FTC Takes On Wyndham For Security Lapses

Lawsuit alleges deceptive practice in privacy policy following three breaches in two years
In another sign that it is cracking down heavily on businesses that put consumer privacy at risk by failing to protect their sensitive data, the Federal Trade Commission (FTC) launched a lawsuit against hospitality company Wyndham Worldwide. The FTC accuses Wyndham of deceptive practices in the claims it made in its privacy, using three different breaches Wyndham suffered in the course of two years as evidence of failure to live up to promises to protect customer information.

"At the root of it the FTC is saying to Wyndham, 'You're not living up to your privacy statement and that's unfair and deceptive,'" says Todd Thiemann, senior director of product marketing for Vormetric,. "It should be a wakeup call to enterprises understanding they need to not just pay attention to PCI DSS, but make sure across the board that they're living up to they say about privacy protection in terms of what they're advertising to their customers.

The FTC complaint names three breaches in the case, occurring in 2008 and 2009. The first was a networked server breach that gave hackers the capability to install malware that exfiltrated half a million credit card numbers to a domain registered in Russia. Even after that incident, FTC claims Wyndham didn't do enough to prevent two additional breaches that gave hackers access in a similar method and resulted in more than 100,000 more customer details from being exported.

"In its complaint, the FTC alleges that Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information, and that its failure to safeguard personal information caused substantial consumer injury," the FTC said in a release this week. "The agency charged that the security practices were unfair and deceptive and violated the FTC Act."

According to Torsten George, vice president of worldwide marketing for Agiliance, the suit is a clear sign to the security industry that it is no longer good enough to follow check-box compliance practices.

"You have to step up and really show that you care about security," he says. "And that it's really important once you get burned the first time to really dramatically change how you approach security within an organization."

He also believes that businesses will watch this case closely for clues as to how privacy policies should be written in the future. He believes that Wyndham was "naïve" in how it wrote its privacy policy, offering far too many safety guarantees in an environment rife with security breaches.

"I believe that this is a watershed event and that a lot of lawyers of commercial companies are currently reviewing their legal information on their websites," he says.

It could also be an important case in setting precedence about what constitutes due diligence on the behalf of companies offering privacy guarantees.

"The current FTC statements against Wyndham allege that Wyndham did not perform proper due diligence with respect to various areas of information security. The question most likely weighing on many organization’s minds as they watch this story unfold is, 'What constitutes proper due diligence?'" says Jason Rhykerd, consultant for SystemExperts Corporation, explaining it is an answer that is not as easy as we'd like to believe. "How can you be sure that one person’s best practices are the best practices for your organization? Due diligence is a relative term; properly inventorying assets and assessing risk will allow an organization to realize gaps and implement controls and/or mitigation processes and polices. "

He says that the "basics" like strong passwords, monitoring, and applying the rule of least privilege are still being missed today. It may take more actions like this from the FTC to convince organizations to pay more attention.

And the FTC may be happy to oblige. This is the third case this month that the agency has brought forward as it relates to data security. In two others, the FTC is suing two companies for exposing customer data through P2P downloads.

"It’s unfortunate that the stick of the FTC is required to force the change in mindset and action for some organizations," says Mike Reagan, chief marketing officer at LogRhythm. "But for others, they’re recognizing the importance of this strategic imperative and are taking the right steps to increase their visibility and response capabilities to minimize loss and protect their customers and businesses."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.