Way back in 2004, we noted that the FTC went after Tower Records for getting hacked
and leaking customer records. At the time, we wondered if this was appropriate. Companies get hacked all the time
, even those with good security practices. So, at what point can it be determined if the company is being negligent, or if it's just that those looking to crack their systems are just that good
. Well, the FTC had decided that it can
draw the line, and for companies that do a particularly egregious job in not protecting user data, it's made it clear that it's going to go after them. A few years back, the FTC went after Wyndham Hotels for failing to secure user data, and Wyndham tried to argue that the FTC had no authority to do so. Last year, a district court sided with the FTC
and now the Third Circuit appeals court has upheld that ruling
, giving the FTC much more power to crack down on companies who fail to protect user data from leaking.
The ruling doesn't fully answer the question of where can the FTC draw that line, but it certainly suggests that if your security is laughably bad
then, absolutely, the FTC can go after you. And, yes, Wyndham's security was laughably bad. From the court ruling:
The company allowed Wyndham-branded hotels to store payment card information in clear readable text.
Wyndham allowed the use of easily guessed passwords to access the property management systems. For example, to gain “remote access to at least one hotel’s system,” which was developed by Micros Systems, Inc., the user ID and password were both “micros.”...
Wyndham failed to use “readily available security measures”—such as firewalls—to “limit access between [the] hotels’ property management systems, . . . corporate network, and the Internet.” ...
Wyndham allowed hotel property management systems to connect to its network without taking appropriate cybersecurity precautions. It did not ensure that the hotels implemented “adequate information security policies and procedures.” ... Also, it knowingly allowed at least one hotel to connect to the Wyndham network with an out-of-date operating system that had not received a security update in over three years. It allowed hotel servers to connect to Wyndham’s network even though “default user IDs and passwords were enabled . . . , which were easily available to hackers through simple Internet searches.” ... And, because it failed to maintain an “adequate inventory [of] computers connected to [Wyndham’s] network [to] manage the devices,” it was unable to identify the source of at least one of the cybersecurity attacks.
Wyndham failed to “adequately restrict” the access of third-party vendors to its network and the servers of Wyndham-branded hotels. ... For example, it did not “restrict connections to specified IP addresses or grant temporary, limited access, as necessary.”
It failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations.”
It did not follow “proper incident response procedures.” ... The hackers used similar methods in each attack, and yet Wyndham failed to monitor its network for malware used in the previous intrusions.
So, yeah. This wasn't a situation where determined malicious hackers had to carefully dismantle a security apparatus. There was no security apparatus, basically. The ruling also mentions that the Wyndham website claimed
to encrypt credit card data and use firewalls and other things -- none of which it actually did. Oops. And, of course, hackers broke in multiple times and Wyndham did basically nothing.
As noted, on three occasions in 2008 and 2009 hackers accessed Wyndham’s network and the property management systems of Wyndham-branded hotels. In April 2008, hackers first broke into the local network of a hotel in Phoenix, Arizona, which was connected to Wyndham’s network and the Internet. They then used the brute-force method—repeatedly guessing users’ login IDs and passwords—to access an administrator account on Wyndham’s network. This enabled them to obtain consumer data on computers throughout the network. In total, the hackers obtained unencrypted information for over 500,000 accounts, which they sent to a domain in Russia.
In March 2009, hackers attacked again, this time by accessing Wyndham’s network through an administrative account. The FTC claims that Wyndham was unaware of the attack for two months until consumers filed complaints about fraudulent charges. Wyndham then discovered “memory-scraping malware” used in the previous attack on more than thirty hotels’ computer systems.... The FTC asserts that, due to Wyndham’s “failure to monitor [the network] for the malware used in the previous attack, hackers had unauthorized access to [its] network for approximately two months.” ... In this second attack, the hackers obtained unencrypted payment card information for approximately 50,000 consumers from the property management systems of 39 hotels.
