On three occasions in 2008 and 2009, hackers successfully accessed Wyndham’s computer systems. The hackers stole personal and financial information for hundreds of thousands of customers, leading to over $10.6 million in fraudulent charges. Wyndham franchises and manages approximately 90 independently owned hotels. It uses a property management system that collects names, credit card information and other data about its customers or patrons. The FTC alleged that the Wyndham hotels sometimes stored credit card information in clear, readable text. (As an aside, the Payment Card Industry Data Security Standard, or PCI DSS, which is widely known and used by merchants, prohibits storing cardholder data in clear, readable text; stored card numbers must be rendered unreadable, for example by encryption or truncation.)
The Agency also alleged that easily guessed passwords were used; for example, one hotel’s property management system, developed by Micros Systems, could be reached remotely with the user ID and password both set to “micros.” The FTC alleged that firewalls were not used to limit access between the hotels’ property management systems, the corporate network and the Internet. The Agency alleged that Wyndham used an out-of-date operating system and had not updated some of its security software in over three years. Further, Wyndham used default user IDs and failed to adequately inventory the computers connected to its network. This “failure to inventory” meant Wyndham could not locate and remove the attackers’ malware, which contributed to the later intrusions and data releases after the first hack. Wyndham failed to adequately restrict access to its networks because it did not limit vendors to temporary or restricted access. It failed to conduct adequate security investigations and to follow proper incident response procedures. It failed to monitor all of its networks for malware.
In 2008, hackers broke into a hotel’s local network by brute-forcing user IDs and passwords. They then installed memory-scraping malware on the systems of more than 30 hotels and stole unencrypted card data for over 500,000 accounts. In March 2009, the hackers attacked again, and this attack was not discovered for two months. It resulted in the disclosure of credit card information for about 50,000 customers at nearly 40 hotels. Late in 2009, a third attack occurred, but Wyndham did not learn of the intrusion until January 2010. This third attack exposed credit card information for about 70,000 customers at 28 hotels.
Of the many arguments raised by Wyndham, one of the more compelling involved whether Wyndham had “fair notice” that its inadequate data security policies and actions were contrary to the statute. In other words, did Wyndham have fair notice that its inadequate cybersecurity policies and actions might violate Section 5 of the FTC Act, the statute the FTC enforces? The Appeals Court stated that the relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute but whether Wyndham had fair notice of what the statute itself requires. The Appeals Court held that Wyndham was not entitled to know with “ascertainable certainty” the FTC’s interpretation of what cybersecurity practices the statute requires.
The Court then looked to the statute, which asks whether “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). Therefore, although the statute is not very precise, its standard informs parties that the relevant inquiry is a cost-benefit analysis. A number of cases concerning FTC enforcement efforts discuss the relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity, and the costs to consumers that would arise from investment in stronger cybersecurity.
The FTC’s complaint alleged that Wyndham failed to use any firewall protection at critical network points, did not restrict access by IP address at all, did not use any encryption for certain customer files, and did not require some users to change default or factory-set passwords at all.