WEBINAR: Is the FTC Coming After Your Company Next? Court Confirms that the FTC Has Authority to Punish Companies for Poor Cyber Security Practices


April 29, 2014 2:00 pm


Online

IT privacy and security attorney Tatiana Melnik dives into the implications for businesses storing personal customer information as FTC enforcement becomes increasingly stringent.

Title: Is the FTC Coming After Your Company Next? Court Confirms that the FTC Has Authority to Punish Companies for Poor Cyber Security Practices

Description: Businesses that collect or use consumer information - including social security or credit card numbers, protected health information, and other sensitive data - are responsible for implementing cyber security measures to safeguard it and live up to the promises made. Those who fail to protect personal information are subject to actions from both state and federal authorities as well as lawsuits from individuals. Most recently, the FTC, with its broad authority to pursue action against any business engaging in interstate commerce, is stepping up its investigation and enforcement activities in 2014 across many industries including healthcare, hospitality, and mobile applications. What does this enforcement environment mean for businesses that are increasingly handling personal digital information in terms of liabilities and information assurance strategies?



Mike Klein: Welcome to Online Tech’s Tuesdays at Two webinar series. I’m Mike Klein, co-CEO of Online Tech, and I’ll be hosting the presentation today given by Tatiana Melnik. Let me first set the stage a little bit. For those of us who are out there playing in the security and compliance world, most of us are aware -- many of us are very aware -- of the data privacy rules and enforcement that is going on in different regulated industries that are out there. For example, Health and Human Services has the broad authority over PHI or Protected Health Information within the healthcare marketplace and with healthcare data through the HIPAA and the HITECH Acts. There are significant fines out there for breaches of PHI data by the data holders if that happens.

Sarbanes-Oxley has put a lot of teeth into protecting and securing financial data for publicly traded companies and a broad array of companies that are in the financial industry. Visa and MasterCard, on the other hand, have driven businesses that touch cardholder data to secure their data through the Payment Card Industry Data Security Standard or PCI DSS. They can put significant fines and penalties in place for breaches of cardholder data.

But until the recent ruling by the US District Court in New Jersey, many of us, myself included, really didn’t realize that there was another authority, the FTC or Federal Trade Commission, that could step in and also have some broad authority where they could touch companies that were playing in both the regulated and the non-regulated industries. Apparently, there have been more than 50 cases where the FTC has stepped in and extracted settlements from companies that have had data breach incidents.

Now, the US District Court has affirmed the FTC’s broad authority to take actions against companies who have had lapses in data security. It applies not just to the regulated industries but also to non-regulated industries. In fact, any company that holds personally identifiable information can be the subject of an FTC action if they are not properly securing their data.

So here today to talk with us about the case and the legal implications to the IT community and businesses in general is Tatiana Melnik, who is a principal at Melnik Legal PLLC in Tampa, Florida. Tatiana focuses her practice on IT, data privacy and security, and regulatory compliance. In my experience, it’s always a thrill to be working with Tatiana in areas like this because she brings a really unique capability among lawyers that I’ve worked with in that she has a rare mix of IT and programming background, legal experience, and a practical business perspective that goes beyond the letter of the law into really helping and figuring out what makes business relationships work, especially when we’re working in this kind of tricky area of data privacy and regulatory compliance.

With that, I’d like to introduce Tatiana and turn over the microphone and the presentation to her.


Tatiana Melnik: Thank you very much for that lovely introduction and to Online Tech for hosting this very timely webinar on all of these data privacy and security issues that seem to be heavily in the news since the Target data breach happened late last year. Let’s go ahead and jump right into our session here. I’m trying to … there we go. Great. The session is briefly outlined: Why are we here? Where are we going? Then I’m going to leave time at the end for a few questions. Of course, please feel free to submit your questions as I’m talking. Mike will chime in as appropriate to cross with some questions and then of course, I will leave time at the end to answer additional questions. If I don’t get to your questions or you come up with questions later, feel free to reach out to me directly.

We’re here because of a recent case out of New Jersey. It’s a Federal Court case with the FTC versus Wyndham Worldwide Corporation and a couple of its subsidiaries. Wyndham Worldwide is in the hospitality industry, which is a non-regulated industry as compared to healthcare or the financial services sector. This case is really important because it’s the first court to actually evaluate the FTC’s authority to take action against companies for bad cybersecurity practices. Companies that have lost consumer data or have not secured it in a way … that consumers were expecting their information to be protected.

Who is the Federal Trade Commission? Well, it’s the nation’s leading privacy enforcement agency. I don’t think a lot of people realize the true power of the FTC. They don’t just look at competition. I think most people when they think of the FTC, they think, “Oh, well, they’re the enforcers of the anti-trust laws.” No, that’s not true. They have a dual mission to protect both consumers and to protect competition. In fact, the agency turned 100 years old this year. They’ve been around for quite some time.

On the consumer front, the FTC has a very broad scope of authority. This authority comes from several statutes and several rules that require businesses to protect consumer data. These include, for example, the FTC’s Safeguards Rule which implements the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act, more commonly known as COPPA. If you target kids or provide services to kids in any way, you’re going to have compliance requirements with COPPA.

