By: Aaron Krowne

A heated battle regarding the general province of federal regulators over businesses’ privacy and data security practices is currently raging. We are referring to the pending case of FTC v. Wyndham Worldwide Corp., which is being much-watched in the data security world. It pits, on one side, the Federal Trade Commission (“FTC”), with its general authority to prevent “unfair or deceptive trade practices,” against Wyndham Worldwide Corp. (“Wyndham”), a hotel chain-owner which was recently hit by a series of high-profile data breach hack-attacks. The main question to be decided is: does the FTC’s general anti-“unfair or deceptive” authority translate into a discretionary (as opposed to regulatory) power over privacy and data security practices?

Background of the Case

On July 30, 2014, FTC v. Wyndham was accepted on appeal to the Third Circuit, after Wyndham failed in its attempt to have the case dismissed. However, Wyndham was granted an interlocutory appeal, meaning that the Circuit Court considered the issues it raised important enough to determine the outcome of the case, and thus agreed to hear an appeal immediately.

The case stems from a series of data breaches in 2008 and 2009 resulting from the hacking of Wyndham computers. It is estimated that personal information of upwards of 600,000 Wyndham customers was stolen, resulting in over $10 million lost through fraud (i.e., credit card fraud).

The FTC filed suit against Wyndham for the breach under Section 5 of the FTC Act, alleging (1) that the breach was due to a number of inadequate security practices and policies, and was thus unfair to consumers; and (2) that this conduct was also deceptive, as it fell short of the assurances given in Wyndham’s privacy policy and its other disclosures to consumers.

The security inadequacies cited by the FTC present a virtual laundry-list of cringe-worthy data-security faux pas, including: failing to employ firewalls; permitting storage of payment card information in clear readable text; failing to make sure Wyndham-branded hotels implemented adequate information security policies and procedures prior to connecting their local computer networks to Hotels and Resorts’ (Wyndham’s parent company’s) network; permitting Wyndham-branded hotels to connect unsecure servers to the network; utilizing servers with outdated operating systems that could not receive security updates and thus could not remedy known vulnerabilities; permitting servers to have commonly-known default user IDs and passwords; failing to employ commonly-used methods to require user IDs and passwords that are difficult for hackers to guess; failing to adequately inventory computers connected to the network; failing to monitor the network for malware used in a previous intrusion; and failing to restrict third-party access.

Most people with basic knowledge of data security would agree that these alleged practices of Wyndham are highly disconcerting and do fall below commonly-accepted industry standards, and thus, anyone partaking in such practices should be exposed to legal liability for any damage that results from them. The novel development with this case is the FTC’s construction of such consumer-unfriendly practices as “unfair” under Section 5 of the FTC Act, which thus brings them under its purview for remedial and punitive action.

Wyndham resisted the FTC’s enforcement action by attempting to dismiss the case, arguing (1) that poor data security practices are not “unfair” under the FTC Act, and that (2) regardless, the FTC must make formal regulations outlining any data security practices to which its prosecutorial power applies, before filing suit.

Wyndham’s dismissal attempt based on these arguments was resoundingly rejected by the District Court. This Court’s primary rationale was, in effect, its observation that the FTC Act, with Section 5’s “unfair and deceptive” enforcement power, was intentionally written broadly, thus implying that the FTC has domain over any area of corporate practice significantly impacting consumers. Additionally, this broad drafting provides that this power is largely discretionary, which would be defeated by requiring it always be reduced to detailed regulations in advance.

Addressing the “unfairness” question directly, the FTC argued (and the District Court agreed) that, in the data-security context, “reasonableness [of the practices] is the touchstone” for Section 5 enforcement, and that, particularly, “unreasonable data security practices are unfair.” As to defining unreasonable security practices, Wyndham advocated a strict “ascertainable certainty” standard (i.e., specific regulations set out in advance), but the District Court (again, siding with the FTC) shot back that “reasonableness provides ascertainable certainty to companies.” This argument seems almost circular and fails to define what exactly is “reasonable” in this context. But the District Court observed that in other areas of federal enforcement (e.g., the National Labor Relations Board and the Occupational Safety and Health Act), an unwritten “reasonableness” standard is routinely used in the prosecution of cases. Typically, in such cases, reference is made to prevailing industry standards and practices, which, as the District Court observed, Wyndham itself referenced in its privacy policy.

