– Gavel image courtesy of Shutterstock –
Let’s say you were the victim of a massive cybercrime.
You’d have every right to be aggrieved, to feel hurt, and perhaps even to be fearful of going online in the future.
But what if the crime affected your customers as well?
How much of the blame should you shoulder if you could have done more to protect your network and thus your customers?
What if you could have done a lot more?
Even worse, what if you had led your customers to think you were doing plenty to protect them, but that was just talk?
Where should your customers turn for justice and recompense? Who should help them to see that justice is done?
Who’s responsible?
In turns out that those questions take a long time to answer – or at least they did in the case of US accommodation chain Wyndham Hotels.
Wyndham Hotels suffered three strikes from cybercriminals way back in 2008 and 2009.
In those attacks, the crooks apparently got hold of personal and financial information for hundreds of thousands of Wyndham customers, leading to over $10.6 million dollars in fraudulent charges.
Yet even while the crooks were wandering into Wyndham’s servers and scooping up other people’s data, Wyndham had a privacy policy for its customers that proclaimed:
We safeguard our Customers' personally identifiable information by using industry standard practices... Currently, our Web sites utilize a variety of different security measures designed to protect personally identifiable information from unauthorized access by users both inside and outside of our company, including the use of 128-bit encryption based on a Class 3 Digital Certificate issued by Verisign Inc. This allows for utilization of Secure Sockets Layer, which is a method for encrypting data. This protects confidential information — such as credit card numbers, online forms, and financial data — from loss, misuse, interception and hacking. We take commercially reasonable efforts to create and maintain "fire walls" and other appropriate safeguards.
To the average hotel guest, those certainly sound like cybercrime-fighting words.
But if you know anything about cryptography, your eyebrows probably lifted at Wyndham’s very specific mention of “128-bit encryption based on a Class 3 Digital Certificate” alongside the lack of any detail about the other vital parts of its anti-hacking precautions.
Secure Sockets Layer (SSL) depends on several different sorts of cryptographic technology, including both symmetric and public-key encryption, which measure their key sizes quite differently, so merely saying “128-bit encryption” is both incomplete and unapt.
💡 Learn more: Why AES and RSA have different key sizes ►
In any case, by 2008/2009, SSL had long been superseded by Transaction Layer Security (TLS), a more recent and stronger incarnation of SSL.
And, of course, SSL/TLS deals with data security only in transit, so any suggestion that it “protects confidential information from…loss or misuse”, for example after a transaction has been processed, is absurd.
Even the unusal spelling of the word firewall, placed in quotes as if it were something esoteric and exceptional, alongside the glibly vague phrase “and other appropriate safeguards” make this policy read like just so many words.
Perhaps, then, Wyndham was just trotting out the jargon, and misleading its customers by promising more safety and protection than it could deliver?
In that case, perhaps Wyndham carried some of the responsibility for its customers’ problems, for all that it was itself a cybercrime victim?
Protecting the consumer
Eventually, in 2012, the Federal Trade Commission (FTC), the US consumer rights watchdog, decided to act on just that premise.
The FTC argued that Wyndham’s conduct was both unfair and deceptive – behaviour that unexceptionably falls under the remit of a consumer watchdog, you might think – and said that it was acting against the hotel chain:
...to make sure that companies live up to the promises they make about privacy and data security.
Then the wrangling started.
Wyndham argued that this was not the sort of case that should fall within the FTCs bailiwick.
Even though Wyndham had let its customers down, it wanted the court to rule that:
- The FTC has no authority to regulate cybersecurity under the ambit of “unfairness” to consumers.
- And even if it did, Wyndham would not have had reasonable notice that its cybersecurity fell so short of the mark as to be “unfair.”
A cynic might sum this up as you can’t tell us what to do, and anyway you didn’t.
The courts considered the matter, and in April 2014, the US District Court in New Jersey dismissed Wyndham’s claims.
This apparently cleared the way for the FTC to proceed, and established the FTC’s jurisdiction to take action against data breaches in the future.
The answer at last
But that wasn’t the end of it: Wyndham appealed, dragging the matter out for a further year-and-a-bit, until this week.
