September 9, 2015

Cybersecurity Alert: Businesses Victimized by a Cyber Attack May Have to Answer to Federal Regulators

by Douglas Brent, Attorney at Stoll Keenon Ogden PLLC

Recently we wrote about the legal risks in overpromising your ability to protect electronic data you obtain from your customers. As one major (you’re probably a member) social networking site learned, promising “industry standard” cybersecurity can be a huge mistake if the standard evolves after you make the initial promise, yet you fail to evolve with it. If a court accepts the premise that your customers chose to deal with you because you said you would protect them from computer-based fraud, you could wind up in trouble when the promised protection fails.

That risk of failing to deliver was underscored August 24 when a federal appeals court in Philadelphia upheld the Federal Trade Commission’s authority to pursue regulatory enforcement actions against the victim of a major cyber-attack.

Say Again?

Hospitality company Wyndham Worldwide franchises and manages hotels under several well-known brand names. Each branded hotel uses computerized property management systems configured to Wyndham’s specifications. The systems include a variety of information about guests, including payment card information.

Over about a year, hackers connected to Russia broke into several of these systems, stole information for more than 500,000 accounts, and caused more than $10 million in fraudulent charges.

The Federal Trade Commission sued Wyndham, claiming its online privacy policy promising to “safeguard our customers’ personally identifiable information” using “industry standard practices” was deceptive. Contrary to this policy, Wyndham did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.

A lower court refused to dismiss the case. The question before the Court of Appeals panel was whether the FTC has authority to regulate cybersecurity under a section of federal law that prohibits “unfair” acts or practices affecting commerce. The panel answered with a resounding “yes.” In addition, the judges rejected Wyndham’s claim that the FTC complaint failed to “spell out what specific cybersecurity practices . . . actually triggered the alleged violation.” The opinion outlines several cybersecurity failures the FTC had cited in its complaint, noting these were issues the agency had brought up in earlier complaints against another business.

Enforcement Activity Likely to Increase

Since 2005 the FTC has brought administrative enforcement actions against companies with allegedly defective cybersecurity that failed to protect consumer data against hackers. It’s critical to note that these actions relate more to promises about security than defects in security. Thus, it is a mistake to assume that the federal government has its hands full with security failures in its own systems and won’t pursue regulatory enforcement actions against businesses victimized by the same hackers that also attack the government. Also, while the Wyndham court was not ruling on the merits of the FTC’s complaint, its nod to the FTC’s description of unreasonable cybersecurity practices is important. Without comprehensive federal cybersecurity standards, a company’s legal responsibilities will continue to be forged by judge-made common law. (We’ve discussed this before in connection with security guidance principles published by federal banking regulators.)

The main thing to remember is the Wyndham decision is likely to influence not only lower federal courts, but also the FTC’s own appetite for pursuing businesses that claim broad privacy policies but fail to back them with robust security.

Check Your Protection Plan

Whatever your business, if you handle personally identifiable information, credit cards or any other form of electronic payments, especially for consumers, it is critical to review your cybersecurity and privacy policies in light of your actual business practices. A member of SKO’s Privacy and Information Security practice can advise in this effort.

Cyber intrusions may seem inevitable, but with proper legal planning the fallout does not have to include being hauled before the FTC.