In the United States, the Federal Trade Commission (FTC) has taken an aggressive regulatory approach in response to cybersecurity lapses in the private sector, commencing proceedings in a number of cases where consumers have suffered loss and damage as the result of cyber-attack.
Could this happen in Australia? So far, the Australian Competition and Consumer Commission (ACCC) has preferred to take an educational role in relation to cybercrime and cybersecurity.
The ACCC has powers under the Australian Consumer Law (ACL) that are analogous to statutory powers available to the FTC. If developments in the US are any guide, it is conceivable that the ACCC could look to take a more interventionist approach in the case of more serious and systemic IT security lapses, potentially including taking action under the ACL.
This article examines the case of Federal Trade Commission v Wyndham Worldwide Corporation1 and draws out important lessons to be learned and applied by Australian entities.
US Federal Trade Commission Act
The US Federal Trade Commission Act proscribes “unfair or deceptive acts or practices affecting commerce”2.
Since 2005, the FTC has exercised its statutory powers under this provision to protect consumers against corporations taking inadequate cybersecurity measures.
Federal Trade Commission v Wyndham Worldwide Corporation
The facts in the Wyndham case
“Wyndham Worldwide”4 is “a hospitality company that franchises and manages hotels and sells timeshares through three subsidiaries”5. At the time of these proceedings, there were approximately 90 independently-owned hotels utilising the Wyndham brand under licence as franchisees.
In an arrangement common in many franchise systems, each franchisee is required to purchase and configure a property management system which interfaces with a central data centre operated by Wyndham Worldwide.
Each hotel’s property management system processes customer information, including payment and credit card information.
Wyndham’s systems – including its corporate network and the hotels’ property management systems – were attacked on three occasions in 2008 and 2009. In 2008, hackers were able to obtain unencrypted information for more than 500,000 accounts which were “sent to a domain in Russia”6.
In a second attack in 2009, “hackers obtained unencrypted payment card information for approximately 50,000 consumers from the property management systems of 39 hotels.”7
And again, later in 2009, “hackers obtained payment card information for approximately 69,000 customers from the property management systems of 28 hotels”.8
Overall, the FTC alleges that:
the hackers obtained payment card information from over 619,000 consumers, which … resulted in at least $10.6 million in fraud loss.
The FTC has alleged a number of breaches of cybersecurity practices9, including the following:
- it was alleged that payment card information was stored in clear readable text
- it was alleged that franchisee property management systems were protected by “easily guessed passwords”; for example, in respect of one hotel’s system, which was developed by Micros Systems, Inc, “the user ID and password were both ‘micros’”10
- it was alleged that basic security measures, such as firewalls, were not employed to limit and control access between individual hotels’ property management systems, the corporate network and the internet
- it was alleged that individual hotels were permitted to access the corporate network via their property management systems without adequate safeguards and practices being in place; for example:
  - one franchisee’s property management system had not had security updates applied “in over three years”
  - it appears that in a number of cases, default user IDs and passwords were not changed
  - at the corporate network level, there was inadequate control over who could connect and have access to the corporate network, meaning the source of at least one cyber-attack could not be identified
  - third party vendor access to the corporate network and to franchisees’ systems was apparently poorly controlled; e.g., access was not limited to specified IP addresses and/or provided on a temporary, limited basis as required for a particular vendor to provide the relevant services
- it was alleged that reasonable measures were not in place to detect and prevent unauthorised access or to conduct security investigations
- it was alleged that proper “incident response procedures” were not followed, so that, despite there being three cyber-attacks in all, with similar methods used in each, Wyndham failed to sweep or monitor its systems for malware used in previous intrusions.
Comparing the US Federal Trade Commission Act with the ACL
The “unfair or deceptive acts or practices affecting commerce” provision of the US Federal Trade Commission Act has a number of direct parallels in our own Australian Consumer Law.
In addition, a number of other consumer protection provisions of the ACL are potentially enlivened by the scenario alleged by the FTC.
Misleading and deceptive?
Wyndham’s privacy policy at the relevant time included the following statement:
“We safeguard our Customers’ personally identifiable information by using industry standard practices. Although “guaranteed security” does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such [i]nformation consistent with all applicable laws and regulations … our Web sites utilize a variety of different security measures … including the use of 128-bit encryption based on a Class 3 Digital Certificate issued by VeriSign Inc. … We take commercially reasonable efforts to create and maintain “fire walls” and other appropriate safeguards”.
It was part of the FTC’s case (but not considered by the Court of Appeals) that such representations were “deceptive” within the meaning of 15 U.S.C. § 45(a).
In our view, the ACCC could take analogous action under s 18 of the ACL, if any such statements published in respect of security measures are “misleading and deceptive” or “likely to mislead or deceive” within the scope of s 18.
For example, a person may be induced, in reliance on a website statement about privacy and/or security measures, to transact online with an entity. The causal link to such policies and statements (for the purposes, for example, of an award of damages under s 236 of the ACL) is readily established by the requirement that a consumer “agree to” or “accept” such statements and other terms and conditions before engaging in transactions on a website.
Other provisions of the ACL
It is not difficult to envisage Wyndham-type scenarios potentially giving rise to ACCC action under other provisions of the ACL, including:
- s 19(1)(b): false or misleading representation that services are of a particular standard
- s 34: misleading conduct as to the nature, the characteristics or suitability for purpose of services
- s 60: guarantee that services will be rendered with due care and skill
- s 61: guarantee that services will be reasonably fit for purpose.
In the Wyndham scenario, although the group’s primary business is providing holiday accommodation, in the author’s view, it is strongly arguable that Wyndham is also providing accommodation booking, reservation and payment services, providing a tie-in for the ACL provisions referred to above.
Will the Government tell us what to do?
Commonwealth agencies, in particular security agencies such as the Australian Signals Directorate, have for some years now been publishing cybersecurity guidance and recommendations for businesses. ASIC has also published recommendations in this area.14
The Wyndham case tells us that corporations would do well to avail themselves of such free advice, if they have not already done so.
It was an element of Wyndham’s appeal case that the FTC had “failed to give fair notice of the specific cybersecurity standards the company was required to follow”.15
The Court of Appeals rejected this argument, citing an FTC publication from 2007 which counselled against many of the failures in Wyndham’s cybersecurity policies alleged by the FTC. Those FTC recommendations covered areas such as:
- encrypting sensitive information stored on a computer network
- installing patches and updates to ensure the latest identified security vulnerabilities are addressed
- using firewalls
- setting access controls
- using “strong” passwords (and in particular, changing default passwords)
- developing a breach plan.
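The lapses alleged against Wyndham (clear-text card data, default credentials, unpatched systems, no firewall segmentation, open-ended vendor access, no sweep for indicators after earlier intrusions) and the FTC’s 2007 recommendations listed above describe the same handful of controls. The script below, added here as an illustration and not taken from the article, the judgment or any Wyndham system, encodes those controls as an audit over a constructed host inventory. The inventory, the field names (`stores_pan_in_clear`, `patched_on`, `firewalled_from` and so on) and the 90-day and 30-day policy thresholds are assumptions made for the example; the ‘micros’/‘micros’ credential is the one quoted in the judgment, and the other default pairs are generic placeholders.

```python
"""Audit a host inventory against the controls at issue in FTC v Wyndham.

Added illustration; not code from the article, the judgment or any Wyndham
system.  The inventory, field names and thresholds are constructed
assumptions.  The 'micros'/'micros' pair is the credential quoted in the
judgment; the other default pairs are generic placeholders."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

KNOWN_DEFAULT_CREDENTIALS = {("micros", "micros"), ("admin", "admin"), ("admin", "password")}
MAX_PATCH_AGE_DAYS = 90        # assumed policy: security updates no older than a quarter
MAX_VENDOR_ACCESS_DAYS = 30    # assumed policy: vendor access must expire, not stand open


@dataclass
class VendorAccess:
    vendor: str
    source_cidrs: List[str]            # empty list == reachable from any address
    expires: Optional[date]            # None == standing access


@dataclass
class Host:
    name: str
    zone: str                          # "pms" (hotel system) or "corporate"
    username: str
    password: str
    patched_on: date
    stores_pan_in_clear: bool
    firewalled_from: Set[str] = field(default_factory=set)   # zones it is segmented from
    vendor_access: List[VendorAccess] = field(default_factory=list)
    swept_for_iocs: bool = False       # checked for indicators from earlier intrusions


def audit_host(host: Host, today: date, prior_intrusions: int = 0) -> List[str]:
    """One finding per failed control; an empty list means the host passes."""
    findings = []
    if host.stores_pan_in_clear:
        findings.append(f"{host.name}: payment card data stored in clear text")
    if (host.username, host.password) in KNOWN_DEFAULT_CREDENTIALS or host.username == host.password:
        findings.append(f"{host.name}: default or trivially guessable credentials")
    age = (today - host.patched_on).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"{host.name}: no security updates for {age} days")
    # A hotel system must be firewalled from the internet and the corporate
    # network; a corporate host from the internet and the hotel systems.
    required = {"internet", "corporate" if host.zone == "pms" else "pms"}
    missing = required - host.firewalled_from
    if missing:
        findings.append(f"{host.name}: no firewall between host and {', '.join(sorted(missing))}")
    for va in host.vendor_access:
        if not va.source_cidrs:
            findings.append(f"{host.name}: vendor {va.vendor} access not limited to source IP ranges")
        if va.expires is None or (va.expires - today).days > MAX_VENDOR_ACCESS_DAYS:
            findings.append(f"{host.name}: vendor {va.vendor} access is standing, not time-bound")
    # Incident response: after an intrusion, every host is swept for the
    # indicators (malware, accounts, tooling) observed in that intrusion.
    if prior_intrusions and not host.swept_for_iocs:
        findings.append(f"{host.name}: not swept for indicators from {prior_intrusions} earlier intrusion(s)")
    return findings


def audit_fleet(hosts: List[Host], today: date, prior_intrusions: int = 0) -> Dict[str, List[str]]:
    """Map each host name to its list of findings."""
    return {h.name: audit_host(h, today, prior_intrusions) for h in hosts}


# Constructed sample inventory: one hotel system exhibiting the alleged lapses,
# one hardened hotel system, and one corporate host with a single gap.
AUDIT_DATE = date(2009, 6, 1)
SAMPLE_HOSTS = [
    Host("hotel-a-pms", "pms", "micros", "micros", date(2006, 3, 1), True,
         vendor_access=[VendorAccess("pos-vendor", [], None)]),
    Host("hotel-b-pms", "pms", "svc-pms-b", "Zq9!wL4r-pmsB", AUDIT_DATE - timedelta(days=20), False,
         firewalled_from={"internet", "corporate"},
         vendor_access=[VendorAccess("pos-vendor", ["203.0.113.0/24"], AUDIT_DATE + timedelta(days=7))],
         swept_for_iocs=True),
    Host("corp-gateway", "corporate", "netops", "long-unique-passphrase", AUDIT_DATE - timedelta(days=5), False,
         firewalled_from={"internet"}, swept_for_iocs=True),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_HOSTS, AUDIT_DATE, prior_intrusions=2).items():
        print(name, "PASS" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run as written, the first hotel system fails seven checks, the hardened one passes, and the corporate host fails only the segmentation check against the hotel systems. The point of the structure is that each bullet in the FTC’s list becomes a rule with a measurable threshold, which is what an organisation needs if it wants to show that its practice was consistent with the published guidance the court relied on.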
Many similar recommendations can be found in various Commonwealth publications and guidance16 and also in industry-published standards and codes of practice.17
If the ACCC decides to follow the lead of the FTC in the area of cybersecurity, woe betide the organisation that has not implemented cybersecurity standards consistent with such published guidance (to the extent relevant).18
So far the ACCC has not made any moves to go down the litigation path in this area. However, it would seem that FTC-type actions could be open to the ACCC in suitable circumstances.
This seems to us to be another reason, if one were needed, for corporations to take cybersecurity issues very seriously, including at senior management and board levels. Nobody will want to be the first to be a test case for the ACCC flexing its potential muscle in this area, on top of all of the other pain that a cyberbreach would inflict.
In particular, corporations should:
- take reasonable cybersecurity measures to protect customer information and access to their systems (and, where relevant, those of their franchisees)
- ensure that cybersecurity measures, at a minimum, meet requirements identified in relevant government and industry publications
- check public statements, including those published on websites, in relation to cybersecurity measures to ensure that such statements are not misleading and deceptive.
Sean Field | Special Counsel
T +61 3 9258 3397
1 Federal Trade Commission v Wyndham Worldwide Corporation, a Delaware Corporation; Wyndham Hotel Group, LLC, a Delaware limited liability company; Wyndham Hotels and Resorts, LLC, a Delaware limited liability company; Wyndham Hotel Management Incorporated, a Delaware Corporation; Wyndham Hotels and Resorts, LLC, Appellant; United States Court of Appeals for the Third Circuit, No. 14-3514 (Court of Appeals Judgment).
2 15 U.S.C. § 45(a).
3 The author is indebted to the Australian Strategic Policy Institute’s “Cyber wrap” of 2 September 2015, by Zoe Hawkins, for bringing this judgment to his attention: http://www.aspistrategist.org.au/cyber-wrap-86/. The author of this article also commends to readers the media reporting in the US on this case as referenced in ASPI’s Cyber wrap, for example, “Court ruling leads to fears of FTC litigation on cybersecurity” by Katie Bo Williams on thehill.com at http://thehill.com/policy/cybersecurity/252217-court-rules-leads-to-fears-of-ftc-litigation-on-cybersecurity.
4 Wyndham Worldwide Corporation, a Delaware Corporation.
5 All defendants in the District Court action – see Federal Trade Commission v Wyndham Worldwide Corporation, p.7, para. I.A. In keeping with the Court of Appeals judgment, when used in this article, the term “Wyndham” will refer generally to all of the defendants.
6 Court of Appeals Judgment, p.10.
7 Court of Appeals Judgment, p.11.
8 Court of Appeals Judgment, p.11.
9 Court of Appeals Judgment, pp.7-10.
10 Court of Appeals Judgment, p.8.
11 The author consulted the Wyndham Group’s current “Privacy Notice” at http://www.wyndham.com/terms-policy/privacy-policy on 4 September 2015 at 10.23 am AEST and notes that the section headed “How Do We Safeguard Your Information?” now provides as follows:
Security of Your Information: We will take reasonable steps to protect the information you provide us from loss, misuse and unauthorized access, disclosure, alteration and destruction. We have implemented appropriate physical, electronic and managerial procedures to help safeguard and secure your information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Unfortunately, no security system is 100% secure, thus we cannot ensure the security of information that you provide to us via the Services.
12 Court of Appeals Judgment, p.9.
13 Court of Appeals Judgment, p.10.
14 See ASIC Report no. 429, Cyber Resilience: Health check, March 2015.
15 Court of Appeals Judgment, p.26.
16 See for example, ASD’s “Strategies to Mitigate Targeted Cyber Intrusions”, February 2014; “Cloud Computing Security Considerations”, April 2011, updated September 2012; “Questions senior management need to be asking about cyber security”, updated August 2012.
17 For an indicative list of IT security standards published by AusCERT, see https://www.auscert.org.au/render.html?it=2248. For standards relating specifically to the card payments industry, see https://www.pcisecuritystandards.org/. For ISPs, see Industry Code C650:2014, Internet Service Providers Voluntary Code of Practice, published by the Communications Alliance Ltd.
18 Such published guidance can also provide some content to Australian Privacy Principle (APP) no. 11 under the Privacy Act 1988 (Cth). APP 11 requires APP entities to “take such steps as are reasonable in the circumstances” to protect personal information from misuse, interference and loss; and unauthorised access, modification or disclosure.