Fri, Jun 21, 2019
A few years ago, the Federal Trade Commission wrote a blog post that highlighted key issues companies should expect to be asked about in cyber investigations. Among other things, the FTC explained that the agency looks at “privacy policies and any other promises the company has made to consumers about its security.”[1] Indeed, most FTC cyber enforcement cases turn on allegations that a company made misleading statements regarding the type, strength, or even presence of security measures associated with its product or services. Offending statements can appear in a variety of contexts, including privacy policies, terms of service, marketing materials, and even investor-relations materials, just to name a few.
In this vein, the Third Circuit’s landmark decision in FTC v. Wyndham Worldwide Corp.[2] is instructive. On three occasions in 2008 and 2009, hackers allegedly exfiltrated payment card data of more than 619,000 Wyndham guests. The FTC brought an enforcement action under the unfairness prong of section 5 of the FTC Act,[3] arguing that Wyndham’s security practices “unreasonably and unnecessarily” exposed personal data to unauthorized access and theft. The complaint also raised a deception claim for allegedly misleading statements in the company’s privacy policies. Those policies contained allegedly false representations that data was protected according to “industry standard practices” and “commercially reasonable efforts,” such as using “128-bit encryption,” “fire walls,” and “other appropriate safeguards.”
Although the FTC’s deception claim was not on appeal, Wyndham’s privacy policy emerged as a critical factor in the decision upholding the unfairness claim. The court noted that a company does not act equitably when it “publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.” Moreover, “consumers could not reasonably avoid injury by booking with another hotel chain because Wyndham had published a misleading privacy policy that overstated its cybersecurity.”[4] Finding it plausible that consumers were misled by Wyndham’s privacy policy, the court deemed the policy “directly relevant” to whether the company’s conduct was “unfair.”
Private plaintiffs routinely allege that companies not only fail to protect data (thereby resulting in a breach) but deceive consumers in privacy policies with security-related misrepresentations. For example, these types of allegations featured heavily in complaints against Marriott following its 2018 announcement that Starwood databases had been breached starting in 2014 (e.g., “Ultimately, Marriott could and should have prevented the data breach by implementing and maintaining reasonable safeguards, consistent with the representations Marriott made to the public in its marketing materials and privacy statements, and compliant with industry standards, best practices, and the requirements of [ ] State law. Unfortunately, Marriott failed to do so, and as a result, exposed the personal and sensitive data of hundreds of millions of consumers.”)[5]
We offer the following tips for identifying potential privacy-related cyber exposure points:
Read Tips from the Trenches: Make Your Company Less Attractive to Cyber Enforcement
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
Sources
[1] M. Eichorn, If the FTC Comes to Call, FED. TRADE COMM’N BUS. BLOG (May 25, 2015), www.ftc.gov/news-events/blogs/business-blog/2015/05/if-ftc-comes-call.
[2] FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
[3] 15 U.S.C. § 45(a).
[4] Wyndham, 799 F.3d at 245–46.
[5] Complaint, Hiteshew v. Marriott Int’l, Inc., No. 8:18-cv-03755 (D. Md. Dec. 6, 2018).