From: The National Law Review
A recent United States District Court decision emphasizes the importance of business owners to assess and implement data security measures that comply with industry standards. In recent years, the Federal Trade Commission (FTC) has become increasingly active in regulating data security practices, initiating over 50 enforcement actions to date. In the first case to legally challenge the FTC’s authority to regulate data security measures, the court’s ruling has potentially opened the door to more cyber-security compliance and legal risks for businesses.
On April 7, 2014, the United States District Court for the District of New Jersey held that the FTC could proceed with a lawsuit against Wyndham Worldwide based on its allegation that the hotel company’s security practices violated Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce” that are “unfair” or “deceptive.” Prompted by three data breaches suffered by Wyndham between 2008 and 2010, the FTC brought suit against Wyndham in 2012, alleging that it had violated the Act by misrepresenting in its online privacy policy that it “had implemented reasonable and appropriate measures to protect personal information against unauthorized access” when it had not. In particular, the FTC alleged that Wyndham’s security included, among others, the following insufficiencies:
failing to use firewalls; permitting storage of payment card information in clear readable text; allowing its hotels to connect insecure servers to its computer network; permitting servers on its networks with commonly-known default user IDs and passwords; failing to use commonly-used methods to require user IDs and passwords that are difficult for hackers to guess; failing to monitor its computer network for malware used in a previous intrusion; and failing to restrict third-party access.
Leave a Reply