Wyndham and FTC settle data breach dispute — Wyndham got 20 years

On December 9, 2015, the FTC announced that it and Wyndham Hotels had settled their long-running dispute that led to an opinion from the Third Circuit Court of Appeals confirming the FTC’s authority to regulate cybersecurity.

The gist of the settlement is that, for the next 20 years, Wyndham must do the following:

  • obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program;
  • certify the “untrusted” status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;
  • certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company;
  • certify that the auditor is qualified, independent and free from conflicts of interest; and
  • in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, obtain an assessment of the breach and provide that assessment to the FTC within 10 days.

Read more: Wyndham Settles FTC Charges It Unfairly Placed Consumers’ Payment Card Information At Risk | Federal Trade Commission

FTC v. LabMD: I always give ’em a fair trial before I hang ’em.

The legal findings in FTC v. LabMD.

LabMD was vindicated by the November 15, 2015 Initial Decision in FTC v. LabMD (the Decision). In the Decision, the Chief Administrative Law Judge (ALJ) ordered the FTC to dismiss its Complaint against LabMD based on the following findings as to LabMD’s 2008 “data breach”:

  1. There was “no evidence that any consumer has suffered any injury.”
  2. “[T]he evidence fails to show that . . . [the ‘data breach’] is likely to cause any substantial consumer injury.”
  3. “[T]he theory that, there is a likelihood of substantial injury for all consumers whose information is maintained on [LabMD’s] computer networks, because there is a ‘risk’ of a future data breach, is without merit because the evidence presented fails to demonstrate a likelihood that [LabMD’s] computer network will be breached in the future and cause substantial consumer injury.”
  4. “While there may be proof of possible consumer harm, the evidence fails to demonstrate probable, i.e., likely, substantial consumer injury.”

In summary, “[b]ecause the evidence fail[ed] to prove that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury, as required by Section 5(n) of the FTC Act, [LabMD’s] alleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.” (Decision p. 88).

Unfortunately for LabMD, this vindication was too little, too late, and there is much, much more to the story.

The rest of the story.

“I always give ’em a fair trial before I hang ’em.” -Judge Roy Bean

LabMD learned a harsh lesson about the dangers lurking in the cybersecurity world from an unlikely source — what was supposed to be the good guys.

LabMD was run out of business by years of fighting with the Federal Trade Commission (FTC), so the fact that the FTC’s own ALJ issued a 92-page decision vindicating LabMD and highlighting the FTC’s own abuses is now of little consequence. All LabMD is left with is its story.

LabMD gets an offer it can’t refuse.

LabMD was a small medical services company providing cancer detection services to urologists who wanted their patients’ samples analyzed by pathologists who specialized in prostate cancer or bladder cancer. In this business, LabMD was required to securely store its patients’ personal health data and medical records in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

In May 2008, Tiversa, a self-described leading cyberintelligence firm, contacted LabMD and claimed that it had found on the Internet a file containing protected health information and personally identifiable information from LabMD’s patients. The Decision describes this file as the 1718 File. One of LabMD’s employees was using the then-popular music and video file-sharing program LimeWire on a LabMD computer; Tiversa was able to use LimeWire to obtain the 1718 File.

Tiversa offered to tell LabMD where or how it discovered the 1718 File, and “remediate” the issue, in exchange for a $40,000 payment. (See Hounded Out of Business).

LabMD refused.

According to the testimony of Richard Wallace, a former forensic analyst at Tiversa, Tiversa would try to monetize discoveries such as the 1718 File in various ways and, when rebuffed by companies such as LabMD, its CEO would tell them “you think you have a problem now, you just wait.” (Decision ¶ 115). Tiversa would then do things to make it appear as though such information had spread more than it had, and in this case, represented to LabMD that the 1718 File had done so, which the ALJ found to be false. (Decision ¶ 129).

When it became clear that LabMD was not going to use any of Tiversa’s services, Tiversa provided the information about LabMD and the 1718 File to the FTC, and its CEO directed Mr. Wallace to make sure LabMD was at the top of the list of information it was providing to the FTC. (Decision ¶ 141). The details of how this exchange of information took place, to the extent of creating an intermediary organization (The Privacy Institute) to keep distance between Tiversa and the FTC, read like a conspiracy theorist’s musings and should be read in their entirety. (See Paragraphs 131 through 168 of the Decision).

LabMD gets another offer it can’t refuse–from the FTC.

In January 2010, the FTC opened an investigation into LabMD, based upon the information Tiversa had provided. (Hounded Out of Business). Despite LabMD’s efforts to cooperate, the FTC would not provide LabMD with any specifics about what it was alleging LabMD had done wrong. Instead, “the FTC demanded that LabMD sign an onerous consent order admitting wrongdoing and agreeing to 20 years of compliance reporting.” (Hounded Out of Business).

LabMD refused.

The FTC files a formal Complaint against LabMD.

On August 28, 2013, the FTC filed an Administrative Complaint against LabMD. The Complaint alleged that LabMD was liable for unfair acts or practices under Section 5(a) of the FTC Act based on charges that it failed to provide reasonable and appropriate security for personal information maintained on its computer networks and that such conduct caused, or was likely to cause, substantial consumer injury. (Decision p. 1).

The FTC charged LabMD with failing to provide reasonable and appropriate security for personal information on its computer networks by specifically alleging that it failed to do the following:

  • develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information;
  • use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks;
  • use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
  • adequately train employees to safeguard personal information;
  • require employees, or other users with remote access to the networks, to use common authentication-related security measures;
  • maintain and update operating systems of computers and other devices on its networks; and
  • employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks. (Decision p. 1).

[Hint: while the ALJ found the FTC’s allegations against LabMD were without merit, the above-listed allegations are precisely the kinds of things that the FTC will likely look for with other businesses as well.]