These rules and statutes require that companies take reasonable measures to protect information. I emphasize reasonable here because we’re going to hear that throughout this presentation and it’s something that you're going to see in your contracts. Usually, it will say something like this company … you agree to take commercially reasonable efforts to do X, Y, and Z. Part of the presentation today is to talk about what it means to take commercially reasonable efforts. What are the actual expectations for that?

Aside from the other statutes, the FTC also has authority under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” This prohibition applies to all companies and all persons that are engaged in interstate commerce. Given the internet, that means that just about every single company is engaged in interstate commerce, even those small mom-and-pop stores that sell stuff on eBay. Guess what, now they’re covered by Section 5 of the FTC Act because they’re engaged in interstate commerce.

Section 5 is really what we’re going to focus on today because that’s what the FTC tends to rely on when it pursues enforcement actions. It gives it the broadest scope of coverage because of these unfair or deceptive acts or practices. You can see that relatively loose language. What does it actually mean to be deceptive? Well, a company acts deceptively if it makes materially misleading statements or omissions. Remember that, materially misleading. They have to make statements or fail to tell people stuff.

A company acts unfairly if its data security practices cause or may cause substantial injury to consumers that the consumers can’t reasonably avoid, and that is not outweighed by any substantial benefits to consumers or to competition. Basically, it has to do with anything that can damage consumers that they can’t protect themselves against. There’s nothing they could reasonably do to heal themselves from the damages that are likely to result from these bad cybersecurity practices.

Looking at this, you’re probably thinking, “Wow! That is really, really broad. That’s pretty scary because it doesn’t tell me anything … it doesn’t really tell me what I’m supposed to do. It just says that if I hurt consumers, now I’m subject to FTC enforcement.” Well, does that mean that anytime you have a breach, you're going to be subject to an enforcement action? The answer to that is no. The FTC has testified before the Senate -- this was actually about a couple of weeks ago, earlier this month I believe -- where they specifically said that the mere fact that a breach occurs does not mean that a company has violated the law. Of course, this doesn’t mean you’re not going to get investigated. It just means that just because something bad happens at your company doesn’t now mean that you're going to be subject to this enforcement action. What they’re going to do, however, is come in and take a look at what your existing processes are. What are you doing to protect consumer information? What could you tell consumers and what should consumers reasonably expect under the circumstances? So really having good documentation and a good understanding of the processes and systems you have in place to protect consumer data is very, very important.

To the case at hand, the Wyndham case: As I mentioned, Wyndham is in the hospitality industry. It operates a number of well-known brands. I won’t name any here, but if you go to their website, you will recognize most of the brands on that list. They’re a large company. And the FTC alleged that their failure to maintain reasonable security practices allowed intruders to break into the system on three separate occasions in less than two years. That’s really what should grab your attention. It’s not just that they had one incident, it’s that they had three separate incidents in such a short time span. So of course, the FTC says, “Hey, this looks really suspicious. It looks like we need to come in and investigate and figure out what’s really going on.”

When they started looking at the matter, the FTC found that Wyndham’s security failures led to fraudulent charges on consumers’ accounts, more than $10.6 million in fraud losses, and the export of information to Russia. For those of you who pay attention to what’s happening in the hacking world and the malware stuff, you’ll know that when there’s a larger data breach, a lot of that information for some reason tends to go to Russia. So strange. All of these security breaches happened at their Phoenix, Arizona, data center. Keep in mind that it wasn’t at any of the individual hotels. It was specifically at the data center.

The problem here involved the property management system. Each Wyndham-branded hotel was required to purchase and configure this system to specifications that were provided by Wyndham. Just to clarify, Wyndham has franchisees throughout the country. All of these companies were required to purchase the property management system and to put it in place based on the specifications that were set out by Wyndham.

The system handled many major functions, including the credit card payment transactions, and also stored a lot of the information like the person’s name, address, email address and all of the credit card details. Basically anything you need to commit credit card fraud, that’s what the system stored. Further, the system was integrated into … was linked into the central reservation system that was also operated by Wyndham and not by the owners of the individual hotels. So Wyndham set the rules of the road and then it collected fees to manage that network.

You’re thinking, “Okay, well that’s great. I don’t really understand what the FTC is saying. Wyndham would’ve had to make somehow deceptive statements to consumers. Where did this happen? How could they have made these statements to consumers if they are not the ones that have this direct face-to-face relationship with consumers?” Well, Wyndham has privacy policies on its website. That’s where this stuff comes from. If you're thinking, “Hey, that privacy policy that I copied from some X, Y, Z company 10 years ago doesn’t really mean anything,” please, please think again because that is exactly what the FTC uses against you when it comes in to investigate. The first thing they do is say, “Hey, what did you tell people? What should they have expected based on your privacy policy?”

