The One Case that Shows How the FTC is Enforcing Data Security Practices
Print Issue: December 2015
US JUDICIAL DECISIONS
Cybersecurity. The Federal Trade Commission (FTC) has the statutory authority to bring enforcement actions against defendants for allegedly “unfair” data security practices, according to a federal appeals court decision.
The ruling stems from a case brought by the FTC against Wyndham Worldwide Corporation after hackers successfully accessed its computer systems three times, stealing personal and financial information for hundreds of thousands of consumers, leading to more than $10.6 million in fraudulent charges.
Prior to the hacks, Wyndham “falsely told consumers that it followed industry standard practices” for cybersecurity to protect their data, the FTC found. In 2012, it filed suit against Wyndham, alleging that its conduct was an unfair cybersecurity practice that “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft,” according to court documents.
Instead of protecting consumer data, the FTC said, Wyndham-branded hotels were allowed to store payment card information in clear, readable text; Wyndham allowed easily guessed passwords to be used to access property management systems; and Wyndham failed to use “readily available security measures…to limit access between the hotels’ property management systems, corporate networks, and the Internet.”
Additionally, the FTC charged that Wyndham allowed hotel property management systems to connect to its network without taking “appropriate cybersecurity precautions,” that it failed to restrict the access of third-party vendors to its networks and servers, failed to employ “reasonable measures to detect and prevent unauthorized access” to its networks, and did not follow proper incident response procedures—hackers used similar methods in each attack, but Wyndham did not monitor its network for previously used malware.
Wyndham, however, challenged whether the FTC had the legal authority to regulate cybersecurity under the Federal Trade Commission Act, arguing that the agency had only been bringing administrative actions related to deficient cybersecurity under the act since 2005.
Wyndham appealed to the U.S. Court of Appeals for the Third Circuit to dismiss the case. The court, however, ruled that the FTC does have the authority to regulate cybersecurity because it has the power to regulate and punish firms that it deems engage in “unfair” or “deceptive” business practices.
The court also rejected an argument by Wyndham, which suggested that if the FTC were allowed to punish companies for these kinds of data breaches, it could also sue grocers that are “sloppy about sweeping up banana peels,” opening the door to numerous unfair practice claims.
However, the court explained that “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”
Wyndham will now face the FTC’s 2012 lawsuit in a lower court. (Federal Trade Commission v. Wyndham Worldwide Corporation, U.S. Court of Appeals for the Third Circuit, No. 14-3514, 2015)
Discrimination. A federal jury has ruled that an employer engaged in religious discrimination when it refused to accommodate an employee’s religious beliefs, which prohibited him from using a biometric hand scanner.
Beverly R. Butcher, Jr., was a general inside laborer at the CONSOL Energy, Inc., and Consolidation Coal Company mine in Mannington, West Virginia. Butcher had served the company for more than 35 years when, as a new security measure, the company installed biometric hand scanners to track employees’ time and attendance.
Butcher, however, refused to use the hand scanner. He informed company officials that submitting to biometric hand scanning violated his evangelical Christian religious beliefs. He also wrote a letter to company officials, explaining his beliefs about the relationship between hand-scanning technology and the “mark of the beast”—discussed by the Antichrist in the New Testament’s Book of Revelation. Butcher requested an exemption from the hand scanning based on these beliefs.
The companies refused to consider an alternate method for tracking Butcher and told him that he could face discipline up to and including termination if he refused to scan his hand. According to court documents, Butcher said the companies’ stance ultimately forced him to retire because they would not provide a reasonable accommodation for his religious beliefs.
Butcher then filed a charge with the U.S. Equal Employment Opportunity Commission (EEOC), which filed a lawsuit on his behalf alleging that the mining companies’ refusal to consider alternative methods of tracking Butcher violated Title VII of the Civil Rights Act.
The jury found that the companies had violated Butcher’s rights and ruled in the EEOC’s favor, awarding Butcher $150,000 in compensatory damages. U.S. District Judge Frederick P. Stamp, Jr., also determined that the companies must pay Butcher an additional $436,860 in back pay and front pay for the violations found by the jury.
Additionally, the court issued a three-year permanent injunction to bar the companies from denying reasonable accommodations for religion in connection with their use of biometric hand screening technologies. The court also issued a requirement that the companies be trained on religious accommodations under Title VII to prevent future violations. (EEOC v. CONSOL Energy, Inc., U.S. District Court for the Northern District of West Virginia, No. 1:13-cv-00215, 2015)
Data Sharing. The United States and the European Union (EU) reached an “umbrella agreement” that allows the two to exchange more data during criminal and terrorism investigations. The agreement applies to personal data, including names, addresses, and criminal records, that the two use to prevent, detect, investigate, and prosecute criminal offenses.
Under the agreement, the EU and the United States have agreed to standards for limiting personal data use, transferring data, retaining data, granting access and rectification of data, notifying individuals of data security breaches, and creating opportunities for judicial redress and enforceability rights.
Crucial to securing the deal is a provision that allows EU citizens to sue in U.S. courts if their personal data is misused. “Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic,” said EU Justice Commissioner Věra Jourová in a statement. “It will in particular guarantee that all EU citizens have the right to enforce their data protection rights in U.S. courts.”
However, Congress must still pass legislation to give EU citizens this right. The House of Representatives recently passed the Judicial Redress Act (H.R. 1428), which grants these rights to EU citizens. It has been sent to the Senate for consideration.
Cybersecurity. The Senate passed a bill that would allow the federal government to share classified and declassified cyberthreat indicators with private entities, sending it to committee to iron out differences between similar Senate and House bills.
The bill (S. 754) would allow the director of national intelligence and the U.S. Departments of Homeland Security, Defense, and Justice to share cyberthreat indicators with private companies, nonfederal government agencies, and state, tribal, and local governments. The legislation also allows private entities to share and receive indicators and defensive measures with other entities or with the federal government.
S. 754 includes provisions to require the government to use security controls to protect against unauthorized access or acquisition of data and to remove personal identifying information not related to cybersecurity threats before the information is shared.
Critics, though, have questioned if these provisions are sufficient to protect Americans’ privacy and have introduced numerous amendments to the legislation to address their concerns. The bill has been sent to committee to address differences between it and a bill passed by the House of Representatives (H.R. 1560) in April before it can be sent to President Barack Obama to be signed into law.
Refugees. Germany enacted a new policy that allows Syrian refugees to stay in the country and apply for asylum instead of being deported.
The change was implemented by Germany’s Federal Office for Migration and Refugees as part of the “procedural rules for the suspension of the Dublin procedure for Syrian nationals.” It suspends the previous practice—called the Dublin Regulation—which required Germany to test whether asylum seekers first entered the European Union in another member state. If they had, Germany would deport them to that state to remain there until their asylum claims had been processed.
Under the new rules, Syrian refugees will be allowed to stay in Germany even if they first entered the EU in another member state. The move makes Germany the only EU state to have such a policy.