The hospitality industry is an attractive target for criminals who want to steal a valuable asset: data. However, the damage caused by a data breach extends beyond theft. It can include, among other things, the impact on a company’s reputation and lost consumer confidence. And even though the company was itself the victim of the crime, the injury may be compounded by regulatory action and penalties for failing to comply with privacy and cyber security laws and regulations.
Since 2000, the Federal Trade Commission (the “FTC”), the agency tasked with enforcing consumer protection laws, has positioned itself as the principal federal agency regulating privacy and cyber security. The primary statute relied upon by the FTC is Section 5 of the FTC Act, which contains a very broad definition of unfair and deceptive acts or practices. In August 2015, the Third Circuit Court of Appeals affirmed the FTC’s authority to regulate unfair and deceptive cyber security practices in F.T.C. v. Wyndham Worldwide Corporation.
The Wyndham case stems from an FTC investigation following three separate data breaches. Between 2008 and 2010, hackers gained access to Wyndham’s network on three occasions, stealing payment card information from over 619,000 Wyndham customers. The theft resulted in more than $10.6 million in fraudulent purchases. After investigating the breaches, the FTC filed suit against Wyndham claiming that the company engaged in unfair and deceptive business practices in violation of Section 5 of the FTC Act. The FTC alleged that, among other things, Wyndham allowed its hotels to store payment card information without encryption, failed to use readily available security measures, such as firewalls, and failed to employ reasonable measures to detect and prevent unauthorized access to its computer network.
Following the ruling, the FTC issued a press release affirming its continued enforcement activity: “[i]t is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
The FTC is not the only agency enforcing privacy and cyber security laws and regulations. Companies have to comply with a patchwork of federal and state laws and regulations, as well as industry specific guidelines, governing privacy and cyber security. The myriad of laws and regulations creates a significant compliance challenge. One way to comply with the complicated (and ambiguous) regulatory landscape is to identify standards and best practices in the FTC’s publications and prior cyber security related enforcement actions.
Be proactive when it comes to cyber security. Companies should regularly conduct “data audits” to understand what information they collect, how they collect it, where and how it is stored and transmitted, and who has access to the data. A comprehensive audit will help companies identify any weak links that criminals can exploit, as well as mitigate their enforcement exposure vis-à-vis the FTC.
Assess and update policies and procedures on a regular basis. This includes those that address network security, identity theft prevention, responding to data breach incidents, use of personal devices for company business, and social media. Cyber security policies should address both physical and electronic security such as passwords, firewalls, and encryption, as well as cultural security. Even the strongest firewall or password protocols will not prevent a breach caused by an uninformed employee who, for example, uses a compromised USB drive at work or posts a selfie from work with confidential information visible in the background.
Secure data across all channels. The data that is at risk includes more than credit card information or personally identifiable information. It can include loyalty program account information, loyalty reward points, recipes, and other confidential proprietary information. Accordingly, a company’s cyber security protocols need to address strategies to defend against theft and comply with an evolving regulatory environment.
Insurance coverage.Finally, with the emergence of niche cyber security insurance policies, riders, and exclusions, it is important to review existing insurance policies to verify coverage for data breaches in the environment in which the company operates.
Vojtek “VK” Karpuk is an Associate attorney at Jennings, Strouss & Salmon, focusing his practice on corporate and securities law, intellectual property law, government relations and energy law. Michael K. Kelly is Chair of the firm’s Intellectual Property Practice Group. He has over 27 years of experience in dealing with intellectual property related matters.