Here are a couple of excerpts that the FTC called out specifically in their complaint as being some of the more problematic or the broader statements that give them this authority to pursue this action. First, Wyndham said that they recognized the importance of protecting the privacy of their customers’ information. Second, they told consumers that they safeguard their information using industry standard practices. Again, “industry standard practices” is very broad. They’re not saying what industry. They’re not saying exactly what practices they follow. They do tell people that they make commercially reasonable efforts to make sure that their collection of the information is consistent with all applicable laws and regulations. Finally, they tell consumers that the website uses a number of different security measures to protect information, including encryption, and they take commercially reasonable efforts to create and maintain firewalls and other appropriate safeguards.

Again, they’ve told folks, all of these consumers that are coming to their website, that are using their systems, that they’re engaging in all of these practices to protect their information. When we look at data security broadly, we consider the protection of the information systems, the networks and software and so forth, and the data and the messages that are transmitted by these systems. When you’re looking at whether you have the proper processes in place, you have to look at both your entire IT infrastructure as well as what you’re doing to specifically protect the data. Generally, these practices are divided into three categories: the physical security measures, the technical security measures and, of course, the administrative security measures. For those of you who are familiar with HIPAA, you’ll know that that’s basically how HIPAA categorizes the protection that you’re supposed to put in place: physical security, technical security, and administrative security. That’s the same process and the same system you would use in any sector. You’re looking at protecting consumer information or protecting any information that you store.

You’re probably wondering, “Okay. I’m seeing all of these comments about commercially reasonable effort, but I don’t really know what that means. What am I actually supposed to do? What does it say with respect to these industry sectors? What am I supposed to do with it?” That is a tough question to answer. I wish I had a better answer other than to say it’s hard. That’s because it depends on your industry. For example, banks have set programs they’re supposed to have in place. Healthcare companies have set programs they’re supposed to have in place because they have statutory obligations. Those that are in non-regulated industries, what does that actually mean? Well, you’re going to look more broadly at what the folks who are in your line of business typically do. That’s one. Two, what do companies who handle the kind of data that you handle do? What are reasonable expectations based on the kind of information you handle? And, of course, what does your state law say? What would the consumers expect? Things like that. I think the easiest way to sort of discuss some of the … what it means to be commercially reasonable and what will trigger FTC’s scrutiny, and the scrutiny, I might add, of state attorneys general and other regulators in your state, because it’s not just federal stuff you have to be concerned about. You also need to worry about what your state will do. For example, if you’re in California, California tends to be more active than other states in terms of enforcement. Something you’d want to keep an eye out for.

Now, let’s talk about some other things that the FTC specifically raised as being problematic. You remember in the privacy policy I mentioned that Wyndham told consumers they put in firewalls to protect their information. Well, the FTC says, “Hey, you didn’t actually put firewalls in. You didn’t segregate the different systems that you have in place. You didn’t segregate the property management systems from the corporate network and the internet.” If you don’t do that, that means someone who breaks into one system has that much of an easier chance to traverse to your other network, to your other systems and to get even more data than they would otherwise. They also didn’t put in encryption. This problem, I think, is a little bit deceiving on the part of the FTC because as you may recall, I mentioned that Wyndham had three separate data breaches. In the second data breach, when the hackers got in, they put in malware to translate the payment card data into clear readable text. It wasn’t that Wyndham didn’t prevent the information from being encrypted, it allowed software to be configured inappropriately in a way to not encrypt the information. It’s because they let those hackers in and those hackers basically put in that programming.


Mike: Tatiana, when you were on the issue of encryption, a couple of questions came up. The one question that came up here is “How might encryption-based software be used to prevent cyber attacks like this to nullify the FTC, FCC, Department of Justice as well as regulators on the other side of the Atlantic, where an international firm has global offices?” Is that a good time to talk about that?


Tatiana: Yeah. We can talk about that. How can encryption be used to prevent some of this stuff? I think it’s not just encryption by itself, it’s a whole policy process. For example, if you look at this notion of firewalls and encryption. They should work together. Once you break into the system, if you don’t have data walled off from other points of entry, someone can get in and hack over to your other data points. Then they can install software to possibly circumvent your encryption. Then you have to think about, “Okay, what processes and what technologies can I put in place that … let’s assume someone could do that.” How can I avoid that? Do I do encryption at two points? Do I do encryption at one point? Do I do … maybe I don’t need to do encryption at the server level. Maybe I want to do encryption at the PC level and send that data into the server so that I avoid those issues. On the other hand, what if someone then breaks into that PC? Then the encryption you have in place on the PC doesn’t work. Having these processes work together ... and that’s why when the FTC looks at these issues, they don’t look at just one, because they’ll think it’s very easy to miss one point. It’s really easy. You don’t know how … people are very creative. You can’t plan for everything. If you have all of the processes in place, or at least a good amount where it’s clear that you’ve thought through the issues and the concerns, then there’s significantly less chance that a regulator will pursue action against you. Again, you can’t plan for everything.


Mike: Okay. The other question that comes up is, since you’re talking about credit information getting out, do we know whether Wyndham was PCI compliant or being held accountable by the credit companies to be PCI compliant as well?


