Emerging Tech Challenges in Legal: Data Insecurity as an Unfair Business Practice

By Lisa LaForge, Director-Technology Transactions & Chairperson of the Open Source Steering Committee, Legal Department, SanDisk Corporation

Lisa LaForge, Director-Technology Transactions & Chairperson of the Open Source Steering Committee, Legal Department, SanDisk Corporation

CIOs should be aware of a recent Third Circuit appellate decision which affirms the Federal Trade Commission’s (FTC) authority to prosecute enterprises which fail to adopt reasonable data security measures. While many states have laws about data breach on the books already, the prospect of increasing regulatory action on the part of the FTC significantly raises the legal stakes.

On August 24, 2015, the Third Circuit’s appellate court upheld a 2014 district court decision which said that the FTC has the authority to hold companies responsible for failing to use reasonable security practices as an unfair business practice and, that failure to adopt reasonable security measures creates substantial injury to consumers which consumers cannot reasonably avoid themselves (FTC v. Wyndham Worldwide Corp.). The appellate decision is a major win for the FTC. In a press release following the appellate court decision, FTC Chairwoman Edith Ramirez said, “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

FTC alleges that Wyndham caused significant consumer harm writing in its complaint that: “Defendant’s [Wyndham] failure to maintain reasonable security allowed intruders to obtain unauthorized access to the computer networks of Wyndham Hotels and Resorts, LLC and several hotels franchised and managed by Defendants on three separate occasions in less than two years. Defendant’s security failures led to fraudulent charges on consumer’s accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information.”

Though the case against Wyndham has not been finally adjudicated, FTC has broad enforcement powers it can use against Wyndham should the FTC prevail. For example, in the In re Snapchat (2013) settlement, FTC entered into a consent order and proposed settlement agreement under which Snapchat is subject to twenty years of privacy audits, and prohibited from making false claims about its privacy policies. Because FTC publicly discloses the existence and nature of regulatory enforcement against specific enterprises, the prospect of credibility loss is perhaps the FTC’s strongest weapon. In addition, given the precedential nature of the Wyndham decision, generations of law students may come to

associate Wyndham with the case which settled the question of whether or not the FTC has the authority to regulate data security practices.

What is a “Reasonable Security Practice”?

The Third Circuit appellate court also held that the FTC's recent enforcement actions give ample notice of what constitutes an inadequate security program and, by inference, some indication of adequacy. The Wyndham complaint reads as a laundry list of what not to do. Among other things, FTC alleges that Wyndham: (i) stored credit card information in clearly readable text, (ii) permitted the use of easily guessed passwords, (iii) failed to use reasonable measures to protect against attack, such as firewalls, (iv) failed to implement adequate policies and procedures (such as permitting the network to be accessed using an out-of-date operating system, (v) permitting individual hotel servers to connect to Wyndham’s network through default passwords and IDs which were easily discoverable by hackers, and (vi) insufficiently restricting third party access to the Wyndham network, etc.

To demonstrate that they have reasonable security practices in place, enterprises must understand what software’s are used throughout the organization, how it is used and constantly monitor code for potential vulnerabilities. In addition, CIOs should consider working more closely with their internal procurement organizations to identify secure code during the sourcing process.

Is Some Code More Secure than Others?

A traditional argument in favor of the use of open source software has been that open source is more secure than proprietary code. In theory, more eyeballs on open source software should result in fewer bugs and less potential for the inclusion of security vulnerabilities but 2014 was an awakening for the open source community in terms of software security— think Heartbleed and Shellshock. Heartbleed remediation was a logistical nightmare for enterprises which lacked visibility into the open source used in their infrastructure.

"The Federal Trade Commission (FTC) has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information"

Today, the open source community is putting more emphasis on security in open source code and the ability to demonstrate that open source code is secure. But at an August 2015 Linux Foundation event (LinuxCon) in Seattle, Linus Torvalds, the driving force behind the Linux kernel and its chief architect struck a sobering note on the subject of cyber security. In his keynote, Torvalds said, “Security is bugs, completely stupid bugs that some clever person comes around and takes advantage of. We'll never get rid of bugs so security will never be perfect.” Torvalds continued “Open source is doing fairly well, but anyone who thinks we'll ever be completely secure is foolish."

Lulling Consumers into a False Sense of Security

It is a settled legal question that the FTC can prosecute enterprises which mislead or deceive consumers. Snapchat’s claim that user photos and videos that would self-destruct permanently after the recipient viewed them when in fact, Snapchat images were not actually deleted from users’ phones, is the deceptive practice which lead to a twenty year requirement of privacy reviews.

Similarly, the FTC brought a claim for deceptiveness based on the Wyndham privacy policy because Wyndham’s policy claimed the company safeguards, “Our Customers information by using standard industry practices” and “We make commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations”.

As privacy policy review is a continuing theme in FTC enforcement actions and a ready source of deceptive claims, enterprises should avoid over-promising or misleading consumers regarding data security practices.

It will be interesting to see what claims the FTC might bring against Ashley Madison in light of recent events.

Three Takeaways:

1) Work with your supply chain to source secure code.

2) Track all code in your infrastructure both open and proprietary.

3) Don’t over-promise in a privacy policy.