by David Adler

FTC v. Wyndham and corporate cybersecurity

Opinion
Sep 01, 2016
Legal, Privacy, Security

The widely watched case of FTC v. Wyndham Worldwide Corp. isn't just about cybersecurity.

The case of FTC v. Wyndham is one of the most important security and privacy cases decided in the last 10 years. The case affirms several important principles governing data security, and it is a must-read for business executives and attorneys. First, it cements the FTC’s authority to act as the nation’s privacy and security watchdog. Second, it identifies a laundry list of privacy and security missteps. Third, it stands for the proposition that if a company was not on notice that it has to meet certain privacy and security standards, even if they are not readily and specifically ascertainable, it is now.

The FTC alleged, and the Third Circuit ostensibly agreed, that Wyndham’s security practices were “unfair” and, therefore, legally insufficient because “taken together [they] unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” These missteps, when reviewed, can create a baseline for best practices.

The following practices should be followed:

  • Store sensitive information in encrypted format.
  • Prohibit the use of easily guessed passwords (especially avoid using “default”/factory settings).
  • Use “readily available security measures,” such as firewalls, to limit access to systems, the company’s network and the internet.
  • Implement information security policies and procedures that prohibit using out-of-date operating systems and software and require maintaining security updates.
  • Prohibit the use of “default” user IDs and passwords.
  • Maintain an inventory of computers connected to the network.
  • Restrict access of third-party vendors by specified IP addresses or time-limited access.
  • Employ reasonable detection and prevention measures.
  • Follow “proper incident response procedures” (e.g., identifying attack tools, methods and targets to avoid similar attack methods or malware).

While the FTC v. Wyndham case provides a baseline for incompetence, it does not provide a clear rule on minimum adequate practices. Each company must judge for itself whether its security practices and policies reflect the company’s risks, given the variety of industries, customers, vendors, markets and regulations. However, deciding to avoid all the mistakes made by Wyndham is a good start.