Tatiana: As I understand from the Wyndham filings, they were PCI compliant. From their submissions to the court, they have said that they were PCI compliant. They had a third party auditor. Certainly, they’ve come back now and said that since these incidents, they are most certainly PCI compliant. I don’t know. It’s not clear -- because some of the documents aren’t made public in terms of the deposition -- where they stood, at what point there were issues. Clearly, as we’ll discuss a little bit more in the slides, there were definitely issues for them in terms of some of the practices they had in place. It’s not clear, I guess, to what extent they were PCI compliant. As we’ve seen sometimes, companies will have audits come in and they’ll get a certification of PCI compliance, but they’re not necessarily PCI compliant. That’s a concern. Certainly, most of the concerns for Wyndham are whether they have proper contracts in place, because then they can get indemnification for those issues. That’s something to keep in mind.


Mike: Okay.


Tatiana: You also keep …


Mike: I’m sorry. Just one other comment here: because they had clear text on the credit information, like you talked about, there would be some indication that perhaps they had some violations or they weren’t fully PCI compliant, correct?


Tatiana: Absolutely. Absolutely. Keep in mind that when you have the PCI audit, as with any audit, the audit is done at one point in time. What if your situation changes three months later? Now, that audit’s no longer good because your IT circumstances changed, which is why it’s important to have internal audit processes in place, to have ongoing security risk assessments, so that you have systems that have software testing abilities. You can see if particular settings in your systems are being changed. Again, I’ll get to that a little bit later because there were some other issues that were raised by the FTC which highlight some of the issues with respect to encryption and firewalls.


Mike: Terrific. Great. Thank you.


Tatiana: Yeah. The other issue that the FTC raised was policies and procedures of partners. This one I think is probably one of the more important issues here aside from some of the technical stuff. At what point, I guess the question is, are you as a business actor supposed to be responsible for the actions or lack of actions by your business partners? You enter into a contract with someone, you’re trusting them to be a good actor and do everything they’re supposed to do and everything they said they’re supposed to do in your contract. At what point are you going to be held responsible because that other company failed to live up to their expectations? The FTC specifically said that Wyndham failed to ensure that their partners implemented adequate information security policies and procedures prior to connecting to their local network. Now, do I think that this can be applied more broadly to just about every company? Probably not, because it stems from the kinds of relationships that Wyndham had with its franchisees, where they certainly had significantly more control than other companies in other circumstances would have.

At this point, you should be thinking, “Hmm, I probably need to review my contracts to see what they say and what the requirements are.” I will note that this issue of policies and procedures and responsibility for partners recently came up in another FTC action against a medical transcription company. In that case, it was the same thing where there was a breach at the vendor … actually quite different … but there was a breach at the vendor in that case that the FTC said was problematic for the medical transcription company, because the medical transcription company didn’t put any policies and procedures in place, and no requirements in place for those vendors to meet certain security and privacy obligations.

For those of you who have third parties handling and processing, and doing other stuff with consumer data or any kind of data that has to do with PII, really consider whether or not you need to be putting additional provisions into your contracts that specifically address requirements for them to store and handle that data in certain ways. Think about whether you need to put in provisions so they have firewalls, that they have antivirus software and things of that nature.

Wyndham also failed to fix known problems. This is a particular issue I think right now with Windows XP, with support for Windows XP ending, because this was one of the examples that the FTC used when they said that they failed to fix known problems. That was using servers that had outdated operating systems. I think we all know that if you use servers or any kind of technology with outdated operating systems that no longer have support, they’re that much more susceptible to data breaches. Now, there’s malware specifically being written for those operating systems, and there is no program in place to track for that and to check for that. If you’re still working, if your infrastructure contains this kind of stuff, that should be sending a red flag for you because it does send a red flag to all the regulators.

Another issue that they highlighted was using default passwords and not having password rules. When you get your new server and you install your operating system, there’s usually some default password in there which is generally made public. If you search online, you’ll find the default password because it’s the default password. Having password rules in place is also important. You can’t have someone using the same username and password. You need to have something a little bit more complicated, and the example the FTC had in the complaint was that Wyndham, to allow remote access to a hotel’s property management system which was developed by a software developing company named Micro Systems Inc., Wyndham used the phrase “micros” as both the user ID and the password … I’m sorry, the name of the development company was Micros Systems, so they used the first name “micros” as both the user ID and password. Now, I think anybody in the IT world will tell you that it’s a big no-no. Step one, change those usernames and passwords. Not having policies and procedures in place and not having ways to check for that is problematic.

