Now, more than ever, corporate boards must ensure that their cybersecurity measures are up to par, funded, and properly implemented if they are to avoid the FTC’s wrath. Boards need to ensure both that those measures are consistent with best practices and with nationally and internationally recognized data security standards, and that the measures can actually be met through the commitment of sufficient resources. Otherwise, the Federal Trade Commission may find fertile ground to scrutinize the company, and even seek to impose sanctions for “unfair” practices.
In Federal Trade Commission v. Wyndham Worldwide Corporation, et al., Civil Action No. 14-3514 (the “Wyndham Case”), the United States Court of Appeals for the Third Circuit held that the FTC does indeed have authority under the FTC Act, 15 U.S.C. § 45(a), to protect consumers in cybersecurity matters: to determine that inadequate data security is an “unfair” practice prohibited by the Act, and to bring enforcement actions against companies that engage in such practices. (See opinion.) This ruling is particularly important to corporate boards and directors because it turned on the gap between what Wyndham’s published privacy policy promised about protecting customers’ sensitive information and what the company could actually deliver with the resources it devoted to cybersecurity.
Because matters of corporate policy, and the resources allocated to implementing those policies, fall squarely within the duties of corporate boards and directors, it is critical that corporate boards pay close attention to the Wyndham Case and its ramifications. I have previously blogged about the risks to corporate boards arising from litigation in connection with cyber incidents and data breaches:
- Corporate Boards: The Challenges and Risks of Maneuvering Through Cybersecurity, June 15, 2015.
- Corporate Boards: The Challenges and Risks of Maneuvering Through Cybersecurity, June 22, 2015.
- Corporate Boards: The Challenges and Risks of Maneuvering Through Cybersecurity, June 30, 2015.
Now, the Wyndham Case adds an entirely new layer of risk of which all corporate boards must be cognizant.
The Wyndham Case instructs that corporate boards must be very sensitive to the privacy policies they adopt and publish to the public, and must ensure that those policies can actually be honored through adequate investment in cybersecurity. Otherwise, corporate boards and the companies they represent could well face FTC scrutiny and enforcement action.
For example, although Wyndham’s cybersecurity policy looked solid on paper, the reality was that customer payment information was apparently stored unencrypted, passwords were easy to guess, and, after at least one breach, the company did not verify that the responsible malware had been removed from its systems, which led to yet another attack that could have been prevented. (The Legal Intelligencer, “No Out for Wyndham in Data Breach Case”, P.J. D’Annunzio, August 25, 2015; Corporate Counsel, “Appeals Courts [sic] Upholds FTC Cybersecurity Oversight”, Rebekah Mintzer, August 26, 2015.) Indeed, something as simple as adopting and enforcing a policy against weak passwords, and requiring best practices for choosing strong ones, can make all the difference; simply training employees to use strong passwords can keep the battle from being lost (Id.).
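The weak-password failure described above is the kind that a simple acceptance check catches at account creation or password change. The following is an added example, not code from the original post and not anything Wyndham used. It follows the NIST SP 800-63B approach to memorized secrets (a minimum length plus a blocklist of commonly used or breached values, rather than composition rules). The function names (`check_password`, `normalize`, `in_blocklist`), the 12-character minimum, the blocklist entries and the sample inputs are all constructed for illustration.

```python
"""
Password acceptance check modelled on NIST SP 800-63B section 5.1.1.2:
enforce a minimum length and reject values found in a blocklist of
commonly used or previously breached passwords, instead of composition
rules. Added illustration; the blocklist below is a constructed sample.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

MIN_LENGTH = 12   # assumption: local policy choice; 800-63B sets 8 as the floor
MAX_LENGTH = 128

# Constructed sample blocklist. A real deployment loads a breached-password
# corpus (for example a Pwned Passwords export) and keeps only the digests.
_SAMPLE_BLOCKLIST = [
    "password", "123456", "qwerty", "letmein", "welcome1", "admin",
    "changeme", "summer2015",
]


def _sha1_upper(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


# Store only SHA-1 digests, the format breached-password corpora are published in.
BLOCKLIST_SHA1 = {_sha1_upper(w.lower()) for w in _SAMPLE_BLOCKLIST}

# Undo common substitutions ("P@ssw0rd1!" -> "password") before the lookup.
_LEET = str.maketrans("0134$@", "oleasa")


def normalize(candidate: str) -> str:
    core = candidate.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # drop trailing digits/punctuation
    return core.translate(_LEET)


def in_blocklist(candidate: str) -> bool:
    """True if the raw or normalized candidate hashes to a blocklisted digest."""
    variants = {candidate.lower(), normalize(candidate)}
    return any(_sha1_upper(v) in BLOCKLIST_SHA1 for v in variants if v)


def _has_run(candidate: str, length: int = 4) -> bool:
    """Repeated ("aaaa") or sequential ("abcd", "4321") runs of `length` chars."""
    if re.search(r"(.)\1{%d,}" % (length - 1), candidate):
        return True
    codes = [ord(c) for c in candidate.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def check_password(candidate: str, username: str = "",
                   context_words: tuple[str, ...] = ()) -> PolicyResult:
    """Return whether `candidate` is acceptable and, if not, every reason why."""
    reasons: list[str] = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if in_blocklist(candidate):
        reasons.append("appears in the blocklist of common or breached passwords")
    lowered = candidate.lower()
    if len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the username")
    for word in context_words:   # company or product names, also easy to guess
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains context word {word!r}")
    if _has_run(candidate):
        reasons.append("contains a repeated or sequential run of characters")
    return PolicyResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("P@ssw0rd1!", "Jdoe-Rocks-2024!", "correct horse battery staple"):
        r = check_password(pw, username="jdoe", context_words=("HotelCo",))
        verdict = "ok" if r.accepted else "REJECT: " + "; ".join(r.reasons)
        print(f"{pw!r}: {verdict}")
```

The point of the normalization step is that a blocklist lookup on the raw string alone lets "P@ssw0rd1!" through even though it is "password" with the usual substitutions; the check also reports every failing rule at once, so the user sees what to fix instead of guessing.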
Important Practices for Corporate Boards
It is important for corporate boards to ensure that their companies’ cybersecurity practices are consistent with nationally and internationally recognized data security standards, and that adequate resources are deployed to implement those practices. (Id.) Likewise, as the Wyndham Case illustrates, contracts with franchisees (and, for that matter, any third-party vendors) should include protections for the franchisor and its network (Id.).
As the recent Target cases make painfully clear, it is of no moment whether a data breach originates with a third-party vendor or with the company itself; the result is the same: costly litigation and liability for the company. The Wyndham Case reinforces the need for companies and their boards to be fully cognizant of this risk and to protect against it through carefully crafted contracts with franchisees and third-party vendors (including, where appropriate, adequate cybersecurity insurance). Contracts allocate liability after the fact; limiting what a vendor’s or franchisee’s access can reach on the network is what prevents the breach in the first place.