Wyndham – A Case Study in Cybersecurity: How the cost of a relatively small breach can rival that of a major hack attack

Thursday, March 19, 2015 - 09:50

Cybersecurity and data privacy are real risks: in the wake of a data breach, C-level employees may be terminated or even face personal liability, the company may face a multitude of lawsuits and regulatory investigations, the stock price may fall, business may be disrupted, and the company’s reputation may falter. The high price of defending private plaintiff lawsuits and class actions is well-known to many companies and their risk advisors. But few companies realize the expense of government investigations – unless they themselves have been through the proverbial wringer.

The United States Federal Trade Commission (“FTC”) – the self-proclaimed principal federal cybersecurity regulator – enforces Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices, and the FTC has taken a broad view of how that applies in the cybersecurity context. Cybersecurity and data privacy are at the top of the FTC’s enforcement and policy agendas, as well as similar agendas at other U.S. agencies. A near-majority of the speeches given by FTC commissioners over the past year addressed those topics. And just over a month ago, the FTC released its report on the Internet of Things, which focused on both cybersecurity and data privacy.

The sufferings that befell Wyndham Worldwide Corporation, when it was attacked three times by hackers between 2008 and 2010 and was subsequently investigated by the FTC, are an excellent example of the investigatory burden a company faces after a data breach and offer valuable lessons for others. The Wyndham Worldwide saga provides a unique window into the regulatory risks and costs associated with a data breach and with taking an adversarial approach to a government investigation.

Wyndham Worldwide appears to be one of the few companies that has challenged the government's authority as an enforcer in this area. The documents Wyndham Worldwide filed with the government are particularly illustrative of the resources and time involved in fighting government intervention. Wyndham's breach involved far less customer data than other well-known breaches (e.g., Home Depot and Target), but the regulatory cost to Wyndham at the end of the day may be no different than that of those other companies and is likely much greater.

The Wyndham Data Breach

Wyndham Worldwide is a Delaware corporation, with its headquarters located in New Jersey. The company, through its subsidiaries, manages and franchises hotels located around the world. As part of its normal business in collecting deposits and accepting payments, the company collects personal and financial information from customers, including credit card information.

Three times between 2008 and 2010, hackers invaded the main network of one of Wyndham Worldwide's operating subsidiaries and stole information for over 619,000 Wyndham customers. The information that was stolen was primarily credit card information.[1]

After announcing the breaches, Wyndham Worldwide embarked on a risk and liability journey, suffering the tribulations and burdens of a drawn-out regulatory investigation, only to be followed by civil lawsuits brought by regulators and private plaintiffs alike. Wyndham Worldwide’s trials are summarized below.

Wyndham’s Regulatory Burdens

On April 8, 2010, the FTC began to investigate Wyndham Worldwide and three of its subsidiaries (collectively "Wyndham"), sending Wyndham a voluntary request for information. The FTC's investigatory focus, as stated in that April 8, 2010 letter, was to determine: "whether Wyndham's information security practices comply with Section 5 of the [FTC] Act, which prohibits deceptive or unfair acts or practices, including misrepresentations about security and unfair security practices that cause substantial injury to consumers."[2] The FTC's request contained 14 detailed inquiries (most with subparts) and sought information about Wyndham's IT architecture, cybersecurity policies, and the three data breaches that occurred. It took Wyndham more than five months to locate all responsive documents.[3]

During 2010 and the first half of 2011, the FTC sent three supplemental requests for information and documents, and also posed oral requests at meetings between the parties. In total, 29 document requests and 51 information requests were issued to Wyndham prior to December 2011.[4] Wyndham produced over 1 million pages of documents and written responses that totaled 72 pages single spaced. In addition, Wyndham Worldwide's CFO and head of Information Security – along with attendant inside and outside counsel – attended seven in-person meetings with the FTC.[5] The time and cost associated with preparing for each of those meetings were likely significant.

Wyndham estimated that its response cost exceeded $5 million in legal and vendor fees.[6] And that estimate did not include the time employees spent responding to the requests or the business disruption caused thereby, nor the costs associated with preparing for meetings with the FTC.