The ALJ highlights the improprieties of Tiversa and the FTC.

In finding for LabMD, the ALJ found the allegations in the Complaint were not justified because the “evidence” against LabMD was not credible: “In order to retaliate against LabMD for refusing to purchase Tiversa’s services, Mr. Wallace testified, Tiversa reported its discovery of the 1718 File to the FTC; and Mr. Wallace, at the direction of Mr. Boback, manipulated Tiversa’s Data Store to make it appear that the 1718 File had been found at four IP addresses, including IP addresses of known identity thieves, and fabricated a list of those IP addresses, which Complaint Counsel introduced into evidence as CX0019.” (Decision pp. 9-10).

Despite the combined efforts to make it appear to the contrary, the only evidence of a “breach” that the FTC could offer was Tiversa obtaining the 1718 File from LimeWire. There was no other exfiltration of data from LabMD’s computer network. None!

The only exposure of the 1718 File, outside of LabMD, was to Tiversa, an expert, and the FTC.

The FTC, however, is not relenting, even after the ALJ spilled 92 pages of digital ink outlining the FTC’s improprieties in this case. On November 24, 2015, the FTC filed a Notice of Appeal of the Initial Decision (see Office of Inadequate Security).

What does this mean for business?

Stop and think about this:

  • LabMD’s greatest “crime” was having an employee who used LimeWire on the company network [Hint: Do you see why I always preach policies, procedures, and workforce training?].
  • Tiversa deliberately targeted LabMD’s information, found it, then demanded LabMD pay it $40,000 to keep it quiet.
  • When LabMD refused to pay up, Tiversa used its pipeline to the FTC to have the FTC force LabMD to suffer the consequences for not paying up.
  • The FTC willingly obliged, bringing to bear all of its resources, going against LabMD with a vengeance until finally running it out of business.
  • Over what? Over one document. One document that was intentionally targeted, delivered to the FTC, and never seen by anyone outside of LabMD other than Tiversa, an expert, and the FTC itself.

In 2011, I wrote my most popular data breach post ever, Data Breach — Who’s Gonna Get It?, in which I wrote about a future company that would be put out of business by litigation over a data breach after a jury learned the company had done a cost-benefit analysis and decided it would save more money by not protecting consumers’ data and having a data breach than by spending the money to fix the problems. That is, I looked to the analogy of the Ford Pinto. While I still believe that is going to happen, perhaps I was a bit naive because I did not expect this to happen to a company simply because it got on the wrong side of an administrative agency.

This is the new reality for business in America. And, given the wind that is now at the FTC’s back following the Third Circuit’s FTC v. Wyndham Worldwide Corporation decision (also see FTC Blog: “the Third Circuit upheld the District Court’s ruling that the FTC could use the prohibition on unfair practices in section 5 of the FTC Act to challenge the alleged data security lapses outlined in the complaint”), businesses can expect to see more of it.

This is a serious threat to all businesses.

LabMD has learned firsthand about the dangers lurking in the world of cybersecurity and the dangers of finding oneself in the cross-hairs of a federal regulatory agency. It also learned a harsh lesson about justice, as exemplified by one of the infamous Judge Roy Bean’s favorite sayings, “I always give ’em a fair trial before I hang ’em.” (See Bean n.63).

RIP, LabMD.

_________________________

This blog post only covers a few of the highlights of this story. If you want the full flavor, you really owe it to yourself to read the FTC’s resources on this case, Dan Epstein’s article, Hounded out of Business by Regulators, the full 92-page Initial Decision, as well as LabMD’s CEO, Michael Daugherty’s book, The Devil Inside the Beltway.

SEC v. R.T. Jones shows the SEC has a role in regulating cybersecurity

The federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. SEC v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).

  • “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
  • R.T. Jones violated this “safeguards rule” during a four-year period when it had no such policies and hackers accessed more than 100,000 records of individuals, including its clients. The attack was traced to China; no individuals have reported financial harm.
  • This violated Rule 30(a) of Regulation S-P of the Securities Act of 1933. In settling, R.T. Jones agreed to censure and a $75,000 penalty.


FTC v. Wyndham Worldwide Solidifies the FTC’s Role in Regulating Cybersecurity

The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act and companies have fair notice that their specific cybersecurity practices could fall short of that provision. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).

Here are a few key points from the court’s opinion to consider:

  • Wyndham was hacked three times in 2008 and 2009, resulting in the compromise of over 619,000 consumer payment card records.
  • The stolen information was used to commit over $10.6 million in fraudulent charges.
  • Wyndham’s cybersecurity posture was very rudimentary and contravened recommendations in the FTC’s 2007 guidebook, Protecting Personal Information: A Guide for Businesses.
  • Wyndham’s website privacy policy made representations about its cybersecurity practices that were not true and, therefore, deceptive.

[Video: Rocky Dhir & Shawn Tuma - Cybersecurity at State Bar of Texas - Texas Bar TV]

Rocky Dhir Interviews Shawn Tuma About Cybersecurity for Lawyers at State Bar of Texas 2015 Annual Meeting

I had the wonderful opportunity to visit with and get to know Rocky Dhir (@rockydhir) at the State Bar of Texas 2015 Annual Meeting in San Antonio. Rocky is the Founder and CEO of Atlas Legal Research, LP (@atlaslegal), “the world’s leading legal outsourcing company.”

Rocky and I did a brief interview where we talked about a lot of things — but also cybersecurity and, more specifically, cybersecurity for law firms. Rocky is a pro at this and he does them all of the time for the State Bar of Texas’ Texas Bar TV channel — and it really showed, but I had a great time doing it and, in the end, that’s what matters, right?

Thanks Rocky!