Fears & Concerns

The upshot of the case is that if the FTC’s assertion of the power to enforce “reasonable” data security practices is affirmed, all privacy and data security policies must be “reasonable.” This will in turn mean that such policies must not be “unfair” generally, and also not “deceptive” relative to companies’ privacy policies. In effect, the full force of federal law, policed by the FTC, will appear behind privacy and data security policies – albeit, in a very broad and hard to characterize way. This is in stark contrast to state privacy and data security laws (such as Delaware’s, California’s or Florida’s), which generally consist of more narrowly-tailored, statutorily-delimited proscriptions.

While consumers and consumer advocates will no doubt be heartened by the Court’s broad read on the FTC’s protective power in the area of privacy and data security, not surprisingly, there are fears from both businesses and legal observers about such a new legal regime. Some of these concerns include:

  • Having the FTC “lurking over the shoulders” of companies to “second guess” their privacy and security policies.
  • A situation where the FTC is, in effect, “victimizing the victim” – prosecuting companies after they’ve already been “punished” by the direct costs and public fallout of a data breach.
  • Lack of a true industry standard against which to define “reasonable” privacy and data security policies.
  • A “checklist culture” (as opposed to a risk-based data security approach) as the FTC’s de facto data security requirements develop through litigation.
  • A wave of class-action lawsuits emboldened by FTC “unfair and deceptive” suits.
  • Uncertainty: case-by-case consent orders that provide little or no guidance to non-parties.

These concerns are definitely real, but likely will not result in much (if any) push-back in Wyndham’s favor in the District Court. That is because, while the FTC may not have asserted power over data security practices in the past (as Wyndham made sure to point out in its arguments), there is little in the FTC’s governing charter or relevant judicial history to prevent it from doing so now. Simply put, regulatory agencies can change their “minds,” including regarding what is in their regulatory purview – so long as the field in question is not explicitly beyond their purview. Given today’s new reality of omnipresent social networks and sensitive, cloud-resident consumer data, we can hardly blame the FTC for re-evaluating its late-90s-era stance.

No Going Back

Uncle Sam is coming, in a clear move to regulate privacy and data security and protect consumers. As highlighted recently in the New York Attorney General’s report on data breaches, the pressure is only growing to do something about the problem of dramatically-increasing data breaches. As such, it was only a matter of time until the Federal Government responded to political pressure and “got into the game” already commenced by the states.

Thus, while the precise outcome of FTC v. Wyndham cannot be predicted, it is overwhelmingly likely that the FTC will “get what it wants” broadly speaking; either with the upholding of its asserted discretionary power, or instead, by being forced to pass more detailed regulations on privacy and data security.

Either way, this case should be a wake-up call to businesses, many of whom are in fact already covered by state laws relevant to privacy and data security, but whom perhaps haven’t felt the inter-jurisdictional litigation risk is significant enough to ensure their policies and practices are compliant with those of the strictest states (such as California and Florida; or even other nations’, such as Canada).

The precise outcome of FTC v. Wyndham notwithstanding, the federal government will henceforth be looking more closely at all data breaches in the country – particularly major ones – and may be under pressure to act quickly and stringently in response to public outcry. But “smaller” breaches will most certainly be fair game as well; thus, small- and mid-sized businesses should take heed as well. That means getting in touch with a certified OlenderFeldman privacy and data security attorney to make sure your business’s policies and procedures genuinely protect you and your users and customers… and put you ahead of the blowing “Wynds of change” of federal regulation.

Survey finds that only 61.3% of apps have privacy policies, reflecting perceived need for increased app privacy regulations.

By Alice Cheng

A recent survey conducted by the Future of Privacy Forum (FPF) examined whether popular free and paid mobile apps provided users with access to a privacy policy. The survey found that 61.3% of the 150 apps examined had a privacy policy, and that more free apps than paid apps had privacy policies. While the number of apps with privacy policies is still low, these findings mark an overall increase from the previous year.

