"On the Hook" With the FTC: Companies can be Held Accountable for Inadequate CyberSecurity Programs

Segal McCambridge Litigation Blog
September 9, 2015

A company that fails to develop and maintain a reasonable cybersecurity program exposes itself to potential liability with the Federal Trade Commission. In today’s day and age, the risk of a cyberattack is well known, and no company can reasonably take the position that this risk is unforeseeable. Last week, a federal court addressed these very issues in an opinion which highlights the critical importance of cybersecurity. In FTC v. Wyndham Worldwide Corp., 2015 WL 4998121 (3d Cir. August 24, 2015), a federal appellate court held that a company which fails to maintain reasonable and appropriate data security to protect consumers’ sensitive personal information can be subject to liability for unfair business competition. The court’s decision reaffirms the authority of the FTC to take administrative actions against companies with deficient cybersecurity.

In this case, hackers stole, from Wyndham, personal and financial information for hundreds of thousands of its customers, which resulted in $10.6 million in fraudulent charges. The FTC then sued Wyndham in federal court, charging it with unfair business practices and contending that its privacy policy deceived customers.

In support of its complaint, the FTC leveled specific allegations against Wyndham, including that it (1) allowed the use of passwords that were easy to guess, (2) utilized an insufficient firewall as well as an out-of-date operating system, (3) failed to limit the access of third-party vendors to its servers and networks, and (4) failed to adhere to appropriate incident response procedures. The FTC also alleged that Wyndham failed to act consistently with its privacy policy. The legal opinion explains that a company has acted unreasonably when it fails to "make good" on the promises stated in its security or privacy policy, or fails to develop and maintain an adequate cybersecurity program.

Notably, this case involved three separate cyberattacks against Wyndham in 2008 and 2009, and Wyndham was unaware of at least one of the attacks for two months, during which time the hackers had access to its network. The fact that Wyndham was, itself, a victim of cyberattacks does not immunize it from liability, and the occurrence of multiple attacks highlighted the purported inadequacy of Wyndham’s cybersecurity. The court also emphasized that Wyndham could not reasonably take the position that the risk of a cyberattack was unforeseeable.

It is abundantly clear that the failure to adhere to best practices or industry standards in the cybersecurity arena can detrimentally impact a business. History shows that inadequate or non-existent cybersecurity can lead to liability, significant cost, and lost business. In some cases, a cyber event can even force a company to close its doors. Fortunately, there are steps that a company can take now to minimize the risk of a cyberattack. In addition to the development and maintenance of a cybersecurity program, best practices require corporations to develop an incident response plan that is triggered in the event of a breach. The involvement of legal counsel in this area is critical, in order to ensure the protection of the attorney-client privilege. The Wyndham case is a sobering reminder of the realities faced by companies in today’s business climate.