A couple of other issues the FTC highlighted as being problematic is Wyndham did not have an inventory in place of the computers that were connecting to their network and the devices that were connecting to their network. They also didn’t have an intrusion detection system in place. They didn’t have an intrusion response system in place. They did not have processes in place to control who would be accessing the systems and where they were accessing, what portions of the systems they were accessing, so they were not limiting access only to the specific portions. This is important with respect to BYOD. For those of you who allow folks, who allow your employees to bring their own devices and use their own devices for work purposes, you need to have an inventory of those devices. They could be causing problems and you need to know who owns them and where they are. The intrusion detection and intrusion response, you need to have processes in place and have technical capability in place to track what’s going on in your internal network so that you can respond as necessary. If you have one computer infested with malware, it doesn’t … you can remove that computer from your network quickly before it damages the rest of your network. Of course, having controlled access, someone who has access to a payment system does not necessarily need to have access to all the PHI, to all the Protected Health Information. We really have to put processes in place and audit how your staff members are accessing information and what they’re accessing. Whether or not the stuff they’re accessing should really be accessed by them, because it can cause a lot of problems when you have too many people who have access to sensitive systems. We’re going to talk about that briefly as we get into what happened in the actual data breaches.

Wyndham suffered three data breaches. The first one happened in April 2008. It was a brute force attack. It caused multiple user lockouts. I think we all know that when we start seeing all of the lockouts come up that there is definitely something going on in the system and we need to start investigating, because why would all of a sudden half the staff members be locked out and not able to get into their computers? This is where the issue of having an adequate inventory comes in, because Wyndham did not have an adequate inventory. Even though they were able to determine that the account lockouts were coming from two computers on their network, they were not able to physically locate those computers. They didn’t know where they were. As a result, they didn’t find out that their network was compromised until four months later. That is a really, really long time to have some hacker from Russia in your network stealing all your data. That’s quite problematic.

The next attack happened in March 2009. This is where we’re reminded that you have to limit people’s access. This happened because someone gained access to the networks through a service provider’s administrator account in the Phoenix data center. This is again why somebody who is working at the data center level, do they need access to your PHI? Should they have access into that system? No, absolutely not. More problematically here, Wyndham didn’t find out until customers started complaining. They didn’t even know their systems were breached. They searched the network and they found the same malware that was used in attack number one. Think about it. Okay, well, you’ve been attacked. You were breached. Don’t you think that you would have some process in place to now scan your systems, or at least for the malware that was used the first time around, so that if you see it again, you know that there’s something going on, something fishy there?

Then their final attack happened in late 2009, and again, they did not learn of their attacks from their internal processes and controls. They learned about the attack from a credit card issuer, when they got a call saying, “Hey, listen. We are seeing a lot of fraud from credit cards that were used at your facility.” Certainly not the best way to find out that there is an incident.

The FTC filed suit in Federal Court in Arizona in June 2012, in Arizona because that’s where the data center is. The case was remanded to New Jersey, which is where Wyndham is headquartered. Then this decision was released by the New Jersey Court earlier this month and the judge denied Wyndham’s motion to dismiss the case.

Now, Wyndham made three primary arguments in saying that their case should be dismissed. I won’t go into too much detail with all of these. I’ll just mention them briefly. First, Wyndham argued that the FTC does not have authority to assert an unfairness claim in the data security context. Again, remember that the FTC asserted its authority under this very broad Section 5 power. Their argument was, “Wait a second. There’s nothing in there that says that this authority is supposed to extend to things that have to do with data security. That’s completely ridiculous. How would anybody ever know that that kind of information, that kind of action would extend to use data security?” The Federal Trade Commission Act was passed … oh, gosh, many, many years ago. I don’t know the exact year, but about 50 or so years ago, I mean it’s quite an old statute. Now, at that point, it was passed before computers were even in existence. So to say that this authority should extend to data security practices and procedures when data security didn’t even exist when it was passed would be crazy. That was one argument.

The second argument was that the FTC, in order to exert this authority, has to formally promulgate regulations before bringing these kinds of claims. Again, how are companies supposed to know what they’re supposed to comply with if they don’t have any rules of the road setting out for them exactly what they’re supposed to do? Again, very good argument because truly how are you supposed to know your obligations if there’s no regulators telling you what to do? Remember, in their own policies and procedures, they say: we’re going to use commercially reasonable efforts. Well, commercially reasonable effort doesn’t mean that you have to have a regulator to tell you what to do. Generally, that means what do other companies in your same circumstances do? What would they tend to do? Or what do the industry practice today? For example, a common industry guidance is the NIST standard. Those are the things that companies are expected to comply with. When they say they’re going to use industry standards practices, well if there was no industry standard practice, how would they know what it is? We have plenty of … some would say more than enough industry standard guidance about how to protect consumer data and how to protect the PII.

Their last argument was that FTC’s allegations are pleaded insufficiently. I won’t get into that. I think that’s only interesting to lawyers.

Recall again that Wyndham is not in a regulated industry. They’re not in healthcare and they’re not in the financial market. For them, this may have been a little bit of a shock to say, “Hey, you’re not in these regulated industries, but you still have these minimal expectations of what you’re supposed to do with consumer data.” On the other hand, keep in mind that the Section 5 power is very broad. It may be applicable to these other industries and the FTC has the impact. It is applicable to these other industries. I’m going to talk briefly about that in just a couple of minutes.

