Are You Ready for the Next Data Breach? The FTC, Privacy Policies, and Data Protection
If your business collects customer data, do you have proper security measures in place to protect it? Since 2005, the Federal Trade Commission (FTC) has brought enforcement actions against companies with deficient cybersecurity. As serious data breaches have multiplied, the FTC has stepped up its consumer-protection enforcement in this area.
A recent ruling by the U.S. Court of Appeals for the Third Circuit, FTC v. Wyndham (August 2015), confirms the FTC’s authority to take action against companies whose cybersecurity practices are unfair or deceptive. It is more critical than ever that businesses implement measures that adequately protect customer data, prepare response plans in case that data is compromised, and ensure that their privacy policies accurately describe the level of protection they actually provide.
The Wyndham Decision
Wyndham Worldwide is a hospitality company that franchises and manages hotels. In June 2012, the FTC sued Wyndham, alleging that it failed to maintain “reasonable and appropriate” data security measures. Wyndham’s privacy policy contained a very common clause: it stated that Wyndham safeguarded customer data using “industry standard practice.” The FTC alleged that Wyndham fell short of that standard by:
- Allowing hotels to store payment card information in an unencrypted format;
- Using “easily guessed passwords” for its property management systems;
- Failing to use firewalls or other “readily available security measures”;
- Allowing connections to its network without taking “appropriate cybersecurity precautions”;
- Failing to “adequately restrict” access to its network;
- Failing to employ “reasonable measures to detect and prevent unauthorized access”; and
- Failing to follow “proper incident response procedures.”
According to the FTC, these deficiencies allowed hackers to break into Wyndham’s computer systems on three occasions in 2008 and 2009. The intruders obtained more than 619,000 payment card account numbers, and the resulting fraudulent charges cost Wyndham’s customers over $10.6 million. The FTC’s complaint alleged that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive.
Wyndham moved to dismiss, arguing that the FTC has no authority to police data security under the unfairness prong of Section 5 of the FTC Act and that, in any event, it had no fair notice of what Section 5 required. In a unanimous decision, the Third Circuit rejected both arguments. Taking the FTC’s allegations as true at the motion-to-dismiss stage, the court held that a company’s failure to maintain reasonable data security can be an unfair practice under Section 5, and that Wyndham had fair notice that its conduct could fall within that prohibition. The court noted that a company that tells customers it uses “industry standard” security and then fails to deliver it is exactly the kind of conduct the FTC is charged with stopping. Note that only the unfairness claim was before the appellate court; the separate deception claim based on the privacy policy remained pending in the district court.
What Should Businesses Do?
Businesses should carefully compare their privacy policies and terms of use against their actual cybersecurity policies and procedures, to determine whether practice meets or exceeds what is promised to customers. Many privacy policies use boilerplate language similar to Wyndham’s, such as: “We follow generally accepted industry standards to protect the personally identifiable information submitted to us.”
If your privacy policy includes similar language, you must actually follow industry-standard practices, and you should keep records (written policies, system configurations, access logs, and assessment or audit reports) that evidence your compliance. A promise of “industry standard” security that the business cannot document is a liability, not a protection.
In addition to keeping the promises made in its policies, a business must maintain “reasonable and appropriate” data security measures. The Third Circuit held that the FTC need not define in advance, through formal rulemaking, what “reasonable and appropriate” means; its complaints, consent decrees, and published guidance can provide adequate notice of what the law requires. Furthermore, the FTC can challenge practices that are likely to cause substantial consumer injury even where no breach or injury has yet occurred. Businesses should therefore periodically review the complaints the FTC files and the consent decrees it enters to learn what the agency treats as required, and implement new measures accordingly.
Taking into account what the FTC considers proper measures, businesses should investigate potential cybersecurity gaps and work with technology staff to confirm that their practices close those gaps. Based on the deficiencies alleged in Wyndham, businesses should at least:
- Deploy firewalls at critical network points, such as between individual property systems, the corporate network, and the internet;
- Encrypt stored customer data, particularly payment card information, rather than keeping it in clear text;
- Restrict network access to known IP addresses and block connections from everything else;
- Change default or factory-set passwords, and do not use easily guessed passwords on property management or other systems;
- Monitor for unauthorized access; and
- Have a breach response plan in place before a breach occurs, not after.
Investigating and implementing proper measures will require attention to detail, a strong IT and security function, and counsel knowledgeable about cybersecurity principles. Beyond an understanding of the legal issues and minimizing liability, a business may benefit from the attorney-client privilege that attaches when such a review is conducted through an experienced attorney.
In 2007, the FTC issued a guidebook, Protecting Personal Information: A Guide for Business, which provides a checklist for creating a “sound data security plan.” The guidebook does not define what is required to comply with the FTC Act, but the Third Circuit pointed to it in Wyndham as one source of notice, and it is a useful resource for understanding what the FTC considers inadequate data security.
If you need help revising your privacy policy to better reflect your actual practices or evaluating your legal exposure, contact an attorney.