The FTC later sought compulsory process, issuing a civil investigative demand ("CID") to the company on December 8, 2011. The CID included approximately 25 pages of information and document demands, including 89 interrogatories and 38 document requests. Wyndham fought the issuance of the CID for six months and moved to have it quashed. An initial opinion by the FTC partially granted the motion, modifying the CID in two minor respects, but otherwise denied the motion. The CID was later withdrawn in June 2012, when the FTC filed its lawsuit.

While the investigation proceeded, Wyndham and the FTC attempted to negotiate a settlement. Wyndham submitted a white paper outlining why it believed the FTC's settlement demands were unreasonable. Negotiation talks eventually collapsed.

The FTC initiated legal proceedings against Wyndham in June 2012. The FTC alleged that, in violation of Section 5 of the FTC Act, Wyndham failed to employ reasonable data security measures, and that failure enabled hackers to obtain consumer data. Among the alleged harms are "fraudulent charges on consumers' accounts, more than $1.6 million in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to a domain registered in Russia."[7] The FTC's lawsuit seeks injunctive and equitable relief (as the FTC Act does not contemplate monetary damages for Section 5 violations).

Wyndham responded to the FTC's lawsuit by challenging the action on multiple grounds, including that the FTC lacked congressional authority to regulate cybersecurity and had otherwise failed to provide "fair notice" of what it intended to regulate. Unfortunately for Wyndham, the court had little difficulty fitting cybersecurity into the FTC's mandate to regulate unfair trade practices. Far from being too broad to encompass cybersecurity, as Wyndham asserted, the court concluded that Congress wanted a flexible definition of unfairness that did not enumerate the particular practices to which it was intended to apply.[8] Faring no better was Wyndham's contention that cybersecurity legislation in particular industries reflected congressional intent to limit the FTC's authority. The court found, on the contrary, that these statutes,[9] all of which contained detailed provisions granting the FTC substantive authority over data security practices, complemented – rather than precluded – the agency's authority. Nor was the absence of preexisting FTC rules and regulations inconsistent with "fair notice" of the statutory meaning of unfairness.[10] Notice to companies was sufficient, according to the court, by virtue of any number of FTC statements (in complaints, consent decrees, public pronouncements, and business guidance brochures, among other things), particularly in light of the deference owed to the agency on the question of when rulemaking is warranted.[11]

The Third Circuit Court of Appeals has recently agreed to hear Wyndham's challenge to the FTC's authority, meaning that Wyndham's fees and expenses continue to grow.

Wyndham’s Private Plaintiff Legal Proceedings

Following the FTC's initiation of legal proceedings, Wyndham shareholders sent letters to the board of directors demanding that they bring a lawsuit based on the cybersecurity breaches. After a review of the demands, Wyndham's board decided not to bring any legal action. Certain of the shareholders that had taken part in the demand letters then brought a shareholder derivative action against the board.

Because Wyndham is a Delaware corporation, the decision of its board as to whether to bring a lawsuit is protected by the business judgment rule. Under the business judgment rule, the court presumes that the board refused the demand "on an informed basis, in good faith and in the honest belief that the action taken was in the best interest of the company."[12] To win a lawsuit, the plaintiff shareholder must overcome this presumption – a difficult task under most circumstances, as courts are willing to "uphold even cursory investigations by boards."[13] And indeed, it was an insurmountable task for the Wyndham shareholder plaintiffs. The court held that the board acted reasonably, noting that before the board received the demand request, it had met 14 times to discuss the cyber breach, the board was given a presentation by Wyndham's general counsel on the situation at every quarterly board meeting, and the board's audit committee discussed the issue in at least 16 meetings. As a result, the board "had a firm grasp of Plaintiff's demand when it determined that pursuing it was not in the corporation's best interest."[14]

Nonetheless, the company faced significant legal fees defending the shareholder action, and a less reactive board might have faced liability. And it is not clear whether consumers, financial institutions or other injured parties will mount a class action against the company.

