Federal court sets banana peel standard for consumer data protection

7 September 2015 by Steve Blum

Not best cybersecurity practice.

Companies that let bin loads of customer data get hauled away have one more thing to worry about: being sued by the Federal Trade Commission. A federal appeals court in Philadelphia ruled that the broad authority to police “unfair methods of competition in commerce” that Congress gave the FTC 100 years ago extends to cyberspace. That means the FTC can move ahead with legal action against Wyndham Hotels, which let crackers transfer data from more than 600,000 customers to a server based in Russia in 2008 and 2009.

The 47-page decision is mostly a discussion of what “unfair” means, but the bottom line is…

A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.

Wyndham’s objections included raising the specter of the FTC regulating banana peels. The court said yeah, that’s right:

Were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under [federal law].

We are therefore not persuaded by Wyndham’s arguments that the alleged conduct falls outside the plain meaning of “unfair.”

Judging from the decision, Wyndham’s data security practices were laughable. Its systems were widely dispersed over franchisees and vendors, and no one was watching the big picture. One vendor – Micros Systems, Inc. – used “micros” as both its user name and password.
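The “micros”/“micros” credential is the kind of thing a routine audit of vendor and franchisee accounts catches before a regulator does. The following is an added example, not code from the original post or from any party to the case: it runs a few hygiene checks (password equal to or containing the user name, password containing the vendor’s name, a common default password, and a short password) over a constructed list of account records. The account records and the default-password list are made-up assumptions for illustration.

```python
import re

# Constructed sample of service-account records, modelled on the kind of
# vendor/franchisee accounts the decision describes. These are made-up
# values, not data from the Wyndham case.
SAMPLE_ACCOUNTS = [
    {"vendor": "Micros Systems", "username": "micros", "password": "micros"},
    {"vendor": "Acme POS", "username": "acmeadmin", "password": "Acme2015!"},
    {"vendor": "Acme POS", "username": "svc_backup", "password": "password1"},
    {"vendor": "Franchise 42", "username": "frontdesk", "password": "x7#Qr9!vLp2m"},
]

# Small constructed list of commonly shipped default passwords (assumption:
# a real audit would use the vendor's documented defaults and a larger list).
COMMON_DEFAULTS = {"password", "password1", "admin", "123456", "welcome", "changeme"}


def _tokens(text):
    """Lower-case alphanumeric words of four or more characters,
    so 'Micros Systems' -> {'micros', 'systems'}."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if len(t) >= 4}


def audit_account(acct, min_length=12):
    """Return a list of finding codes for one account record (empty = no finding)."""
    user = acct["username"].lower()
    pw = acct["password"]
    pw_l = pw.lower()
    findings = []
    # Password identical to, or built from, the user name.
    if pw_l == user:
        findings.append("PASSWORD_EQUALS_USERNAME")
    elif user in pw_l:
        findings.append("PASSWORD_CONTAINS_USERNAME")
    # Password built from the vendor's or franchisee's name.
    if any(tok in pw_l for tok in _tokens(acct["vendor"])):
        findings.append("PASSWORD_CONTAINS_VENDOR_NAME")
    # Password on the constructed default list.
    if pw_l in COMMON_DEFAULTS:
        findings.append("COMMON_DEFAULT_PASSWORD")
    # Length floor for a service account.
    if len(pw) < min_length:
        findings.append("PASSWORD_TOO_SHORT")
    return findings


def audit_accounts(accounts, min_length=12):
    """Map username -> findings for every account that has at least one finding."""
    report = {}
    for acct in accounts:
        f = audit_account(acct, min_length)
        if f:
            report[acct["username"]] = f
    return report


if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

In practice this runs against an inventory of third-party and service accounts rather than a literal list in the source, and the point is the inventory itself: the decision faults Wyndham for having no one watching the big picture across franchisees and vendors, and a check like this is only as good as the account list it is fed.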

No telling yet how aggressive the FTC will be in managing consumer data security. It’s one thing to leave virtual banana peels all over the place, and another to fall prey to a sophisticated outside attack or an inside job – ask the federal Office of Personnel Management or the National Security Agency about that. If the FTC wants another test case, it need look no further than its own employee data.