Federal Trade Commission v Wyndham; the FTC has a significant win in the US Court of Appeals regarding privacy regulation

August 27, 2015

When, or even if, the Privacy Commissioner exercises his powers under the Privacy Act in relation to poor privacy policies and standards, he could do worse than consider some of the US Federal Trade Commission (the “FTC”) litigation as well as ACCC cases. That would require the Privacy Commissioner to do that which he has steadfastly refused or failed to do to date.

The FTC has had a very significant win in the US Court of Appeals for the Third Circuit in Federal Trade Commission v Wyndham Worldwide Corporation & ors. The Court of Appeals has affirmed the FTC’s jurisdiction to regulate and enforce data security. The FTC alleges that Wyndham failed to reasonably protect consumers’ personal information. The basis of the claim is section 5 of the Federal Trade Commission Act, which prohibits unfair acts or practices.

The FTC listed the deficiencies in Wyndham’s privacy and security structure as being:

1. The company allowed Wyndham-branded hotels to store payment card information in clear readable text.
2. Wyndham allowed the use of easily guessed passwords to access the property management systems. For example, to gain “remote access to at least one hotel’s system,” which was developed by Micros Systems, Inc., the user ID and password were both “micros.”
3. Wyndham failed to use “readily available security measures” — such as firewalls — to “limit access between [the] hotels’ property management systems,… corporate network, and the Internet.”
4. Wyndham allowed hotel property management systems to connect to its network without taking appropriate cybersecurity precautions. It did not ensure that the hotels implemented “adequate information security policies and procedures.” Also, it knowingly allowed at least one hotel to connect to the Wyndham network with an out-of-date operating system that had not received a security update in over three years. It allowed hotel servers to connect to Wyndham’s network even though “default user IDs and passwords were enabled . . ., which were easily available to hackers through simple Internet searches.” And, because it failed to maintain an “adequate[] inventory [of] computers connected to [Wyndham’s] network [to] manage the devices,” it was unable to identify the source of at least one of the cybersecurity attacks.
5. Wyndham failed to “adequately restrict” the access of third-party vendors to its network and the servers of Wyndham-branded hotels… For example, it did not “restrict[] connections to specified IP addresses or grant temporary, limited access, as necessary.”
6. Wyndham failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations.”
7. It did not follow “proper incident response procedures.” The hackers used similar methods in each attack, and yet Wyndham failed to monitor its network for malware used in the previous intrusions.

These problems are depressingly familiar.

The Court of Appeals also made clear that the claim does not have to be based on actual injury suffered, but rather on likely injury. That can be a significant matter in privacy regulation. The Court of Appeals stated:

Although unfairness claims “usually involve actual and completed harms,” Int’l Harvester, 104 F.T.C. at 1061, “they may also be brought on the basis of likely rather than actual injury,” id. at 1061 n.45. And the FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs. 15 U.S.C. § 45(n) (“[An unfair act or practice] causes or is likely to cause substantial injury” (emphasis added)). More importantly, that a company’s conduct was not the most proximate cause of an injury generally does not immunize liability from foreseeable harms. See Restatement (Second) of Torts § 449 (1965) (“If the likelihood that a third person may act in a particular manner is the hazard or one of the hazards which makes the actor negligent, such an act[,] whether innocent, negligent, intentionally tortious, or criminal[,] does not prevent the actor from being liable for harm caused thereby.”); Westfarm Assocs. v. Wash. Suburban Sanitary Comm’n, 66 F.3d 669, 688 (4th Cir. 1995) (“Proximate cause may be found even where the conduct of the third party is . . . criminal, so long as the conduct was facilitated by the first party and reasonably foreseeable, and some ultimate harm was reasonably foreseeable.”). For good reason, Wyndham does not argue that the cybersecurity intrusions were unforeseeable. That would be particularly implausible as to the second and third [hacking] attacks [that Wyndham experienced].

The detailed analysis in the decision is not directly applicable to the Australian context. There is a longstanding body of law involving civil penalty proceedings in the Federal Court. That said, the Corporations or Consumer law decisions are not directly applicable to privacy and data protection claims. There would need to be a different formulation of such claims. In that respect the manner in which the claim is framed in these US cases may be of use.

The FTC media release provides:

Federal Trade Commission Chairwoman Edith Ramirez issued the following statement in response to a ruling today by the U.S. Court of Appeals for the Third Circuit, regarding the FTC’s case against Wyndham Hotels and Resorts for allegedly failing to reasonably protect consumers’ personal information:

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

Today’s decision affirms a federal district court ruling, which upheld the FTC’s authority to bring data security cases under the provision of Section 5 of the FTC Act that outlaws unfair acts or practices in or affecting commerce.