The FPF credits the consumer privacy efforts of various groups, including the Federal Trade Commission and the California Attorney General. The FTC has made continuous efforts to help companies develop best consumer privacy practices, and has been involved in battling privacy violations. In February, California Attorney General Kamala Harris persuaded six major companies with mobile platforms (including Apple, Microsoft, and Google) to ensure that app developers include privacy policies that comply with the California Online Privacy Protection Act. More recently, Harris also announced the formation of the Privacy Enforcement and Protection Unit to oversee privacy issues and to ensure that companies are in compliance with the state’s privacy laws.

Together with the FPF survey results, these recent strides reflect a growing nationwide concern for information privacy. However, mere access to privacy policies does not ensure that consumers are aware of what happens to information collected about them. Many policies are long and onerous, and can be confusing for consumers. As many privacy laws focus on protecting the consumer’s privacy interests, providing a clear privacy policy is oftentimes a best practice for all companies.

Check Cloud Contracts for Provisions Related to Privacy, Data Security and Regulatory Concerns

“Cloud” Technology Offers Flexibility, Reduced Costs, Ease of Access to Information, But Presents Security, Privacy and Regulatory Concerns

With the recent introduction of Google Drive, cloud computing services are garnering increased attention from entities looking to more efficiently store data. Specifically, using the “cloud” is attractive due to its reduced cost, ease of use, mobility and flexibility, each of which can offer tremendous competitive benefits to businesses. Cloud computing refers to the practice of storing data on remote servers, as opposed to on local computers, and is used for everything from personal webmail to hosted solutions where all of a company’s files and other resources are stored remotely. As convenient as cloud computing is, it is important to remember that these benefits may come with significant legal risk, given the privacy and data protection issues inherent in the use of cloud computing. Accordingly, it is important to check your cloud computing contracts carefully to ensure that your legal exposure is minimized in the event of a data breach or other security incident.

Cloud computing allows companies convenient, remote access to their networks, servers and other technology resources, regardless of location, thereby creating “virtual offices” which allow employees remote access to their files and data that is identical in scope to the access they have in the office. The cloud offers companies flexibility and scalability, enabling them to pool and allocate information technology resources as needed, by using the minimum amount of physical IT resources necessary to service demand. These hosted solutions enable users to easily add or remove storage or processing capacity as needed to accommodate fluctuating business needs. By utilizing only the resources necessary at any given point, cloud computing can provide significant cost savings, which makes the model especially attractive to small and medium-sized businesses. However, the rush to use cloud computing services for their various efficiencies often comes at the expense of data privacy and security concerns.

The laws that govern cloud computing are (perhaps somewhat counterintuitively) geographically based on the physical location of the cloud provider’s servers, rather than the location of the company whose information is being stored. American state and federal laws concerning data privacy and security tend to vary, while servers in Europe are subject to more comprehensive (and often more stringent) privacy laws. However, this may change, as the Federal Trade Commission (FTC) has been investigating the privacy and security implications of cloud computing as well.

In addition to location-based considerations, companies expose themselves to potentially significant liability depending on the types of information stored in the cloud. Federal, state and international laws all govern the storage, use and protection of certain types of personally identifiable information and protected health information. For example, the Massachusetts Data Security Regulations require all entities that own or license personal information of Massachusetts residents to ensure appropriate physical, administrative and technical safeguards for that personal information (regardless of where the companies are physically located), with fines of up to $5,000 per incident of non-compliance. That means that companies are directly responsible for the actions of their cloud computing service provider. OlenderFeldman LLP notes that some information is inappropriate for storage in the cloud without proper precautions. “We strongly recommend against storing any type of personally identifiable information, such as birth dates or social security numbers, in the cloud. Similarly, sensitive information such as financial records, medical records and confidential legal files should not be stored in the cloud where possible,” he says, “unless it is encrypted or otherwise protected.” In fact, even a data breach related to non-sensitive information can have serious adverse effects on a company’s bottom line and, perhaps more distressing, its public perception.

Additionally, the information your company stores in the cloud will also be affected by the rules set forth in the privacy policies and terms of service of your cloud provider. Although these terms may seem like legal boilerplate, they may very well form a binding contract which you are presumed to have read and consented to. Accordingly, it is extremely important to have a grasp of what is permitted and required by your cloud provider’s privacy policies and terms of service. For example, the privacy policies and terms of service will dictate whether your cloud service provider is a data processing agent, which will only process data on your behalf, or a data controller, which has the right to use the data for its own purposes as well. Notwithstanding the terms of your agreement, if the service is being provided for free, you can safely presume that the cloud provider is a data controller who will analyze and process the data for its own benefit, such as to serve you ads.

