Legal Report July 2014
U.S. JUDICIAL DECISIONS
LIABILITY. A federal court has ruled that the Federal Trade Commission (FTC) can proceed with a lawsuit against a hotel group for allegedly failing to safeguard consumers’ personal information. The FTC has accused the hotel group of failing to provide adequate security for its computer system, which led to three data breaches between April 2008 and January 2010. These breaches, in turn, led to fraudulent activity worth $10.6 million.
Wyndham Worldwide Corporation and its subsidiaries license the Wyndham name to approximately 90 independently owned hotels under franchise and management agreements. Each Wyndham-branded hotel has its own property management computer system that handles payment card transactions and stores information on payment card account numbers, expiration dates, and security codes.
Since 2008, Wyndham Hotels and Resorts subsidiary’s Web site has said that “we recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program.”
In April 2008, Wyndham experienced a security breach that gave intruders access to the corporate network of Wyndham Hotels and Resorts subsidiary and the property management system servers of 41 Wyndham-branded hotels. This access allowed hackers to install memory-scraping malware on numerous Wyndham-branded hotels’ property management system servers and steal payment card account information for consumers, which had been improperly stored in clear, readable text.
Ultimately, the breach led to the compromise of more than 500,000 payment card accounts and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia. After the initial breach, Wyndham did not remedy known security vulnerabilities, did not employ reasonable measures to detect unauthorized access, and failed to follow proper incident response measures. This led to Wyndham’s security being breached two more times in less than two years, according to court documents.
The second breach took place in March 2009, when hackers gained access to Wyndham’s network using techniques similar to those used in the first breach. The hackers again used memory-scraping malware and reconfigured software at the Wyndham-branded hotels to obtain plain text files of the payment card account numbers of guests. During the second breach, hackers were able to access information at 39 Wyndham-branded hotels for more than 50,000 consumer payment card accounts and used that information to make fraudulent charges.
Later in 2009, intruders breached Wyndham Hotels and Resorts’ network, installing memory-scraping malware and compromising the property management system servers of 28 Wyndham-branded hotels. With the third attack, hackers were able to access information for approximately 69,000 consumer payment card accounts and, again, use that information to make fraudulent charges.
After examining the incident, the FTC voted to authorize the filing of a lawsuit, as it had “reason to believe” that the law had been or was being violated, and that the suit was in the public interest. The FTC then filed suit in 2012 for alleged data security failures that led to the three data breaches.
The agency charged that Wyndham and its subsidiaries failed to take security measures, such as requiring complex user IDs and passwords, installing firewalls, and establishing network segmentation between the hotels and the corporate network. It also noted that Wyndham allowed improper software configurations on its network, which resulted in the storage of sensitive payment card information in clear, readable text.
Wyndham argued that the FTC did not have jurisdiction to sue over what it says was lax security leading to data breaches and asked for the lawsuit to be dismissed.
Judge Esther Salas of the U.S. District Court for the District of New Jersey ruled in favor of the FTC and has allowed the case to continue. (Federal Trade Commission v. Wyndham Worldwide Corporation, U.S. District Court for the District of New Jersey, No. 13-CV-1887, 2014)
WHISTLEBLOWERS. A federal appeals court has thrown out a False Claims Act (FCA) case against Verizon Communications Inc., ruling that the suit is barred by an earlier case in which the same whistleblower took a large settlement.
On January 16, 2007, Stephen M. Shea filed a complaint on behalf of the U.S. government against Verizon. His complaint alleged the submission of false claims by Verizon, including that Verizon knowingly submitted prohibited surcharges under contracts to provide telecommunications services to the General Services Administration (GSA) of the U.S. government. Shea charged that these additional fees were added to the federal government’s bill “to inflate revenue.”
Shea said he became aware of the alleged conduct through an internal document he received in 2004, which listed the taxes and surcharges that the federal government was responsible for. The federal government intervened in the case, Verizon I, and in February 2011, Verizon settled the case without an admission of liability and Shea received almost $20 million.
Before the settlement took place, Shea filed a second action against Verizon, Verizon II, and on September 12, 2012, filed a second amended complaint. The complaint was similar to the action Shea filed in 2007 and alleged a scheme by Verizon “to defraud the United States by knowingly billing the government for non-allowable surcharges.” It also traced Shea’s knowledge of the action to the same 2004 document he used in his previous complaint. The only difference in the new complaint was that it expanded on Shea’s allegations to more contracts, more charges, and more government agencies.
In November 2012, a district court dismissed Shea’s complaint and held that under the FCA’s first-to-file bar, Shea’s complaint in Verizon I barred the court from considering his complaint in Verizon II. The first-to-file bar prevents anyone other than the government from intervening, or filing a related claim, based on facts underlying the original claim.
The district court also concluded that Verizon II was barred from its consideration because it alleged “a fraudulent scheme the government already would be equipped to investigate” based on the claims made in Verizon I. Shea appealed the decision, which was taken up by the U.S. Court of Appeals for the District of Columbia.
In his appeal, he alleged that Verizon I and Verizon II were not related because they involved different contracts and different agencies. Shea also charged that the district court dismissed Verizon II improperly because Verizon I had been settled when he filed his second amended complaint.
