Should companies be held responsible for a customer data breach? [POLL]


Let’s say you were the victim of a massive cybercrime.

You’d have every right to be aggrieved, to feel hurt, and perhaps even to be fearful of going online in the future.

But what if the crime affected your customers as well?

How much of the blame should you shoulder if you could have done more to protect your network and thus your customers?

What if you could have done a lot more?

Even worse, what if you had led your customers to think you were doing plenty to protect them, but that was just talk?

Where should your customers turn for justice and recompense? Who should help them to see that justice is done?

Who’s responsible?

It turns out that those questions take a long time to answer – or at least they did in the case of US accommodation chain Wyndham Hotels.

Wyndham Hotels suffered three strikes from cybercriminals way back in 2008 and 2009.

In those attacks, the crooks apparently got hold of personal and financial information for hundreds of thousands of Wyndham customers, leading to over $10.6 million in fraudulent charges.

Yet even while the crooks were wandering into Wyndham’s servers and scooping up other people’s data, Wyndham had a privacy policy for its customers that proclaimed:

We safeguard our Customers' personally identifiable information by using industry standard practices... Currently, our Web sites utilize a variety of different security measures designed to protect personally identifiable information from unauthorized access by users both inside and outside of our company, including the use of 128-bit encryption based on a Class 3 Digital Certificate issued by Verisign Inc. This allows for utilization of Secure Sockets Layer, which is a method for encrypting data. This protects confidential information — such as credit card numbers, online forms, and financial data — from loss, misuse, interception and hacking. We take commercially reasonable efforts to create and maintain "fire walls" and other appropriate safeguards.

To the average hotel guest, those certainly sound like cybercrime-fighting words.

But if you know anything about cryptography, your eyebrows probably lifted at Wyndham’s very specific mention of “128-bit encryption based on a Class 3 Digital Certificate” alongside the lack of any detail about the other vital parts of its anti-hacking precautions.

Secure Sockets Layer (SSL) depends on several different sorts of cryptographic technology, including both symmetric and public-key encryption, which measure their key sizes quite differently, so merely saying “128-bit encryption” is both incomplete and unapt.


In any case, by 2008/2009, SSL had long been superseded by Transport Layer Security (TLS), a more recent and stronger incarnation of SSL.

And, of course, SSL/TLS deals with data security only in transit, so any suggestion that it “protects confidential information from…loss or misuse”, for example after a transaction has been processed, is absurd.
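To make the key-size point concrete, here is an added example (mine, not from the article or from Wyndham) that uses Python's standard `ssl` module to list the cipher suites a plain TLS client context would offer and to pull apart the three algorithm roles each suite names: key exchange, authentication (which is what the certificate is for) and the bulk cipher with its key size. The figure a privacy policy calls "128-bit encryption" is the bulk-cipher strength in this table; the certificate's public key is sized separately and does not appear here at all. The 128/256 versus 2048 heuristic in `is_symmetric_strength_claim` is my assumption about typical TLS deployments, not a statement from the page.

```python
"""Added example (not from the article): what "128-bit encryption" names in TLS.

Lists the cipher suites enabled in a default TLS client context and separates
the algorithm roles OpenSSL records for each one. No network access is needed.
"""
import ssl
from collections import Counter


def suite_components(context=None):
    """Map each enabled suite name to its key exchange, auth and bulk cipher.

    ssl.SSLContext.get_ciphers() returns one dict per suite; the fields used
    here are 'kea' (key exchange), 'auth' (certificate/authentication type),
    'symmetric' (bulk cipher) and 'strength_bits' (bulk cipher key size).
    'strength_bits' is the number a marketing line calls "128-bit encryption";
    it says nothing about the certificate's RSA or ECDSA key size.
    """
    if context is None:
        # A bare client context: no CA store is loaded, so this works offline.
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return {
        c["name"]: {
            "kea": c["kea"],
            "auth": c["auth"],
            "symmetric": c["symmetric"],
            "bits": c["strength_bits"],
        }
        for c in context.get_ciphers()
    }


def strength_histogram(context=None):
    """Count how many enabled suites sit at each symmetric key size."""
    return Counter(v["bits"] for v in suite_components(context).values())


def is_symmetric_strength_claim(bits):
    """True when a lone bit count plausibly describes a bulk cipher.

    Assumption (mine): TLS bulk ciphers use 128- or 256-bit keys, while RSA
    certificate keys are 2048 bits or larger, so a bare "128-bit" figure
    describes the symmetric cipher and leaves the certificate and key
    exchange unspecified.
    """
    return bits in (128, 256)


if __name__ == "__main__":
    for name, parts in sorted(suite_components().items()):
        print(f"{name:40s} kx={parts['kea']:10s} auth={parts['auth']:10s} "
              f"enc={parts['symmetric']} ({parts['bits']}-bit)")
    print("suites per symmetric key size:", dict(strength_histogram()))
```

Run it on any machine with OpenSSL-backed Python: every suite whose name contains AES128 reports 128 bits, every AES256 suite 256, and the authentication column is where the certificate type shows up, separately from the bulk cipher.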

Even the unusual spelling of the word firewall, placed in quotes as if it were something esoteric and exceptional, alongside the glibly vague phrase “and other appropriate safeguards”, makes this policy read like just so many words.

Perhaps, then, Wyndham was just trotting out the jargon, and misleading its customers by promising more safety and protection than it could deliver?

In that case, perhaps Wyndham carried some of the responsibility for its customers’ problems, for all that it was itself a cybercrime victim?

Protecting the consumer

Eventually, in 2012, the Federal Trade Commission (FTC), the US consumer rights watchdog, decided to act on just that premise.

The FTC argued that Wyndham’s conduct was both unfair and deceptive – behaviour that unexceptionably falls under the remit of a consumer watchdog, you might think – and said that it was acting against the hotel chain to make sure that companies live up to the promises they make about privacy and data security.

Then the wrangling started.

Wyndham argued that this was not the sort of case that should fall within the FTC’s bailiwick.

Even though Wyndham had let its customers down, it wanted the court to rule that:

  • The FTC has no authority to regulate cybersecurity under the ambit of “unfairness” to consumers.
  • And even if it did, Wyndham would not have had reasonable notice that its cybersecurity fell so short of the mark as to be “unfair.”

A cynic might sum this up as you can’t tell us what to do, and anyway you didn’t.

The courts considered the matter, and in April 2014, the US District Court in New Jersey dismissed Wyndham’s claims.

This apparently cleared the way for the FTC to proceed, and established the FTC’s jurisdiction to take action against data breaches in the future.

The answer at last

But that wasn’t the end of it: Wyndham appealed, dragging the matter out for a further year-and-a-bit, until this week.

The US Appeals Court has now upheld the New Jersey decision and found in favour of the FTC.

Indeed, from our unlawyerly viewpoint, the opinion of the Appeals Court is not at all flattering to Wyndham’s point of view.

For example, the Appeals Court considered Wyndham’s suggestion that calling its behaviour “unfair” went too far, because:

A practice is only "unfair" if it is "not equitable" or is "marked by injustice, partiality, or deception."

The Court’s response was uncompromising:

A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.

We agree.

As our friend and colleague Chester Wisniewski put it when he covered the FTC’s action against Wyndham back in 2012, “It is time for organizations to not just talk the talk of data security, but walk the walk.”

What to do?

The Appeals Court document actually provides a surprisingly handy list of security tips, because it lists the FTC’s allegations of where Wyndham went wrong.

To keep on the right side of the FTC, you should at least take good care that you:

  • DO NOT store payment card information in cleartext.
  • DO NOT use easily-guessed passwords on remote access systems.
  • DO NOT directly interconnect all parts of your network to each other and the internet.
  • DO establish minimum security standards (e.g. patching) before allowing remote sites to connect.
  • DO keep an inventory of devices allowed on the network so that problems can be traced to their source.
  • DO investigate reports of security problems and show that you can learn from your mistakes.
  • DO NOT overstate your security readiness to your customers.
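The first item on that list is the one an auditor can actually test for. As an added example (my code, not the article's or the court's), here is a small scanner that runs over stored records and flags anything that looks like a cleartext card number, using the Luhn mod-10 check to weed out other long digit runs, together with the form that should be stored instead: the last four digits plus a keyed HMAC token. The sample records, the regular expression for candidate numbers, the 13- to 19-digit window and the HMAC-tokenisation scheme are all my assumptions; the card numbers are standard test numbers, not real accounts.

```python
"""Added example (not from the article): audit for cleartext payment card
numbers in stored data, and the tokenised form to keep instead.

Assumptions (mine): records are plain strings; a candidate PAN is a run of
13 to 19 digits, optionally separated by single spaces or dashes, that passes
the Luhn check; a compliant store keeps only last4 plus a keyed HMAC token.
"""
import hashlib
import hmac
import re

# 13..19 digits, each optionally followed by one space or dash, not adjoining
# other digits. Constructed for this example; tune for your own data layout.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(record):
    """Return Luhn-valid, card-number-looking digit runs found in one record."""
    found = []
    for m in PAN_CANDIDATE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_records(records):
    """Map record index -> list of PANs, for every record that contains one."""
    hits = {}
    for i, record in enumerate(records):
        pans = find_cleartext_pans(record)
        if pans:
            hits[i] = pans
    return hits


def tokenise_pan(pan, key):
    """What may be stored instead of the PAN: last four digits plus an HMAC token.

    The token lets the system recognise a returning card (same key, same
    token) without holding the number; the key must live outside the data
    store. Illustrative scheme, not a PCI prescription.
    """
    token = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return {"last4": pan[-4:], "token": token}


# Constructed sample records (test card numbers, not real accounts).
SAMPLE_RECORDS = [
    "2009-01-15 booking=81723 guest=J.Doe card=4111 1111 1111 1111 exp=11/10",
    "2009-01-15 booking=81724 guest=A.Roe card=[REDACTED] last4=0004",
    "2009-01-16 order=1234567890123456 amount=189.00",   # 16 digits, fails Luhn
    "2009-01-16 booking=81725 card=5500-0000-0000-0004 exp=03/11",
]

if __name__ == "__main__":
    for idx, pans in scan_records(SAMPLE_RECORDS).items():
        for pan in pans:
            stored = tokenise_pan(pan, b"constructed-demo-key")
            print(f"record {idx}: cleartext PAN ending {stored['last4']} "
                  f"-> store token {stored['token'][:16]}... instead")
```

Only records 0 and 3 are flagged: the order number in record 2 is sixteen digits but fails Luhn, and record 1 already holds the redacted form. Pointing `scan_records` at exported tables, backups and application logs is the cheap way to find out whether "we don't store card data" is true in practice.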

What do you think?