When a federal appellate panel sided with the U.S. Federal Trade Commission (FTC) against the Wyndham hotel chain this week, it cemented the FTC as a power to be reckoned with for companies that have poor security.
Especially for payments professionals, the implications of this ruling can be dire as the FTC's criteria for what constitutes acceptable security are vague. Though there are industry standards and hardware and software products that strive to provide a baseline for security, a company can still be held responsible if its implementation of these tools proves sloppy enough to leave the door open to cyberthieves — as Wyndham did, multiple times.
Historically, FTC payments security cases have focused on finding public misrepresentations in a company's fine print, and indeed the Wyndham case includes much of that. But this time, the FTC is also pursuing claims based on unfair practices, an area that may be considered subjective enough to give compliance officers pause.
"This is an amorphous standard and no CIO can say 'We are compliant,'" said Mark Rasch, a former federal prosecutor—and one-time head of the high-crimes unit at the U.S. Justice Department—who currently runs his own legal practice. "The word 'unfair,' like all other words, means exactly what I want it to. The FTC will decide, after the fact, whether or not a company's practices were up to snuff."
Payment companies might even find this situation familiar. Companies such as Heartland Payment Systems considered themselves compliant with the Payment Card Industry data security standard, only to have that status revoked after a data breach, despite having passed their previous PCI assessments.
At one level, all that the FTC is asking is that companies maintain reasonable security standards. The dividing line that the appellate panel drew is somewhere between bad security and truly awful security, empowering the FTC to act only in the most egregious security transgressions.
In the example of Wyndham, the company suffered multiple data breaches in 2008 and 2009 without showing signs that it had learned from its past experiences by making efforts to better protect customer data. The result was "hundreds of thousands of consumers" losing their payment data to a Russian cyberthief attack "leading to over $10.6 million dollars in fraudulent charges," the panel noted.
The FTC has already made its mark on how payment security is handled. In 2014, the agency reached a $32.5 million settlement with Apple over the company's billing practices for in-app purchases. In the App Store's early years, Apple did not require a password for every purchase made within a short window of time, making it possible for parents to download a game for their kid only to find out later that the kid was able to make in-app purchases of digital items that cost up to $99.99 each.
As a practical matter, though, no company is going to be subjected to FTC scrutiny until that company has a major breach, Rasch argued.
"Most of the time, breaches are caused by someone doing something very stupid," Rasch said, adding that such conduct is almost impossible to isolate to one person.
According to the appellate panel: "The (FTC) complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files and did not require some users to change their default or factory-setting passwords at all."
Although the FTC has been pushing an increasingly aggressive attack on payment security lapses for years, this is "the first court of appeal to take a hard look at what the agency has been doing and it gave us a broad green light," said David Vladeck, who served as the FTC's director for the bureau of consumer protection from 2009-2012 and today is a tenured full law professor at the Georgetown Law School. "All we've been asking for are reasonable security practices that are consistent with the mainstream marketplace."
Despite repeated requests to Congress over the last several years, the FTC has an extremely small arsenal of potential punishments for companies it finds to have violated the law.
"We can't impose a monetary penalty. The tools that the FTC has are not substantial enough," Vladeck said (in the Apple settlement, the $32.5 million was the minimum amount of money Apple promised to refund to customers).
When a company settles with the FTC, the agency can oversee its conduct for an extended period, sometimes 20 or more years. Even if the settlement does not involve any refunds, the company is exposed to civil lawsuits filed by consumers who were affected by the breach, and those lawsuits can cite the FTC's action and all of its findings prominently.
Payment companies can demonstrate their compliance with the PCI standard, but that may not be enough. Companies must also make sure they change default passwords and take other steps to ensure they have covered the basics. "The FTC in practice has essentially said 'if your data gathering or data security practices are not up to some amorphous standard, you have potential liability,'" Rasch said.