Joanne Furtsch, Director of Product Policy
Saira Nayak, Director of Policy
Part I: The Legal Stuff
Since June 2012, Wyndham Hotels has been the focus of an FTC complaint alleging that the company acted “unfairly” when it failed to provide “reasonable” measures to secure customer data (Wyndham had suffered three data breaches in two years). In response, Wyndham filed a motion to dismiss – challenging the FTC’s authority to even bring such an action under Section 5 of the FTC Act, which prohibits “unfair” and “deceptive” practices (Covington & Burling has an excellent summary of the case so far, available here).
Last week, Judge Salas (District of New Jersey) denied Wyndham’s motion and allowed the FTC’s case to proceed. Her decision was significant because it was the first time a federal judge has weighed in on the scope of the FTC’s unfairness authority under Section 5.
For privacy watchers (including several of us at TRUSTe), this is an important case. The question of whether the FTC has the authority to regulate data security practices, and what that standard should be, has also received its fair share of attention from industry, prompting several amicus briefs (including this must-read from the US Chamber of Commerce et al.).
One of the central questions in this case is what constitutes “reasonable” when it comes to data security standards. As both Wyndham and the Chamber point out, the FTC has not articulated what this standard should be (the FTC has stated it can’t articulate such guidance, because industry standards change constantly in response to evolving threats and vulnerabilities).
Wyndham’s argument in response is that the FTC’s lack of guidance is essentially a constitutional violation of due process – because there’s no “fair notice” of the prohibited conduct. Judge Salas rejected that particular argument from Wyndham, stating that there was enough guidance in recent FTC complaints and orders for companies to develop reasonable data security practices. However, her ruling was in the context of whether the case should proceed – the issue will still need to be litigated. And we may not get a comprehensive answer, or the answer to other important issues in this case, if Judge Salas is reversed on appeal, or if Wyndham settles.
But one thing is clear. The FTC has emerged as the leading enforcer of data security practices (don’t forget the 4th Circuit’s recent decision in FTC v. Ross, affirming the FTC’s Section 5 authority in cybersecurity cases, including holding defendants personally liable for unfair and deceptive practices).
Plus, the lack of FTC guidance does not mean that there aren’t industry-defined best practices – including several embodied in TRUSTe’s own program requirements – for implementing reasonable data security measures. These are best practices that you should already be including in your data governance programs.
In the second part of this post, we outline six simple steps that are a must for any company that considers its customers’ personal data an asset.
Part II: The Best Practices
1. Make sure that your privacy disclosures reflect your actual practice.
If you talk the talk, then you need to walk the walk. Make sure you are doing what you say – especially when it comes to promises you are making in your privacy statement about how you manage the information you collect, process, share, and retain.
Look at the scope of your company’s privacy statement and how it is defined. Assess what the scope means and which aspects of your business it applies to. Take steps to verify that all your online properties (website, mobile app), products, services, business units and parties covered under the defined scope comply with your privacy disclosures and statements. When a company fails to abide by its stated privacy disclosures, it can open itself up to Section 5 liability. Just ask Goldenshores Technologies, maker of the popular “Brightest Flashlight” app, which failed to disclose that it was collecting and sharing consumer data – and now finds itself the subject of a 20-year FTC decree.
2. Be proactive and actively identify, monitor and address vulnerabilities.
Proactive management, backed by a plan of action for addressing vulnerabilities, helps prevent a data breach, and when one does occur it lets you escalate a response quickly. That breach plan should include a swift course of action: identify and remedy the problem quickly, then make sure it doesn’t happen again. One good resource to help you start creating such a plan is the 2014 Data Protection & Breach Readiness Guide, published by our friends at the Online Trust Alliance. And if you want to learn more about how not “patching” vulnerabilities can get you into Section 5 trouble, take a look at the FTC’s settlement with HTC over lack of “reasonable” data security practices.
3. Understand your data flows
Understanding how data flows throughout your organization, and to and from third parties, lets you develop a data flow map. A data flow map should be the first step when conducting a privacy assessment, as it identifies where potential risks exist and where additional in-depth assessments are needed.
4. Put password management rules in place and reinforce them frequently.
Review your password protocols and rules for customers, employees and vendors who have access to your information systems. Assess what type of information is accessed and put protocols and policies in place to manage which information is available to users.
Sensitive data will require stricter protocols, such as stronger passwords: rules for minimum password length and complexity (e.g. not allowing dictionary words and requiring the use of special characters). Passwords should have a set expiration period (e.g. six months), after which users are required to update their password. It may also be worth looking at the guidance on passwords in the FTC’s guidance to consumers on keeping personal data secure.
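As an added example (not code from the original post or from TRUSTe), the password rules described in this step can be written down as a policy object that reports every rule a candidate password breaks and flags accounts whose password is older than the six-month expiration period. The minimum length of 12, the word list and the sample account records are constructed assumptions for illustration.

```python
# Added example: a policy encoding the step-4 rules (minimum length, required
# special character, no dictionary words, fixed expiration period). The word
# list, the 12-character minimum and the sample records are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
import string

# Constructed stand-in for a real dictionary word list.
DICTIONARY_WORDS = frozenset({"password", "welcome", "summer", "hotel", "wyndham", "admin"})


@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_special: bool = True
    forbid_dictionary_words: bool = True
    max_age_days: int = 182            # roughly six months
    specials: str = string.punctuation
    dictionary: frozenset = DICTIONARY_WORDS

    def violations(self, password: str) -> list[str]:
        """Return every rule the candidate breaks; an empty list means compliant."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_special and not any(c in self.specials for c in password):
            problems.append("no special character")
        if self.forbid_dictionary_words:
            lowered = password.lower()
            # Reject dictionary words used whole or embedded ("Summer2014!" still fails).
            hits = sorted(w for w in self.dictionary if w in lowered)
            if hits:
                problems.append("contains dictionary word(s): " + ", ".join(hits))
        return problems

    def is_expired(self, last_changed: date, today: date) -> bool:
        """True once the password is older than the policy's expiration period."""
        return today - last_changed > timedelta(days=self.max_age_days)

    def accounts_due_for_reset(self, records: dict[str, date], today: date) -> list[str]:
        """Usernames whose last password change is past the expiration period."""
        return sorted(u for u, changed in records.items() if self.is_expired(changed, today))


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Summer2014!", "hotel", "x7#Qp!r2Lm9z"):
        print(candidate, "->", policy.violations(candidate) or "ok")
    # Constructed last-change dates for three accounts, checked as of 15 April 2014.
    sample = {"alice": date(2013, 9, 1), "bob": date(2014, 3, 20), "vendor-svc": date(2012, 1, 15)}
    print(policy.accounts_due_for_reset(sample, date(2014, 4, 15)))
```

The same `violations` check can run at password-change time for customers, employees and vendors alike, while `accounts_due_for_reset` is the kind of report a periodic job would produce to enforce the expiration rule.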
5. Manage access to data.
Plug the holes within your company’s systems to restrict and manage vendor access to data, and have processes in place to revoke vendor access when it is no longer required. Assess servers connecting to your network to verify that they do not have commonly known default IDs enabled that could leave systems vulnerable to unauthorized access.
By reviewing your system, you will also learn how business units within your organization or vendors use customer data. Assess who has access to customer data, what information they have access to and why they’re using it. Take steps, such as employing firewalls, to restrict access only to what is necessary for the business unit or vendor’s needs.
6. Encrypt sensitive data
Review how your organization classifies the data it collects and retains, and assess whether data classified as sensitive is transmitted and stored using encryption mechanisms. This also includes the login credentials that customers, employees, and vendors may use to access collected information. Encryption provides an extra layer of protection in the event of a data breach, making it less likely that sensitive data such as financial information, including credit card numbers, will be compromised. The FTC recently addressed the importance of protecting data in transit in its consent decrees against Fandango and Credit Karma.
Companies – including those that are certified by TRUSTe – are already using the steps outlined above to protect valuable customer data. For more information on how you can integrate similar best practices into your data governance programs, contact us today!