Hackers in late 2009 breached Wyndham’s cybersecurity a third time by accessing an administrator account on one of its networks. Because Wyndham “had still not adequately limited access between . . . the Wyndham-branded hotels’ property management systems, [Wyndham’s network], and the Internet,” the hackers had access to the property management servers of multiple hotels.... Wyndham only learned of the intrusion in January 2010 when a credit card company received complaints from cardholders. In this third attack, hackers obtained payment card information for approximately 69,000 customers from the property management systems of 28 hotels.
The FTC alleges that, in total, the hackers obtained payment card information from over 619,000 consumers, which (as noted) resulted in at least $10.6 million in fraud loss. It further states that consumers suffered financial injury through “unreimbursed fraudulent charges, increased costs, and lost access to funds or credit,” ..., and that they “expended time and money resolving fraudulent charges and mitigating subsequent harm.”
And yet, still, Wyndham insisted that the FTC had no mandate to go after them for this rather egregious behavior. The appeals court agrees with the lower court in saying "of course the FTC can go after such behavior." The main question: Is this an "unfair" practice by Wyndham? The company argued that it's not unfair because it's the victim here. The court doesn't buy it.
Wyndham asserts that a business “does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.”... It offers no reasoning or authority for this principle, and we can think of none ourselves.
Also: it's generally not a good thing when a court refers to your legal argument as "a reductio ad aburdum" (i.e., taking something to such an extreme as to be ridiculous).
Finally, Wyndham posits a reductio ad absurdum, arguing that if the FTC’s unfairness authority extends to Wyndham’s conduct, then the FTC also has the authority to “regulate the locks on hotel room doors, . . . to require every store in the land to post an armed guard at the door,” ... and to sue supermarkets that are “sloppy about sweeping up banana peels,” ... The argument is alarmist to say the least. And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under § 45(a).
Going for a due process move, Wyndham tries to argue that there was not "fair notice" of what kinds of security practices the FTC required. I'm actually marginally sympathetic to this argument. If this is ever amorphous, then that is really challenging for companies who just don't know if their security practices meet the vague non-public standard of "okay" for the FTC. But, if you're running a company -- especially one as large as Wyndham Hotels -- it's not unreasonable to suggest that your tech staff at least understand some basic fundamentals about security, like not using default passwords, encrypting credit card data, and using firewalls. This isn't advanced computer security here. This is pretty basic stuff. Furthermore, the court basically says Wyndham doesn't need specific rules from the FTC, but rather just should know that the law about "unfair" practices exists.
Wyndham is entitled to a relatively low level of statutory notice for several reasons. Subsection 45(a) does not implicate any constitutional rights here.... It is a civil rather than criminal statute.... And statutes regulating economic activity receive a “less strict” test because their “subject matter is often more narrow, and because businesses, which face economic demands to plan behavior carefully, can be expected to consult relevant legislation in advance of action.”
In this context, the relevant legal rule is not “so vague as to be ‘no rule or standard at all.’”... Subsection 45(n) asks whether “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” While far from precise, this standard informs parties that the relevant inquiry here is a cost-benefit analysis,... that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity. We acknowledge there will be borderline cases where it is unclear if a particular company’s conduct falls below the requisite legal threshold. But under a due process analysis a company is not entitled to such precision as would eliminate all close calls.
And, the court notes, Wyndham's behavior here is so egregious that no reasonable person could find it surprising that the FTC went after the company for its [lack of] security practices.
As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files, and did not require some users to change their default or factory-setting passwords at all.
Which leads to the kicker in the following sentence:
Wyndham did not respond to this argument in its reply brief.
The court also notes that maybe Wyndham's response would be more reasonable if the company had only been hacked once. But three times is a bit much:
Wyndham’s as-applied challenge is even weaker given it was hacked not one or two, but three, times. At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis.... [C]ertainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis.
And thus, while I'm still a little nervous about going after companies who get hacked, it seems in this case, where there appears to be overwhelming evidence of near total gross negligence on the part of Wyndham to secure user data, it does seem reasonable for the FTC to be able to proceed, and now both a district and appeals court agree.