On August 24, 2015, a US Appeals Court ruled that a company can be sued by the Federal Trade Commission (“FTC”) for the criminal behaviors of a third party; based upon the failure of a company to meet its duty to protect its clients’ data. This is a remarkable shift in both power and scope for the FTC.
The genesis of that case comes from Wyndham repeatedly failing to protect the consumer data of ~619,000 individuals. The FTC found that between 2008-2009 hackers successfully breached and stole data three times, each time using hacked administrator credentials and exploiting network vulnerabilities. While many business leaders, congressmen, and legal pundits are criticizing this case as an overstep of authority, read these highlights of the Wyndham Cybersecurity handbook and decide for yourself:
- PCI Compliance – None, credit card data stored in clear text.
- Password Policy for Network Components – None, default user IDs and passwords permitted (Actual Sun Microsystems login info – ID: micros; password: micros).
- Network Password Policy – None, default passwords and IDs permitted.
- Network Hardware Security – None, firewalls were not used on the network.
- Network Components – No inventory or asset tracking system used.
- Patch Policy – Un-patched operating systems permitted (*Some without patches in three (3) years).
- IP Restrictions – None, Wyndham failed to restrict specific IP addresses, at all.
- Network Intrusion Detection Policy – None, second and third attack undetected until consumers notified Wyndham.
- Incident Response Policy – None, Wyndham failed to fix security gaps after first and second attacks.
What’s amazing is that the above policies remained in place after not one, but two large scale hacking events resulting in hundreds of thousands of people having their data compromised. The nine bullet points above reflect the state of Wyndham data security after the third time they were hacked. It appears that after each attack Wyndham decided to continue with business as usual and not make any changes or improvements to the cybersecurity infrastructure.
As of the date of the ruling, companies are officially on notice that the FTC has the authority to go after companies who fail to be good stewards of our data (Note: The court found that companies were all ready on notice prior to this case). Watch in the coming months for more updates as the FTC fully pursues its case against Wyndham, odds are more is yet to come.
The question on everyone’s mind is what types of security measures should I employ that will help me avoid the FTC wrath? Fortunately for us, in June 2015 the FTC broke ground and became the first government agency to actually set forth data security guidelines: “Start with Security: A Guide for Business.” This document summarizes the ten most important data security lessons a business must heed, all drawn from the FTC’s 50+ data security settlements. Here is my rundown on Data Security Standards in a Post-Wyndham v. FTC World over at Tripwire – State of Security.
Once you’ve read the above, work with your IT and legal departments to audit your data security policies and procedures with an eye towards the FTC’s ten lessons.
Prepare now, or get wynded later.
/s/ HH @LegalLevity