A US court recently declared that the Federal Trade Commission (FTC) can sue Wyndham Worldwide Corp. (Wyndham) for failing to take reasonable steps to secure sensitive consumer information. According to the FTC, hackers accessed Wyndham’s computer network three times between 2008 and 2009, stealing the personal credit card information of approximately 619,000 customers and leading to at least $10.6 million in fraudulent charges.
Significantly, throughout the period at issue, Wyndham posted on its website that it took “commercially reasonable” data security measures. In its complaint, however, the FTC alleged just the opposite - that Wyndham stored personal credit card information in unencrypted text, allowed employees to use easily guessable passwords to access its network, did not use “readily available security measures” such as firewalls, did not adequately restrict third-party vendor access to the network, failed to take steps to prevent and detect unauthorized access, and failed to respond appropriately when hackers attacked.
The court’s decision now allows the case to proceed to trial; it remains to be seen which of these allegations the FTC can prove at trial. Nonetheless, the court’s decision validates the FTC’s ability though its consumer protection mandate to hold companies accountable for not taking adequate measures to protect data security.
What does this mean for General Counsels and Corporate Compliance Officers (GCs/CCOs)?
The Wyndham case is the most recent example of why GCs/CCOs may want to assess the security of the personal data (often referred to as “personally identifiable information” or “PII”) your company holds. Consider the following questions:
- Where are your company’s risks? Whether you are setting up a compliance or oversight program to guard against corruption, fraud, data breaches, or other potential sources of liability, your first step should be to holistically assess your risks in that area. In the area of data security, consider (i) what kinds of data your company collects from individuals (including both customers and employees); (ii) where this data is held, and how; (iii) who has access to the data, and how; (iv) under what circumstances this data is transferred, and by what means; and (v) what kinds of security measures are in place, and how often these measures are tested and updated. Each aspect of the company’s attack surface (data entry or extraction points) should be evaluated in terms of its vulnerability to breach.
- Are your security efforts (still) commercially reasonable? Given the speed of change on the information highway, don’t assume that the data security program you put in place a few years ago is still good enough. Companies should regularly assess current industry leading practices and trends against their own existing measures, gauged towards specific company risks.
- How is the data security process communicated throughout your company? Employees and others with access to confidential information held by the company should understand their responsibilities under the company’s data security compliance program. Given the real threat that data breaches represent to most companies, periodic communications and training on both the company’s program and newsworthy general data security developments are advisable.
- How are you responding to problems? Make sure you have specified and tested procedures for responding to and remedying the causes of data breaches. In the Wyndham case, the court pointed out that all three data breaches occurred in nearly the same way—Wyndham could have avoided later breaches by taking appropriate action after the first breach.
- Are you actually following your data security policy? Creating and posting your policy is not enough. Corporate actions must be consistent both with policy and what is represented to clients and other third parties. One of the FTC’s allegations against Wyndham was that it deceived consumers by posting on its website that it was taking commercially reasonable efforts to safeguard customer data when in fact it was not.
- Finally, who owns the data security process? The lines of accountability should be clear. Ideally, a high-level executive should have the responsibility for corporate data security, to include tracking leading practices. Other individuals can be delegated responsibility for day-to-day compliance issues.
In short, if your company collects PII and stores it on a network, the Wyndham decision is additional confirmation that your data security measures matter.