Today's Trends in Credit Regulation

New FTC Complaint is a Reminder to Safeguard Your Customer Data
By Joel C. Winston

Just two weeks after announcing settlements with an auto dealer and a debt collector over their shoddy data security practices (see “FTC Charges Car Dealer and Debt Collector with Exposing Sensitive Personal Information on File Sharing Networks,” from the June edition of Basis Points), the Federal Trade Commission filed another data security case against Wyndham Hotels on June 26. This latest “shot across the bow” is another reminder that dealers, lenders – and anyone else who stores sensitive personal information – must be proactive in protecting that data.

The FTC brought its case against four companies in the Wyndham family following a series of three (!) major data breaches of Wyndham’s computer networks by identity thieves in less than two years. The FTC charged that, because of multiple shortcomings in Wyndham’s security procedures, hackers were able to steal the payment card information of hundreds of thousands of Wyndham customers. The information was then transferred to an Internet domain address in Russia (where many of the largest identity theft rings operate); ultimately, consumers reported millions of dollars in fraudulent charges on their credit and debit cards.

Some background on how Wyndham does business is useful to understand what happened. Wyndham and its subsidiaries license the Wyndham name to 90 or so independently owned hotels. Each Wyndham-branded hotel has its own computer system that handles credit and debit card transactions and stores account numbers, expiration dates, and security codes. These individual systems connect to the Internet and to the Wyndham corporate network.

According to the FTC complaint, the first breach occurred when intruders hacked into the local network of an individual Wyndham hotel, which gave them access to the corporate network and the networks of 41 other individual hotels. Once inside, the intruders were able to open files that stored account information in clear (unencrypted) text. Less than a year later, intruders used similar techniques to again access the corporate network and again grab account information. The third breach occurred just a few months later, with the intruders gaining access to the corporate network and the networks of 28 individual Wyndham hotels.

The FTC complaint catalogs a host of deficiencies in Wyndham’s data security procedures:

  • Failing to limit access between the individual hotel systems and the corporate network;
  • Storing payment card information in clear, readable text;
  • Failing to ensure that the individual hotels implemented adequate safeguards before permitting them to connect with the corporate network;
  • Failing to remedy known security vulnerabilities (including using outdated operating systems that could not receive security updates or patches);
  • Allowing the use of easily guessed default user IDs and passwords;
  • Failing to have procedures for detecting and preventing unauthorized access;
  • Failing to have adequate incident response procedures; and
  • Failing to adequately restrict third-party vendors’ access to the corporate and individual hotel systems.

The FTC challenged these practices under the FTC Act, which bans unfair or deceptive practices, on two grounds: Wyndham’s privacy policy that claimed it had strong data protections was deceptive, and its failure to exercise sufficient caution, resulting in millions of dollars in consumer injury, was an unfair practice. Note that, unlike every other past FTC data security case, there is no settlement at this point, and the case will be tried in federal court.

So, what relevance does this case have for dealers and lenders? All dealers and lenders collect reams of sensitive consumer information, both from customers and employees. In some cases, individual networks and corporate networks may interconnect. Also, most dealers and lenders use various third-party vendors who may have access to their systems. No doubt, most dealers and lenders have made at least some effort to adopt data security procedures that address these concerns. But, when is the last time you actually tested and updated your procedures to respond to ever-changing threats? Data security is not a static, one-time obligation – it needs to be integrated into your operations on a permanent and ongoing basis. It sounds daunting … and expensive. No doubt, having adequate data security requires attention and money. Remember, though, that the FTC isn’t demanding perfection, only “reasonable” procedures.

Bottom line: The “ostrich” approach won’t get it done. You should be taking steps now to avoid being the next target of a hacker or, ultimately, FTC prosecution.

Joel C. Winston is a partner in the Washington, D.C., office of Hudson Cook, LLP. He can be reached at 202-327-9716 or by email at jwinston@hudco.com.

Copyright © 2024 CounselorLibrary.com, LLC. All rights reserved.