The FTC won on all three grounds. The FTC has been engaging in these compliance efforts for many, many years. For someone to come out and say, “Well, the FTC doesn’t have this authority.” I guess it’s certainly one argument to make because, again, this is the first case where you have a Federal Court actually speaking on whether or not the FTC does have this broad authority to police, so to speak, the privacy and procedure practices of companies. The FTC has testified on this issue on numerous occasions before Congress and there’s been no action from Congress to suggest that the FTC doesn’t have authority. So the court came back and said, “Look, that’s one thing you can certainly argue that but we’re not buying your argument.” The case continues.

You may be wondering, “This case has been going on for a really long time.” This incident first happened in 2008. The case was brought in 2012. That means there were at least investigations or probably at least I’d say about a year for the FTC to come in and investigate. Wouldn’t this money be better spent by Wyndham simply improving their privacy practices and improving their systems? Why is Wyndham fighting so hard? Well, it’s fighting hard because, one, it’s not in a regulated space. No one told the company the rules of the road and that they could be held to all of these higher standards of compliance. They’re also concerned because … I should preface these comments that I don’t know why Wyndham is fighting so hard. I am guessing based on my experience of what companies would generally view and why they would make these arguments. I have no personal knowledge of why Wyndham decided to pursue this action. Although, on the other side, I’m glad they did because now we have some authority on FTC’s power in this case. Back to this, Wyndham is also arguing and concerned that they’re being held responsible for lapses in security at their business partners. One of the portions of the privacy policy that the FTC did not quote in their complaint was the part of the policy that specifically told consumers that the policy applies only to the records and responsibilities of Wyndham and not to that of any of their franchisees. Now, to what extent that’s really applicable here, I don’t know because as I mentioned, Wyndham had control of the systems and part of its responsibility was to manage those IT systems. I’m not sure to what extent that would cover them but it’s certainly something that’s a concern when you have a company that now was found to be held responsible for all the acts and omissions of their business partners.
This should be nothing new to those in the healthcare space because those who are covered entities and these business associates or subcontractors are familiar with this type of framework where covered entities in the end are basically responsible for everything that’s done on their behalf.

The other issue is that when the FTC settles, they don’t generally extract a monetary penalty. You don’t usually have to pay them money when they settle with you. Generally, though, what you have is a 20-year compliance period. Think about how long 20 years is. It’s a really long time. Toys R Us, who was subject to an antitrust action many years ago where they were accused of monopolizing the market, recently filed with the FTC for permission to be relieved of some of its obligations because it was no longer monopolizing the market. Think about how much the market has changed in that respect in such a short time frame. 20 years in terms of business practices and how your policies and procedures are stymied because of this compliance requirement could be quite problematic for many companies in terms of if they want to be competitive in the market. It certainly can be a hindrance.

Where are we going here? You should expect more enforcement actions. You should expect enforcement certainly to continue both from the FTC as well as several other regulators. The FTC has become increasingly interested in the cybersecurity practices and IT security practices of the companies that it regulates. The state attorneys general continue to be interested. As more and more data breaches happen and they are in the news, these issues will simply continue to get that much more attention.

It’s also time to review your existing process. If you take a look at your practices, would you say that they are commercially reasonable based on what you know your competitors are doing or based on what you know the expectations should be given the changes in PCI and HIPAA, and NIST? It’s really important for you to actually evaluate not only what your policies say but what your practices are. You have to look at all three of those elements: the administrative, the technical, and the physical. It shouldn’t be just, “Well, we have the software installed that’s going to cover everything.” No, very rarely can software protect you from everything. That just doesn’t happen.

The other thing you want to look at is what are your requirements for vendors? Do you need to have requirements for the vendors that give you business that handles PII? In some cases, depending on what they’re doing and who your vendors are, you may need to have additional requirements for them. Maybe it’ll vary based on the type of vendor you have. Maybe if you have a smaller company, you need to have some additional support services in place for them that can help them figure out the kinds of processes they need to have in place to comply with these requirements.

Finally, also take a look at what your contracts say. When was the last time that you actually reviewed that privacy policy that you copied from somebody else’s website 10 years ago? Was it 10 years ago? If it was, it’s definitely time to review, especially if you have customers in California. If you’re in California yourself or you serve customers in California, it’s time to review that policy and Massachusetts, actually.

Also take a look at what your indemnification provisions say. Do you have caps on damages? Do you need to have caps on damages? My view is you should always cap damages. No matter what the damages are, because you don’t want to have one contract put you out of business. That’s something you want to certainly assess internally. Also of course, take a look at do you need to have additional insurance? Are the insurance provisions you currently have in place, particularly with your data breach insurance, do you have enough coverage to really pay for the kind of things that will come up if there is a data breach? The last numbers I looked at said to remedy a data breach is about $200 a record. If you’re storing thousands and thousands of records, that’s going to add up pretty quickly. You want to make sure you take a look at those policies.

