The Federal Trade Commission (FTC ) is the most active and aggressive federal government agency to investigate and enforce data privacy and security laws against businesses. Section 5 of the FTC Act empowers the agency to bring enforcement actions against businesses for unfair or deceptive trade practices. Thanks to Section 5, the FTC has already brought over 50 data privacy and security actions against businesses that have resulted in settlements and consent decrees.
So, it was with some surprise that, when the FTC filed suit against the Wyndham hotel franchisor following a data security breach initiated by hackers from Russia, Wyndham was not anxious to settle the case. Instead, Wyndham challenged the FTC’s basic authority to assert an unfairness claim against a business based upon data security practices and brought a motion to dismiss the claim. A ruling in favor of Wyndham would have sent shockwaves through the privacy world and stymied FTC actions going forward. This, however, was not to be.
On April 7, Judge Esther Salas denied Wyndham’s motion to dismiss and affirmed the FTC’s authority to initiate and enforce such actions relating to data privacy and security. The case will now proceed to determine Wyndham’s potential liability, unless Wyndham folds and settles.
TOP TEN LESSONS LEARNED FROM THIS FIRST ROUND IN WYNDHAM:
2. Perform a data privacy and security compliance audit. Perform an audit as necessary to determine what policies, procedures, and practices are in place at your business relative to the collection, use, and sharing of personal information. What federal, state, and international laws apply? Are your policies and procedures appropriate and do they follow best practices? Consider both administrative and technical safeguards.
3. Include privacy concerns in all vendor agreements. Data privacy and security issues should be covered in all vendor agreements and not just those that are related to computer software and related technology. The recent Target data breach was the result of an HVAC vendor’s lax protection of its password credentials, which ultimately allowed the unauthorized access to the Target point of sale system.
4. Make sure you have a data breach response plan in place. Do not wait until you have a data breach to have an action plan in place. Appoint a person or team responsible for handling any data breach and have in place a process for dealing with breaches. Legal counsel, upper management, IT, public relations, and employees must all be included in the plan and process.
5. Provide ongoing and appropriate training. Data privacy and security can be easily compromised by lax employees who are not sufficiently trained in the data privacy and security policies and procedures of a business. Through inappropriate activities employees may inadvertently allow for unauthorized access. Training of both employees and management is essential to assure compliance with data privacy and security policies and laws and to mitigate risks of a data breach.
6. Consider available insurance. New forms of cyber insurance are available to mitigate risk of a data breach but should be scrutinized for value and coverage.
7. Learn from past FTC consent decrees and settlements. While consent decrees and settlements are supposed to be limited to the specific facts and circumstances, there are clearly best practices that can be discerned from these actions, and they also highlight activities that should be avoided. In the absence of any specific FTC rules or regulations that set forth reasonable data security practices, a business is almost forced to consider the inadequate data security practices cited in its enforcement actions. For more on this, see this recent article by Daniel J. Solove and Woodrow Hartzog.
8. Franchisor Liability. Of particular interest to the franchise community was the court’s finding that Wyndham, as a franchisor, was potentially liable. The court rejected Wyndham’s contention that “as a matter of law, it [Wyndham] is necessarily a separate entity from Wyndham-branded hotels,” such that each maintain their own computer networks and engage in separate data collection practices. Franchisors should review their relationship with franchisees relative to network access, connectivity, and control of information.
9. Judge Salas’ April 7 decision is not the final round. This decision was reached by a single federal district court judge and it only denied a motion to dismiss the FTC’S complaint. The FTC’S authority could still be challenged in other district courts or appealed. More importantly, as the district court itself noted, “a liability determination is for another day.” For this reason, “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked. Instead, the Court denies a motion to dismiss given the allegations in this complaint—which must be taken as true at this stage—in view of binding and persuasive precedent.”
10. Stay tuned for possible federal legislation. In light of the NSA/Snowden affair and the Target data breach, we may finally see some action in terms of federal data privacy and security law. There has been a flurry of activity in Congress, and several legislative proposals are being considered relative to data privacy and security. Five bills have been introduced that would set nationwide standards for data security and breach notification. These bills would pre-empt the patchwork of state laws that currently exist. One of these laws may even become law before the Wyndham case is finally resolved.