacy and data security law of general applicability. There are, however, many federal and state laws that impose obligations on a wide number of different actors. For example, federal governmental entities are subject to information-security and privacy requirements under laws that include the Federal Information Security Management Act (FISMA). At the state level, 47 states have enacted data breach notification laws involving personally identifiable information.
Perhaps one of the most wide-reaching and flexible laws in the privacy and data security arena does not even mention the words “privacy” or “data.” Section 5 of the Federal Trade Commission Act (FTCA) provides that “unfair or deceptive acts or practices in or affecting commerce … are … declared unlawful.” The statute defines unfair practices to include those that “cause or [are] likely to cause substantial injury to consumers [and are] not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” The FTC is granted power to enforce these prohibitions. At its core, § 5 is a consumer protection statute, and the FTC has interpreted its enforcement writ to cover the regulation of consumer privacy and data security.
The FTC has frequently used its enforcement authority to pursue companies for what it asserted were deceptive acts: issuing privacy policies to consumers that promised more than the companies delivered. The FTC has also interpreted its authority to ensure that companies maintain adequate consumer data security.
An example can be found in an FTC enforcement action brought a decade ago against the former Tower Records. In the Matter of MTS Inc, FTC File #032-3209. According to the FTC's complaint, Tower operated a website that allowed users to purchase music and other products. To make purchases, consumers would input personal information, including their names, billing addresses and other contact information. Tower's privacy policy promised consumers that it used state-of-the-art technology to protect the information and that no one other than the consumer could access the data. In the process of a website redesign, however, Tower apparently failed to fully update software code (an “easy” fix, according to the FTC) and, as a result, customer data were viewable by unauthorized visitors to the Tower site.
The FTC argued that Tower Records' failure “to detect and prevent vulnerabilities in their Web site and applications,” along with the misstatements in its privacy policy, violated § 5. As is generally the case with FTC enforcement actions, Tower ultimately entered into a consent order with the FTC, rather than challenge the FTC in court.
The Wyndham Case
Wyndham operates and manages hotels, resorts and timeshares through subsidiaries and franchisees. Between 2008 and 2010, Wyndham's computer networks were allegedly breached on three occasions, leading to the loss of more than 600,000 payment-card account numbers and the racking up of millions of dollars in fraudulent charges.
The FTC brought an enforcement action against Wyndham (and various related parties) asserting that “failure to maintain reasonable and appropriate data security for consumers' sensitive personal information” violated both the deception and unfairness prongs of the FTCA's § 5(a). But unlike many targets of FTC enforcement actions, Wyndham decided to contest the FTC allegations, moving in federal court to dismiss the complaint. Wyndham argued that the agency must formally promulgate data security regulations, to provide adequate notice to parties before asserting unfairness claims based on data security incidents.
District Judge Salas rejected Wyndham's arguments. Of particular interest, the district court found that the language in § 5, the FTC's guidance on reasonable data security measures and prior FTC consent agreements and opinions give companies adequate notice of appropriate data security standards. Although Judge Salas cautioned that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” the case made clear that the FTC can and will pursue companies for inadequate data security.
Wyndham appealed to the U.S. Court of Appeals for the Third Circuit. Federal Trade Commission v. Wyndham Hotels & Resorts LLC, 14-3514. The FTC has submitted a brief to the court in which it made clear that companies are responsible for keeping data “turned over” to them by consumers “from falling into the wrong hands.” Although the FTC claims that § 5 does not require “perfect security,” it does require “reasonable” measures. The agency claims it has warned companies for almost a decade as to what measures are reasonable.
Advice for Companies
What steps should companies take (and what recommendations should their legal, compliance and information-technology advisers provide) in light of the Wyndham decision? A good starting place is to follow the implicit logic of the opinion and look at past complaints and consent orders in which the FTC alleged § 5 violations due to poor security practices. By avoiding some of the failures cited, a well-advised entertainment company might find itself better insulated against FTC enforcement actions.
Below are just a few examples of security failures that the FTC has alleged constitute unfair or deceptive trade practices:
In addition, entertainment companies should become familiar with the FTC's publication, “Protecting Personal Information Guide for Business,” which provides practical advice. For technical guidance in implementing or refining data security programs, look to security standards promulgated by well-regarded organizations including the ISO/IEC 27001/2 standards, National Institute of Standards and Technology (NIST) Special Publication 800-53, the NIST Cybersecurity Framework and the Payment Card Industry Data Security Standard (PCI-DSS).
Todd C. Taylor and Karin M. McGinnis, based in Charlotte, NC, co-lead Moore & Van Allen's privacy and data security practice. Taylor, who also leads the commercial & technology transactions team, handles outsourcing, corporate, technology and supply-chain matters. He can be reached at [email protected]. McGinnis, also a member of the law firm's litigation and labor and employment teams, has handled a wide range of litigation, employment, privacy and data security matters. She can be reached at [email protected].