There are a couple of other FTC settlements that you’ll want to review. In the matter of HTC America, particularly if you develop software, because that was the issue in HTC. Some of the things that the FTC called out in the HTC case was that HTC failed to implement adequate programs that assess the security of products it shipped to consumers. Again, we see that whole “you’re not testing things that you're providing to customers” as being problematic. They also failed to implement adequate privacy and security guidance or train its engineering staff. Again, we see this issue of you need to train your employees and you need to train your workforce members. If you have people on staff that are developing the software, usually it’s been my experience that in companies who do software development, they have their development folks and then they have their security folks. Those folks don’t seem to talk to each other. Security doesn’t really get considered until after the software is designed. That is not a good approach to developing software just because there are a lot of security issues that can be avoided at the beginning if there’s proper planning. Those team members really should be working together to make sure that these risks can be avoided right from the start.

Another issue that the FTC highlighted in the HTC case is that HTC failed to test for potential vulnerabilities. Again, this is if you're developing software or if you’re releasing any product to any of your consumers, any of your customers, you need to make sure that you are actually testing what you’re getting out there, that you're testing certainly for known vulnerabilities. We see this a lot with people who use PHP. They have the injection attack. They have open doors. You need to make sure that those things are closed before you ship out the software.

The other settlement you want to take a look at is in the matter of GMR Transcription Services. That’s the case I mentioned earlier with the medical transcription company. The one thing I want you to know about GMR Transcription is that in that case, the FTC settlement is both with the company and it’s for 20 years and also with the two individual owners, independently. Generally, you won’t see the FTC settle with the owners but in this case, this was the second case I’ve seen in the last six months where the FTC settled both with the company and the individual owner. The individual owners have a 10-year compliance period. Imagine, you individually, you can’t even escape from the FTC by selling the company. That could be a pretty, I think, traumatizing I would say.

The final case I want to talk about is in the matter of LabMD. In this case, there’s an administrative case against LabMD and there’s also a federal case where LabMD has sued the FTC for basically putting the company out of business. If you should fight the FTC, one of the reasons that, as Mike mentioned earlier, there’s been about 50 settlements. One of the reasons that there are settlements and companies tend to settle is because it’s generally less expensive than a full-blown litigation with the FTC. Most of the companies settle, and LabMD is saying that the actions that the FTC took against LabMD basically put the company out of business. I don’t know to what extent that’s legitimate, but certainly it is never an inexpensive process to fight a federal regulator. That’s something to keep in mind when you’re evaluating the cost of compliance, certainly the cost of if you get caught for not being compliant, what’s going to happen to you. That should be taken into consideration.

In the administrative case, one of the primary reasons I mentioned this is because in the administrative case, the judges in that case issued a decision saying that they have the authority to enforce Section 5 against companies who are subject to HIPAA. For those of you who are in the healthcare space, in the financial services space, this is something that really should be keeping your interests because now the FTC is saying there’s basically dual jurisdiction. That’s not uncommon so that happens a lot. I mean the FTC has taken action against companies to other regulators before, so this is not particularly unusual. This is just the first time that’s been made clear that the FTC is definitely going to exert this authority.


Mike: Tatiana, how does that work … so now you’ve got Health and Human Services that is watching on the HIPAA side, they can come after you. You got the PCI -- and we’re talking about a lot of probably PCI not-best-practices that Wyndham was doing. Now you’ve got the FTC consider that and say, “By the way, we’re going to go after you too.”


Tatiana: Yeah. Think about what happens in a data breach. You have a data breach. You’re a healthcare provider, you have a data breach. You’re in a large hospital. You're going to have typically the Office of Civil Rights come investigate. You're going to have the FTC come investigate, depending on what happened, given that we know how the data was released. You’re also going to have the state attorney general come in and investigate. Then you’re going to have your private class action. In the context of Target, for example, they’re being investigated by the FTC. They’re being investigated by a number of state attorneys general. And it has at least a hundred private class actions filed against them. Granted, the scope of their breach is significantly more than what I think most businesses would have. It’s quite problematic that even in the Target case, they’re still finding more records that were breached. Even now, they’re still finding more information that was lost.

This is what I’m saying. It’s generally significantly less expensive to have proper policies and procedures in place and try to address some of these. Now, this is not to say that the FTC is going to come back and say, “Oh, Target, we’re definitely … we need to enter into a settlement with us because you weren’t compliant.” That’s not the case. It doesn’t necessarily mean that they’re going to be found to be in violation of something.


Mike: So it’s hard to say that my exposure is limited to … if I find that healthcare that I’m just limited to the $1 million per record, or whatever the health and human service is saying. My exposure can be much greater than any single regulatory enforcement action could be is what you're saying.