The US Appeals Court has now upheld the New Jersey decision and found in favour of the FTC.
Indeed, from our unlawyerly viewpoint, the opinion of the Appeals Court is not at all flattering to Wyndham’s point of view.
For example, the Appeals Court considered Wyndham’s suggestion that calling its behaviour “unfair” went too far, because:
A practice is only "unfair" if it is "not equitable" or is "marked by injustice, partiality, or deception."
The Court’s response was uncompromising:
A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.
We agree.
As our friend and colleague Chester Wisniewski put it when he covered the FTC’s action against Wyndham back in 2012, “It is time for organizations to not just talk the talk of data security, but walk the walk.”
What to do?
The Appeals Court document actually provides a surprisingly handy list of security tips, because it lists the FTC’s allegations of where Wyndham went wrong.
To keep on the right side of the FTC, you should at least take good care that you:
- DO NOT store payment card information in cleartext.
- DO NOT use easily-guessed passwords on remote access systems.
- DO NOT directly interconnect all parts of your network to each other and the internet.
- DO establish minimum security standards (e.g. patching) before allowing remote sites to connect.
- DO keep an inventory of devices allowed on the network so that problems can be traced to their source.
- DO investigate reports of security problems and show that you can learn from your mistakes.
- DO NOT overstate your security readiness to your customers.
InfoSecWiz
Personally, I think it depends on the type of breach. If the company can prove it was running proper security controls but were breached by a zero day that revealed Admin credentials for instance then I wouldn’t place too much blame on the company but if the company are shown to be lacking in security controls then they should be blamed. Too many companies refuse to spend on controls because it’s cheaper and easier to pay the fine of a breach.
-vs- Malpractice
I agree with you, and it looks like both the FTC and the courts do to. A big part of this ruling was the evidence of continued negligence on the part of the defendant. Three different breaches, and they never addressed the issues that allowed the first breach.
As I indicate in a different comment, below, I think the general standards of “malpractice” should apply. If your company is keeping up with industry-standard techniques and safeguards, you should be OK. If you are boasting about your security while refusing to address known problems, you are culpable.
Blake
I agree. Companies should be held to reasonable standards (such as the ones outlined at the end of this article). If they are found negligent, they are to blame. Otherwise, don’t blame the victim – blame the perp.
Ron Cook
I think, if a company have audited verification of their Internet-facing security procedures, and audited employee training with regard to data security, the company should have minimal culpability.
If a breach can be traced to the willful or non-willful actions of an employee (email / phone phishing, etc.) then the company should be held accountable.
Should the breach be the loss of backup media, the only thing that should protect the company is encryption of the media.
dissenting opinion
I’m one of the 6 (so far) who noted no, the criminals are to blame. This article really sells the story that overall companies are to blame using this case as an example. While Wyndam is probably to blame in this situation based on their statements, I don’t know that it justifies all companies to be blamed for a breach. Example: I share my house key with my neighbor and vice versa. We have a trust to watch over each others houses while we’re out, traveling, or if we lock ourselves out. We don’t leave the keys out in the open, yet they are behind a locked door at night and when we’re not home. Door locks are not good security as they’re easily picked, right. Am I to blame if someone steals the key and breaks into their house and steals their stuff?
I think, from the security community perspective, its not if, but when you’re going to get breached. Why is that? Bottom line is that most companies don’t stand a chance right now. The gettin is good for the criminal. I would even argue that it is incredibly difficult to judge when a company has been specifically negligent. It’s absolutely a no win situation right now. Theres only two types of companies; those who have been breached, and those who don’t know it yet. And if you pass a PCI audit, and end up getting breached, guess what, you apparently failed to secure everything properly and you get fined anyway. If it’s PCI data we’re talking about, the PCI industry might be just as much to blame as the criminal.
I feel like my company takes security seriously and is doing an OK job. We have many security people all working hard. We have an ownership who cares and a CIO who gets it. I don’t feel like we have been specifically negligent. But I know it’s only a matter of time.
-vs- Malpractice
My feeling is that this is much like well-established malpractice doctrine.
From Wikipedia:
In the law of torts, malpractice is an “instance of negligence or incompetence on the part of a professional”.
