What Exactly Does Reasonable Mean?

The FTC’s maddening attempts to hold companies liable for cybersecurity lapses.

Wyndham Hotel Resort in Naussau, Bahamas, October 2010.
Even paradise needs cybersecurity. Above, the Wyndham resort in Nassau, Bahamas, is pictured in October 2010.

Photo courtesy Greg Grimes/Flickr


Without question, the data breach of the moment is the one Ashley Madison suffered. It’s led to the release of the email addresses of millions of would-be adulterers, as well as a potential class-action suit and possibly even two suicides. By comparison, the series of three data breaches that Wyndham Worldwide Corp.’s hotel chains suffered back in 2008 and 2009 could not seem duller or less relevant. And yet, the Wyndham breaches are the focal point of some equally—if not more—important (albeit less titillating) news this week than the revelation that some of your co-workers may have cheated (or tried to cheat) on their spouses.

On Monday the U.S. Court of Appeals for the 3rd Circuit ruled that the Federal Trade Commission has the authority to take action against Wyndham for its repeated failures to protect customers’ data. The first was in April 2008, when someone connected to the network of a Wyndham-owned hotel in Phoenix was able to guess the password for an administrator account using a brute-force attack and subsequently accessed customer payment card data. Then, in March 2009, there was another breach—an intruder accessed more customer information and also reconfigured the company’s systems to generate text files of guests’ payment card account numbers. A third intrusion occurred in late 2009, when more customer data was stolen.

These breaches are not, in and of themselves, especially noteworthy. What makes the FTC complaint against Wyndham interesting and important is that Wyndham fought back—the company argued that the FTC didn’t have the authority to punish it for its computer security (or lack thereof) and wasn’t sufficiently clear about what specific cybersecurity practices are required in order to avoid punishment. If these sound like two incompatible arguments, it’s because they are: If the FTC has no authority to regulate companies’ computer security practices, then there is no reason for it to be issuing guidelines about how to protect computer networks. And if you think it should be issuing clearer guidelines, then you pretty clearly believe that cybersecurity measures do, in fact, fall under the FTC’s authority.

The 3rd Circuit Court of Appeals didn’t buy either argument. And when you read through the lengthy descriptions of all the ways Wyndham failed to protect its networks, it’s hard to feel much sympathy for the hotel chain. According to the FTC complaint, there were no fewer than 10 practices that “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” These include failing to use firewalls, storing unencrypted payment card information, not fixing known security vulnerabilities on the company’s servers, not changing the default user IDs and passwords for those servers, and not requiring complex, difficult-to-guess passwords. (Apparently both the username and password for a Wyndham property management system developed by Micros Systems Inc. was micros.)

So, to be clear, Wyndham was egregiously lazy and careless—there’s no question about that. As the 3rd Circuit so succinctly said in response to Wyndham’s argument that it may have different opinions from the FTC as to what constitute “unreasonable” data security practices: “Too little and too late.” After all, as the FTC pointed out, it was not alleging that “Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords” (emphasis mine) but rather that the company had no security controls whatsoever in many of these areas.

Wyndham truly went above and beyond when it came to ignoring even the most basic security measures. But it does have a point. Experts disagree on which computer security practices are reasonable and which are unreasonable. None of them would be likely to classify Wyndham’s activity in the former category, and they would be equally unlikely to reach a clear consensus about what security measures would be reasonable.

When the FTC states that Wyndham is at fault not because it had weak defenses but rather because it had no defenses at all, it seems to set the bar awfully low. Would weak firewalls or IP address restrictions or encryption software have provided reasonable protection in the FTC’s eyes? The 2007 FTC guidebook on “Protecting Personal Information: A Guide for Business” that the court cites as offering some guidance to companies like Wyndham about how to protect data suggests that the answer to that question may be yes. It advises companies to “consider encrypting sensitive information” and encourages use of a firewall as well as strong passwords.

In other words, the FTC offers only very vague advice when it comes to cybersecurity. Advice so vague that unless a company completely disregards all of it—as Wyndham did—it’s not obvious that such guidelines would be much help when it comes to identifying negligent data security practices. And if the FTC is going to be monitoring negligence in this arena, the standards should be a little bit higher than just Do one or two of the things listed in the FTC guidebook, even if you don’t do them very well.

So, ideally, the FTC would make a very detailed, specific, rigorous list of the most effective data security practices for companies, and then anyone who failed to meet those standards could be held responsible.

But there are also lots of reasons why the FTC should not make a more detailed, specific, rigorous list of data security practices for companies. For one thing, different companies protect different types of data and face different threats, so it wouldn’t make sense for the FTC to impose a one-size-fits-all set of security requirements. Furthermore, we don’t actually want every company in the United States to employ an identical set of security measures—that would make it much easier for someone who found a way to breach one system to use that same tactic to breach many others. There’s some strength in diversity of security postures if only because it limits the utility of any individual intrusion tactic. Finally, security threats and defensive measures are not static—they change and evolve over time in ways that would likely be difficult for a checklist codified by the FTC to capture effectively.

All of this puts the FTC in a very tricky position—trying to hold companies accountable for failing to implement reasonable security measures without ever defining what those reasonable measures are. From that perspective, Wyndham’s frustration is almost understandable (or it would be if the company had bothered to do even the tiniest bit of data protection): How were we supposed to implement adequate security when no one ever told us what that means?

We will, eventually, need to get a little better at defining reasonable security measures if we want to punish more than just the most outrageously, excessively negligent companies that suffer breaches. Or perhaps we’ll end up feeling that falling victim to these mortifying, high-profile breaches is punishment enough.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.