Regardless, when sharing data with cloud service providers (or any other third party service providers), it is important to obligate third parties to process data in accordance with applicable law, as well as your company’s specific instructions — especially when the information is personally identifiable or sensitive in nature. This is particularly important because, in addition to the loss of goodwill, most data privacy and security laws hold companies, rather than service providers, responsible for compliance with those laws. That means that your company needs to ensure the data’s security, regardless of whether it is in a third party’s (the cloud provider’s) control. It is important for a company to agree with the cloud provider as to the appropriate level of security for the data being hosted. Christian Jensen, a litigation attorney at OlenderFeldman LLP, recommends contractually binding third parties to comply with applicable data protection laws, especially where the law places the ultimate liability on you. “Determine what security measures your vendor employs to protect data,” suggests Jensen. “Ensure that access to data is properly restricted to the appropriate users.” Jensen notes that since data protection laws generally do not specify the levels of commercial liability, it is important to ensure that your contract with your service providers allocates risk via indemnification clauses, limitation of liabilities and warranties. Businesses should also reserve the right to audit the cloud service provider’s data security and information privacy compliance measures, in order to verify that third party providers are adhering to their stated privacy policies and terms of service. Such audits can be carried out by an independent third party auditor, where necessary.

What do I need to look for in a privacy policy?

Privacy policies are long, onerous and boring. Most consumers never read them, even though they constitute a binding contract. Here is a handy checklist of some quick things to skim for.

As we’ve previously discussed, even “non-sensitive” information can be very sensitive under certain circumstances. When reviewing a company’s privacy policy, you should focus on determining the following:

  • The type of information gathered by the website, including information which is voluntarily provided (e.g., name, date of birth, etc.) and electronic information (e.g., tracking cookies).
  • What information is optional (i.e., requested but not required for website use) versus what information you must provide if you want to use the website.
  • With whom your information is shared, and, if it is shared with affiliates, the identity of those affiliates. The more information you provide, the more concerned you should be about this answer.
  • How your information is used (e.g., for targeted advertising, for general marketing, for selling data to third parties, etc.). As above, the more information you provide, the more concerned you should be about this answer.
  • How long the website retains your information, and similarly, what rights you have to have all of your information deleted by the website (including information the website has already shared with third parties).

Generally speaking, all website users should start with the assumption that all information provided is optional and will ultimately be shared with other companies or individuals. Starting with that assumption makes it psychologically easier to skim through the privacy policy or terms and conditions and pick out the exceptions which may protect your privacy. If you are unable to quickly pick out those exceptions, or if the language is too confusing, proceed with caution and assume your information will not be kept confidential – a decision which will dictate how and whether you proceed on the website. Better to be safe than sorry with the information you provide.

On Tuesday, October 18th, a 40-something-year-old actress filed a lawsuit against IMDb and Amazon for publishing her real name and age on IMDb’s website. Entertainment Weekly asked Michael J. Feldman, Esq., CIPP, to weigh in on the merits of the plaintiff’s privacy claim.

Feldman, a partner at OlenderFeldman who is not involved in the IMDb suit, believes “the most pivotal issue in the case” will be the clarity of IMDb’s Privacy Policy and Subscriber Agreement. According to Feldman, IMDb’s “mistake here is that neither the Privacy Policy nor the Subscriber Agreement are clear as to the purpose for obtaining credit card information, and how that information will be used.” Without that confusion, Feldman speculated that IMDb could have avoided this lawsuit altogether. Still, he agreed that Doe “has numerous hurdles to overcome,” primarily that she “appears to confuse promises made in those agreements concerning security of information provided to IMDb and the privacy rights afforded to subscribers of the website.”

Making the case even less promising, Feldman thinks the $1 million price tag on Doe’s suit is unreasonable: “She will have an extremely difficult time proving damages under the facts alleged.” Added Feldman, a founding member of privacy and data protection consulting firm Acentris: “Even if IMDb is at fault, damages are limited to the total amount [she] paid” as an IMDbPro subscriber.

To read more on this intriguing matter, click here.