Types include medical malpractice (“A doctor’s failure to exercise the degree of care and skill that a physician or surgeon of the same medical specialty would use under similar circumstances”) and legal malpractice (“A lawyer’s failure to render professional services with the skill, prudence, and diligence that an ordinary and reasonable lawyer would use under similar circumstances.”).
That really seems to be what the FTC is saying, too. If the industry standard for computerized-record security is thus-and-so, then not meeting or exceeding those standards is essentially “computer malpractice”.
Jasper
I think the argument here is about companies taking reasonable precautions. Passing a PCI Audit would show you are taking reasonable precautions. Companies like Wyndham that blatantly choose to “accept the risk” and not comply with PCI are who we are discussing. When Wyndham was breached PCI DSS 1.1 and subsequently 1.2 was in effect, which did require not storing Credit Card Numbers in plain text, or in encryption types that were considered broken. It also required no direct connection to the internet and the Cardholder Data Environment. Wyndham broke both of these tenants of the DSS, as well as many others.
When it comes to security, there is no 100%, but if you have a fair number of successful PCI audits under your belt and you get hit with a zero day then you will not suffer as badly when managing, stopping, and identifying the breach. Your company may also not be fined, unless your PCI audits were, how should I put this, back filled BS.
Legally, yes the bad actors that broke in and stole the data are the criminals. But the company that failed to exercise Due Care and Due Diligence in their security when there are clear standards (PCI), is criminal as well, just less criminal, the legal term that applies is Negligence.
Paul Ducklin
There’s a bit of a difference between a house-key swap with your neighbour and what happened here…
This case is a bit more like you and offering a paid “house key guarding” service for 1000s of people in your neighbourhood, telling them that you’ll keep emergency spare keys for them in a safety deposit box…and then stuffing the keys in an old shoe box in the cupboard under the stairs.
Anonymous
I think the problem is that the average person always expects security (or don’t know anything about it) from the websites and services they use, and are also unaware of the potential consequences.
I get your point, but in your case you are both aware of what could happen and the consequences, so it’s not really a great analogy.
Y.Pudding
Many regions have laws that specifically cover it, it’s the reason companies like Sony get fined in Europe for not doing enough to protect customer data.
George Merriman
I believe anyone holding sensitive personal information ought to be held to a standard of strict liability if that information should be disclosed in a way that causes personal damage.
See https://en.wikipedia.org/wiki/Strict_liability/
After all, the only reason most entities store this information is so they can profit from it. I think this is the only way we can get the web commerce community to clean up its act.
Paul Ducklin
The US Appeals Court actually made a similar point in this matter – the fact that Wyndham chose to collect the data to make money, and kept the money even though it wasn’t living up to its end of the security “bargain”.
4caster
The poll should not have been presented as either/or. Both answers are true. No one would dispute that criminals are responsible for their crimes. But companies also owe it to their customers to keep data safe.
If I were to go out all day and leave my front door wide open, and all my valuables were stolen by walk-in thieves, the thieves would still be guilty of their crime, but I would be blameworthy for almost inviting them in.
Paul Ducklin
Actually, one of the reasons for presenting a poll with just two answers that are mutually exclusive is clarity. Too many answers and some people will complain that we’re leading them, or that we have subdivided things incorrectly, or that the answers overlap, or we should have had an “other”. Too few answers, and some people say, “But I can’t make my mind up.”
In other words, it’s a case of pleasing some of the people some of the time. So, in this case, we decided to keep it straightforward. Yes or No, like jury duty.
Tehcnically, your answer is a clear “Yes, companies should carry reponsibility,” even though you think there might be extenuating circumstances. But we’re happy to have your comment instead of your vote. That’s better than a 7-way poll with shades of answer you aren’t sure about…is it not? :-)
roy jones jr
I’m glad Mr.Ducklin has been responding. We can’t turn parts of the stories into semantics.
The companies do have an overarching responsibility in the timeline. Just like banks have an overarching responsibility to make sure when we go to drop off our money, the exact amount is tallied & recorded. And when we go to pick up some money, they exact amount is tallied and recorded.