Tatiana: Yes. This is why you want to have … I mean this is part of the reason why you want to have a good contract with your vendors. You want to limit damages in those instances that you can because you have to plan for the instances where you can’t limit damages. Under HIPAA, you have the cap of $1.5 million. The most that the Office of Civil Rights can assign you for is $1.5 million per incident within the same year. You have that cap. The FTC doesn’t generally issue financial penalties. They ask you for a 20-year compliance period. You agree to report to the FTC for 20 years and usually part of that includes a third party audit of your processes and systems every two years. Your exposure in that case is how much does it cost you to have a third party audit and how much does it cost you to continue to report to the FTC every time you have a change in your systems and processes. I mean it’s not to say that your damages are unlimited. The more problematic issue is how much does it cost you to fight litigation. Because in those cases, even though the data breach cases are hard to win, fighting in any of these circumstances is not cheap. This is why having insurance and really thinking about how much coverage you need at the beginning is very important, and making sure you read those policies so you understand where you're going to get coverage and where you’re not. Generally, what happens, the first thing that happens is the insurance companies want to come in and say, “We’re not covering anything because we didn’t know.” You need to make sure that your policy actually, to the extent you can get a data security policy, covers these costs. That’s what you want to do.

The final case I want to mention is Patco Construction, which was a case from a couple of years ago. There was another decision that came out last year in that case. It specifically looked at what it means to pay commercially reasonable efforts in the banking sector. More broadly though, the case is really good at showing how courts look at commercially reasonable efforts. In that case, the bank for example received a red flag that had audit notices that there was fraud being committed, but no one ever looked at those reports. That would not be commercially reasonable. If you’re going to audit, you need to make sure someone’s actually reviewing the audit reports so that you're mitigating any kinds of liabilities. That’s another case and if someone needs that citation, please just reach out to me and let me know. I’ll be happy to provide you that decision. That’s it for me. My disclaimer slide, can’t use anything against me.


Mike: You can’t be a lawyer without a disclaimer slide, right?


Tatiana: Right. No, I can’t.


Mike: Well, there were a couple of questions, Tatiana. Great job on informing us all. One question that came up is you mentioned that Wyndham is a franchisor with a number of franchisees. Could you expand just a little bit on is the FTC really reaching in to the franchisors on what is going on with the franchisees? Is there some line there? Or does it go all the way through to the franchisees and the franchisors, the umbrella that has to take the responsibilities for all of that?


Tatiana: Yeah. That’s a really great question. I think generally, the reason you have separate entities is to mitigate some of the risks and liabilities of these other companies. I think the issue in this case isn’t necessarily the franchise. I know that Wyndham’s argument in their response has had a lot to do with … well these are separate entities. We’re not responsible for these other entities. Our privacy policy doesn’t apply to these other entities. Then you come down to the actual operational nature of what was happening and who had control of the IT system. The FTC has made a clear case that regardless of what the contract says and what the actual legal relationships are, it’s Wyndham that had control of the IT infrastructure. In the end, they’re the ones responsible because they’re the ones that had control. The extent that you can say no, no in these cases, actually these other entities that had control of these systems and we had nothing to do with it, you can certainly bring those parties into the litigation with you. You could seek indemnification for any damages that arise. Notably, Wyndham hasn’t done that. They haven’t brought in their franchisees in this because most of the time, these companies are smaller.

Imagine if McDonald’s got sued and they try to bring in all of these small mom and pop McDonald’s locations that they have. Certainly, these are the larger corporations are in a better position to defend everybody. Then to the extent they need to, they’ll sue for cost and coverage from the franchisees as they feel it necessary. But, no, I think it comes down to … I think that just shows that the FTC is going to look at the actual relationship and not your contract structure.


Mike: Okay. Good. Another question came in, how did the FTC become aware of the Wyndham cyber attacks and did PCI launch investigation?


Tatiana: I don’t know how the FTC became aware of the attacks. I’m assuming that at some point they became public in the news and the FTC found out because they read the newspapers. I mean a lot of their cases and a lot of their enforcement actions stem from what consumers are complaining about. To the extent that there were losses because of credit card fraud, they would’ve gotten notice because I’m sure some enterprising reporter wrote an article saying, “Hey, this is a third breach in two years at Wyndham hotels. What’s going on there?” The FTC saw that article and started wondering the same thing. They pay attention to the news. Any time your name is in the news with something bad, that should scare you because there are regulators that routinely … I mean they’re scanning the papers just like everybody else.


Mike: Stay out of the news is a good thing, huh?


Tatiana: Yeah. For the good things, you should be in the news but for the bad things, try to stay out of the news.


Mike: Okay. Terrific. Well, let’s wrap up right there. We just hit our one hour mark. Tatiana, thank you very much for what I think was a very interesting presentation. I want to thank all the attendees for joining us at the Tuesdays at Two webinar series. We will be mailing out a link to the final webinar, the slides that were used as well. With that we’ll log off and have a great day. Thank you.


Tatiana: Thanks Mike.


Mike: Bye, bye.


Tatiana Melnik, Attorney
Tatiana Melnik is an attorney concentrating her practice on IT, data privacy and security, and regulatory compliance. Ms. Melnik regularly writes and speaks on IT legal issues, including HIPAA/HITECH, cloud computing, mobile device policies, telemedicine, and data breach reporting requirements, is a Managing Editor of the Nanotechnology Law and Business Journal, and a former council member of the Michigan Bar Information Technology Law Council.

Ms. Melnik holds a JD from the University of Michigan Law School, a BS in Information Systems and a BBA in International Business, both from the University of North Florida. www.melniklegal.com