Remedial Measures

A data-breached company not only faces the expense of complying with regulatory investigations and defending litigations, but also has to repair the leak. After the cyberattacks occurred, Wyndham initiated a series of security upgrades and hired an independent firm to review its security. Wyndham also required its franchisees to execute an addendum to their franchise agreements that addressed cybersecurity. Such remedial measures can be costly.

Lessons Learned

From the Wyndham case study, one can derive several lessons.

First, the Wyndham case illustrates the importance of cooperating with regulators once a cyber breach occurs. Wyndham made the decision not to self-report the breach and to take an aggressive stance in the investigation by contesting the formal order, failing to agree to a settlement, and ultimately challenging the FTC's authority in court. All of these actions likely resulted in significant additional costs for Wyndham.

Second, data breaches are expensive endeavors. Even when the number of accounts hacked is relatively small (compare the 600,000 accounts hacked in Wyndham against the 100 million accounts hacked in Target and Heartland Payment Systems), the costs of regulatory investigations and litigations can be high. An FTC investigation can take years and significant legal resources to resolve. It can also be disruptive to the business, for both C-level employees and business persons assisting with gathering requested material. In Wyndham's case, the cost of the regulatory investigation already exceeds $5 million, and the company is just beginning to litigate against the FTC. Defending attendant civil litigations and class actions is likely to add another $5 million to the tab, if not more. Couple those expenses with remuneration, potential FCC fines, remedial cyber defense measures, SEC filings, business disruption and reputational loss, and the data-breached company faces a hefty charge. Companies are better off investing in prophylactic security measures than expending even more on legal fees and settlements down the road.

Third, and building on the first lesson, a solid cyber defense program is essential to cybersecurity. In its report on the Internet of Things, the FTC set forth several guidelines for structuring a company’s cyber defense architecture.[15] The FTC’s recommendations include assessing the cybersecurity in place, minimizing data collection and retention, testing and retesting cybersecurity, training personnel to use data protection best practices, retaining competent service providers and overseeing their work, employing a “defense in depth” multi-layered cybersecurity approach, implementing access control to prevent unauthorized access on the consumer side, and reassessing and monitoring. The program needs to be supervised at the highest levels of the company. Today’s directors should seek outside assistance in understanding the company's data security and compliance policies, be cognizant of the personal and financial data that the company holds, and routinely ensure that those measures are tested and updated.

Fourth, companies need to reduce their cyber exposure. Companies should minimize the likelihood that they are targets for a data breach. In addition to building a formidable cyber defense, minimizing measures can include limiting the amount of data collected and retained, and publicizing the data protection that the company employs. Companies should limit the third-party applications employees are able to upload on work computers. These unnecessary applications, such as file-sharing programs, are often entry points for hackers. Similarly, companies should ensure that employees only have access to personal information necessary to conduct that employee's job functions. A central tenet of any security program is deterrence, and letting others know that the company is serious about cybersecurity may deter hackers.

Fifth, when a data breach occurs, management needs to take a hands-on approach. Directors need to be in the know and actively participate in resolving cybersecurity problems after a breach. One lesson from the Wyndham derivative litigation is that the company may escape derivative actions if the directors are actively involved in resolving the company’s data security issues. The topic should be raised at each regular board meeting until the issue is resolved, and a committee should be charged with overseeing implementation of remedial measures.

Sixth, companies need a comprehensive data breach response plan. The response plan should include contacting legal counsel and technical specialists immediately upon learning of a data breach. In the wake of a data breach, many states require prompt notice to those affected. Additionally, derivative actions and FTC investigations are not the only legal problems that companies with data breaches face.

As Home Depot and Target learned after their networks were infiltrated, class action lawsuits by injured consumers, financial institutions, and credit card companies often follow data breaches, especially when there is a publicized regulatory investigation. Home Depot, for example, announced that it faced as many as 44 lawsuits relating to the data breach it suffered.[16] The response plan should include contacting legal and technical counsel that are already familiar with the company’s cybersecurity architecture and procedures.

