FTC v Wyndham – Is Data Security a Fair Business Practice?


A federal appeals court ruled on August 24, 2015 that the Federal Trade Commission has the authority to enforce cybersecurity standards. In FTC v. Wyndham, the agency sued Wyndham hotels after the company exposed financial data of hundreds of thousands of customers. The cornerstone of Wyndham’s case was that the FTC lacked authority to enforce security standards, but the court upheld FTC’s position. Wyndham lawyers then appealed to the U.S. Court of Appeals for the Third Circuit which in turn upheld the decision of the lower court.

For organizations still dragging their heels over improving their security posture, the addition of data security and consumer privacy to the FTC’s remit should be a warning signal.  It was interesting to read that in the initial complaint the FTC stated that Wyndham between 2008 and 2010 had:

§  failed to use readily available security measures, such as firewalls;

§  stored credit card information in clear text;

§  failed to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks;

§  failed to address known security vulnerabilities on servers;

§  left default user names and passwords for access to servers;

§  failed to require employees to use complex user IDs and passwords to access company servers;

§  failed to inventory computers to appropriately manage the network;

§  failed to maintain reasonable security measures to monitor unauthorized computer access;

§  failed to conduct security investigations

§  failed to reasonably limit third-party access to company networks and computers.

The list of failings that an organization can be dinged for has only grown since then.  Key reasons for this are the exponential growth of mobile and the increasing need to secure hybrid environments, with resources and applications being in data centers, internally hosted or in the cloud.  It’s easy to focus on one specific area but throw in the others and try and get a holistic view and all the models of the past are useless. 

The time has finally come for companies to take stock.  No longer are security controls and solutions “nice to haves” that can keep moving into next year’s budget.  The days when doing the bare minimum was enough are over.  Accountability is going to need more than a good PR/marketing department and knee jerk investments to mollify impacted users and the general public.

For those of you who have read my earlier ramblings, you might remember that a few months ago I stated that the true victims of a security breach were the users whose data was stolen.  At the time I hoped that someday there would be regulations enacted and enforced to make organizations far more accountable.  It seems to me that the court ruling a few weeks back is a start and we are slowly but surely getting there. Who says I am not an optimist..?