The appeals court upheld the lower court’s opinion, ruling that Verizon I and Verizon II were related and that the first-to-file bar applied to Shea. Additionally, the court ruled that the bar remains effective for a second complaint even after the first complaint has been settled. (Shea v. Verizon Wireless, U.S. Court of Appeals for the District of Columbia, No. 12-7133, 2014)
PRIVACY. Australia has enacted a new amendment that will broaden the definition of personal information and require more transparency from organizations on how that personal information is stored. The Privacy Regulation 2013, part of the broader Privacy Amendment Act of 2012, went into effect in March and expands personal information to include data types that were not considered personal in 1988.
The new law applies to any companies with revenues of more than AUD $3 million that collect information such as names, contact data, payment information, or other details related to a specific person, for any purpose. Additionally, Australian organizations will have to be more transparent and responsive as to how they handle customer data. The new law requires organizations to know where their information is stored—on which servers in which countries—so they can be transparent with their customers and can remain compliant with the law.
The new requirements also come with heavy penalties for noncompliance, including fines of up to AUD $1.7 million.
SURVEILLANCE. The House Permanent Select Intelligence Committee has introduced a bill to end the bulk telephone metadata program overseen by the National Security Agency (NSA). The bill (H.R. 4291), known as the FISA Transparency and Modernization Act of 2014, would end bulk collection of metadata under the Foreign Intelligence Surveillance Act, including telephone, e-mail, and Internet metadata. If passed, the bill would also ban the bulk collection of firearm sales records, library records, medical records, tax returns, educational records, and other sensitive personal records.
The bill was introduced by Committee Chairman Mike Rogers (R-MI) and ranking member Rep. C.A. Dutch Ruppersberger (D-MD) and has strong bipartisan support within the committee with 11 cosponsors. It was developed over the past several months as the committee has been evaluating a number of ways to “increase transparency and restore trust in critical national security programs” after a series of reviews of the NSA telephone metadata program.
“If the government has a reasonable and articulable suspicion that an individual phone number is associated with terrorism, the government could, under a program with significant court and congressional oversight, direct communication companies to query their records and provide the government with numbers connected with that suspect number,” according to a press release issued by the committee.
As part of the oversight of the program, the government would be required to seek court approval before and after obtaining metadata from communication companies. The prior approval would be used to ensure that the government obtains only metadata associated with “legitimate terrorist and foreign intelligence targets.” The later approval would require the government to submit the evidence supporting its request for metadata to the Foreign Intelligence Surveillance Court for judicial review. If the court disapproves of the evidence, it can order the government to “purge any metadata it received.”
President Barack Obama has proposed his own set of reforms for the NSA program, which would also require new procedures for judicial approval before asking phone companies for telephone metadata for a specific number. However, once the Foreign Intelligence Surveillance Court has approved gathering records associated with that number, phone companies could be required to turn over data associated with that number on an ongoing basis. This process could be waived, though, in the event of a national security emergency.
The bill has been referred to the House Permanent Select Intelligence Committee and the Judiciary Committee for review.
SECURITY CLEARANCES. Senators Claire McCaskill (D-MO), Jon Tester (D-MT), and Mark Begich (D-AL) have introduced legislation to prevent security clearance contractors from reviewing and approving their own background investigations. The bill (S. 2061) is designed to prevent conflicts of interest in background investigation fieldwork services and investigative support services.
If passed, it would prevent the director of the Office of Personnel Management (OPM) from awarding contracts to a company that would allow it to review its own process for background investigation fieldwork services or background investigation support services. The bill has been referred to the Senate Homeland Security and Governmental Affairs Committee for review.
McCaskill and Tester introduced another measure related to security clearances in the Senate, but a similar bill introduced in the House was signed into law. The law, the OPM IG Act (P.L. No. 113-80), allows the inspector general of the Office of Personnel Management to use resources from the agency’s $2 billion revolving fund to more thoroughly investigate cases where the integrity of the background check process may have been compromised.
GUN CONTROL. A Georgia law allowing guns in bars, schools, restaurants, churches, certain government buildings, and airports went into effect on July 1 after Gov. Nathan Deal signed the measure earlier this spring. Called The Safe Carry Protection Act of 2014, the measure was sponsored by Rep. Doug Holt and amended Georgia law to expand gun rights.
The new law (formerly H.B. 60) allows religious leaders to “opt-in” to allow guns on their worship premises, where violators cannot be arrested or fined more than $100 each. Also, the law allows citizens to carry firearms in bars, nightclubs, libraries, sports facilities, senior citizen and youth centers, and on K-12 premises by authorized administrators and teachers.
Along with expanding the areas where firearms are allowed, the law also allows felons to claim the Stand Your Ground defense—where someone who “reasonably believes” his life is in danger does not have to walk away and can shoot to kill.
In addition, the law allows permit-holders to carry guns into the general areas of airports, including restaurants and waiting areas prior to the Transportation Security Administration (TSA) checkpoints. Those who carry guns into TSA checkpoints are referred to law enforcement and may face criminal penalties, according to the TSA.
This column should not be construed as legal or legislative advice.