The hard-fought cybersecurity case Federal Trade Commission v. Wyndham Worldwide Corp. has been resolved. For the next 20 years, Wyndham, a holding company for Wyndham hotels and other lodging brands, has agreed to perform annual security audits that conform to the Payment Card Industry Data Security Standard, certify the networks of its franchisees, engage an auditor to perform a formal risk assessment process that will analyze the security risks that the company faces, and notify the FTC in the event of a breach of more than 10,000 credit card numbers.
By way of background, during 2008 and 2009 hackers compromised the hotel chain’s security system and through that breach over $10 million in fraudulent charges were levied against customers whose credit card information had been disclosed to the hotel. The FTC commenced an administrative action against the chain, alleging that the company failed to adequately protect consumer data under the section of the U.S. code that prohibits “unfair or deceptive acts or practices in or affecting commerce.” This code has been used by the FTC for a number of years to enforce cybersecurity actions.
Wyndham hotels fought hard against the FTC jurisdiction and argued that Wyndham being hacked was not in and of itself an “unfair” act conferring jurisdiction to the FTC and that the commission failed to give it fair notice about the cybersecurity standard to which the FTC was holding the company.
The second argument, at least to us, is more interesting. In the tortured procedural history related to this case, the FTC appears to have worked hard to avoid being pigeonholed into setting forth a brightline standard that companies must meet to show that their cybersecurity practices are reasonable. The reasons for this are many, as most experts believe that one’s cybersecurity should be aligned to the nature of the organization and the type of data it maintains. Thus, a standard can’t really be defined in the abstract. This makes objective sense, but it provides limited guidance where, as here, it is the same agency determining the standard that is enforcing it on a case-by-case basis.
The problem Wyndham faced, as recounted in the decisions from the two courts, was that its efforts toward cybersecurity appeared anemic at best. Thus, even if one believed that their argument had merit, it looked contrived when they did not even meet their own internal privacy standards as represented to their customers on their website. The Third Circuit, however, found that Wyndham was not entitled to know with certainty the FTC’s interpretation of what cybersecurity practices are required under Section 45(a). Instead, all it needed was fair notice to know that its cybersecurity practices could fall within the meaning of the statute—however it is construed by the FTC. In other words, was Wyndham on notice that the FTC saw cybersecurity practices as something it could govern under section 5 of the FTC Act (15 U.S.C. § 45)? The court found it was.
Unfortunately, we are still without a clear cybersecurity standard that organizations can rely upon to show that their cybersecurity efforts are reasonable. HIPAA and the HITECH Act are standards, but they don’t really set out any practices or specifics and mostly focus on the end user rather than sys-tem design issues. The National Institute of Standards and Technology has published a rich and detailed cybersecurity framework to evaluate cybersecurity risk and response, but it is more of a process or practice than it is a standard. There is a very large and confusing gap that is fraught with horrible consequences for the unwary. Thus, there is a real need for lawmakers to develop a meaningful risk-driven standard to plug this gap and allow keepers of sensitive data to safely navigate these dangerous waters.
Alan Winchester is a partner with Harris Beach PLLC and leader of its Cybersecurity Protection and Response team. Dawn Russell is manager of information security for Harris Beach and an ISACA certified information security auditor.
2/12/2016 (c) 2016 Rochester Business Journal. To obtain permission to reprint this article, call 585-546-8303 or email firstname.lastname@example.org.