It is unlikely that the FTC will remain the sole enforcer of cybersecurity laws and regulations. Other regulators, such as the FCC and SEC, have the authority to levy fines and have already voiced their intent to be active cybersecurity enforcers. State attorneys general are also beginning to take an interest in cybersecurity enforcement. Thus, future corporate targets of data security breaches are likely to face a host of legal proceedings and significant financial exposure, and they will need strong legal and technical advisors to help them through the thicket.

Seventh, directors and officers need to review the company's insurance to assess their cyber coverage and/or exposure. Some D&O insurance policies do not cover cyberattacks (and with the prevalence of such attacks, an exclusion from coverage may be more common). Data breach exclusions are also becoming more commonplace in general liability policies. Directors and officers should review the company’s general liability and D&O insurance to determine whether cybersecurity breaches are covered, and if not, ensure that they have sufficient funding to respond to such a breach. Companies should also inquire about the availability of cyber-risk-related policies.

Companies would be wise to heed these lessons learned to avoid the fate of companies like Wyndham, Target and Home Depot. While it may be nearly impossible to ensure that a data breach will never occur, companies should take all reasonable actions to prevent such a breach. And, if one occurs, companies should follow a response plan and prepare for the almost certain investigations and litigation.



[1] According to Wyndham, the theft of credit card information limits its liability because: "card brand rules protect cardholders from suffering any financial injury when their card is compromised." January 20, 2012 Petition to Quash, In the matter of Wyndham Hotels, FTC No. 1023142, available at http://www.ftc.gov/sites/default/files/documents/petitions-quash/wyndham-hotels-resorts-llc/120120wyndhampetition.pdf. This latter point is contested by regulators and consumers. Indeed, the experience of Home Depot and Target tells a different story.

[2] April 8, 2010 Letter from the FTC to Kirsten Hotchkiss, SVP-Legal, Wyndham Hotels and Resorts, LLC, available at http://www.ftc.gov/sites/default/files/documents/petitions-quash/wyndham-hotels-resorts-llc/120420wyndhamreview.pdf.

[3] January 20, 2012 Petition to Quash, In the matter of Wyndham Hotels, FTC No. 1023142, available at http://www.ftc.gov/sites/default/files/documents/petitions-quash/wyndham-hotels-resorts-llc/120120wyndhampetition.pdf.

[5] January 20, 2012 Petition to Quash, In the matter of Wyndham Hotels, FTC No. 1023142, available at http://www.ftc.gov/sites/default/files/documents/petitions-quash/wyndham-hotels-resorts-llc/120120wyndhampetition.pdf.

[7] Complaint, FTC v. Wyndham Worldwide Corp., No. CV 12-1365-PHX-PGR (filed August 9, 2012).

[8] Federal Trade Commission v. Wyndham Worldwide Corp., No. 13-cv-01887 (ES)(SCM), 10 F.Supp.3d 602, 614 (D.N.J. Apr. 7, 2014) (citing FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 239-40 (1972); American Fin. Servs. Ass'n v. FTC, 767 F.2d 957, 967 (D.C. Cir. 1985)).

[9] Wyndham cited the Gramm-Leach-Bliley Act (financial institutions); the Health Insurance Portability and Accountability Act (health plans, healthcare clearinghouses, and healthcare providers who transmit health information in electronic form); and the Fair Credit Reporting Act (credit reporting agencies).

[10] Id. at 619.

[11] Id.

[12] Palkon v. Holmes, No. 2:14-CV-01234, 2014 WL 5341880 (D.N.J. Oct. 20, 2014).

[13] Id. at *6.

[14] Id.

[15] FTC, Staff Report, Internet of Things: Privacy & Security in a Connected World, January 2015.

[16] Home Depot Inc. Form 10-Q (November 2014).

 

Tim Cornell is a counsel in Clifford Chance’s Antitrust practice and resident in the firm’s Washington, D.C. office. He has advocated on behalf of dozens of clients before the U.S. Federal Trade Commission and U.S. Department of Justice, and has litigated antitrust and other high-profile cases before arbitration panels and in federal and state courts across the U.S.

Please email the author at timothy.cornell@cliffordchance.com with questions about this article.