The Federal Trade Commission - Enforcing the Next Generation of Cybersecurity

Greg Edwards

The Federal Trade Commission (FTC) has made groundbreaking progress in the war on cybercrime, which means the distinction between the real and digital realm is now so fuzzy that the same law can be applied to both. The FTC has been able to enforce an authority within its act that allows it to specifically target a company that does not protect its customers’ digital information properly.

The specific clause within the act is:

…an unfair act under Section 5 are those that "cause or [are] likely to cause substantial injury to consumers which [are] reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."

The FTC has brought this clause down hard on the global hotel company Wyndham Worldwide Corporation, which cost its clients over $10 million in fraudulent credit card charges by not protecting their data, including payment card details. Wyndham owns several hotel chains including Super 8, Howard Johnson's and Days Inn. The FTC successfully sued Wyndham using this clause, and attempts by Wyndham to overturn the ruling have been unsuccessful. The FTC’s argument was that Wyndham failed to maintain standards that would have protected the privacy and security of its customers’ data. The list of misdemeanors by Wyndham that led to the successful claim by the FTC is lengthy and includes storing credit card details in clear text, not addressing known security vulnerabilities on servers, and failing to maintain security measures to monitor unauthorized computer access.

Wyndham’s challenge to the ruling was that the FTC has effectively overridden current security legislation, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA). Wyndham said that the FTC should be publishing rules and regulations to allow companies to follow the directive. However, the court dismissed this premise.

What Does This Mean for U.S. Companies in General?

Like it or not, the planets are aligning around the enforcement of cybersecurity protection, especially around consumer data. The United States Federal Government has this year initiated a bill named the Cyber Security Information Sharing Act (CISPA) in recognition of the avalanche of security incidents happening across the USA and worldwide. The FTC win against Wyndham shows the appetite for legal redress of lax security attitudes towards consumer data.

Until now, the protection of user data has been handled through a suite of security legislation, such as HIPAA and PCI-DSS, as well as state-level security laws, of which there are currently 47. This has created a mosaic of regulations, often confusing and many times poorly adhered to. Recent breaches of Personally Identifying Information (PII) such as the Anthem breach, which lost 80 million customer accounts to cybercriminals, show this scattergun approach to data security is not working. In fact, it seems that Anthem was HIPAA compliant, but the FTC has now decided to prosecute Anthem using the same arguments as the Wyndham case.

The realization that compliance does not equate to security is dawning on us all in the wake of mass cyber-attacks and the change from closed commercial networks to more open and cloud-based working patterns.

The problem comes down to the fact that the cyber security landscape is a moving target. The changes we have seen in the last few years have shown us that the attacks are getting more and more complex. Our firewalls and anti-virus products, mandated by security legislation, just can’t control the tidal wave of cybercrime.

Authorities like the FTC will work to make sure we go beyond the requirements of legislation to create truly comprehensive and effective security policies, and implement security frameworks that actually work. We have to up our game to handle these changing threats, no matter what size business we run. In the wake of the FTC’s win against Wyndham Worldwide Corporation, it is not only our customers that feel pain when we experience a cyber-attack, but also our company, through loss of reputation and, financially, through fines.

The court document outlining the Federal Trade Commission vs. Wyndham Worldwide Corporation can be found here: http://www2.ca3.uscourts.gov/opinarch/143514p.pdf
