Warr: Cybersecurity lessons learned from an ostrich

December 16, 2015

By Alastair J. Warr

When the topic of cybersecurity arises, many companies react by burying their heads in the sand. However, playing an ostrich when it comes to cybersecurity will not save you. The recent 3rd Circuit Court of Appeals opinion in FTC v. Wyndham Worldwide Corp. (14-3514, Aug. 24, 2015) provides insight as to how the Federal Trade Commission may look at cybersecurity planning in the context of a civil action alleging deceptive trade practices by the corporate target of a data breach.

The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). On three occasions in 2008 and 2009, hackers accessed Wyndham’s computer systems. They stole personal and financial information of hundreds of thousands of consumers, leading to more than $10 million in fraudulent charges. The FTC filed suit alleging Wyndham’s conduct was an “unfair practice” and that its privacy policy was “deceptive.” The FTC alleged Wyndham engaged in unfair cybersecurity practices that, “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”

Specifically, the FTC allegations against Wyndham included:

• Allowed hotels to store payment card information in clear readable text (not encrypted);

• Failed to use “readily available security measures” (e.g. firewalls) to limit access between hotel IT systems, corporate network, and the Internet;

• Failed to employ reasonable measures to detect and prevent unauthorized access to its computer network or to conduct security investigations; and

• Did not follow “proper incident response procedures.” (The hackers used similar methods in each attack, but Wyndham failed to monitor its network for malware used in the previous intrusions.)

Conduct can be unfair before actual injury occurs. 15 U.S.C. § 45(n). The intervening criminal act (hacking) generally does not provide immunity from liability for foreseeable harm. (See Restatement (Second) of Torts § 449 (1965).) With all the recent cybersecurity attacks, can one reasonably argue a cybersecurity risk is no longer foreseeable and keep their head stuck in the sand? Subsection 45(n) asks whether “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” The relevant inquiry is a cost-benefit analysis involving a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.

The Court of Appeals confirmed the FTC can pursue unfair and deceptive practices claims relating to failed cybersecurity practices. The FTC’s allegations provide some guidance as to what types of acts or omissions may give rise to regulatory or civil liability. Companies should now, not after a breach occurs, take the opportunity to perform self-assessments to determine how their practices fare against current de facto standards of care.

First, after an attack, do not try to cover it up and act as if nothing happened. Cybersecurity includes a perpetual process to take lessons learned and to improve procedures against future attacks. Second, engage in periodic self-assessments to determine how the organization measures against industry standards. This is not a one-time event and should be reviewed at least annually. Third, review the organization’s vendor contracts to confirm adequate cyber safeguards exist. Fourth, provide appropriate training to employees regarding social engineering, require frequent password changes and insist on using strong passwords.

Organizations should consider and adopt the following: (1) create a multi-functional incident response team (e.g. legal, IT, PR, CEO, CFO, outside counsel) for potential cybersecurity events; (2) make cybersecurity and necessary resources a regular topic of discussion; (3) designate a board committee to have cybersecurity oversight; (4) engage consultants to test cybersecurity systems and to suggest enhancements; (5) have outside counsel familiar with the company and incident management on retainer; (6) align internal policies with risks, e.g. network monitoring; and (7) document remedial measures to enhance cybersecurity.

Don’t be an ostrich.


Alastair J. Warr is a partner and chairs the Intellectual Property and Technology Practice Group at Krieg DeVault LLP. The opinions expressed are those of the author.