ARUN RATH, HOST:
As a country, we love to shop online. Such convenience, such great deals. Still, there is a downside.
(SOUNDBITE OF NEWS REPORTS)
UNIDENTIFIED MAN #1: Federal officials trying to stop a major hacking attack from happening...
UNIDENTIFIED MAN #2: The prying eyes of a hacker are to blame for...
UNIDENTIFIED WOMAN #1: ...some names, emails, addresses and passwords have been compromised.
UNIDENTIFIED WOMAN #2: Twenty-four million people at risk for identity theft.
UNIDENTIFIED WOMAN #3: ...how to keep your data safe and secure in 60 seconds.
RATH: Of course, there are laws to make sure companies protect your sensitive data. Well, actually, no.
WOODROW HARTZOG: There is no one law in the United States that mandates that websites and phone applications have good data security.
RATH: That's our cover story today: Who is the sheriff of cybertown?
(SOUNDBITE OF MUSIC)
RATH: There is no one law to make sure your data are protected in the cyberspace. Even the question of who should be protecting the consumer's up for debate. The Federal Trade Commission, under its authority to protect consumers, has stepped in to fill the void and police data security. Since the early 2000s, the FTC has brought close to 50 cases against companies with lax data security practices that they say have put consumers at risk. But now, one of those companies, Wyndham Worldwide Corporation, is fighting back, basically telling the FTC, sorry, you're not the boss of us.
Jessica Rich is the director of the FTC's Bureau of Consumer Protection.
JESSICA RICH: We allege that Wyndham's unreasonable data security practices permitted hackers to access its network on three separate occasions over the course of two years.
RATH: Wyndham Worldwide Corporation is challenging the FTC's authority to bring complaints against companies in the first place. Here's what happened. Computer servers at the hotel chain were hacked. The hackers exported credit card information from hundreds of thousands of consumers to a Russian domain. The result? Close to $11 million in fraudulent charges. Rich claims there were simple steps that could've been taken to prevent the damage.
RICH: Just some examples: Wyndham didn't require complex passwords for systems that managed consumers' payment card information; Wyndham stored credit card numbers in clear readable texts, making it much more available to hackers.
RATH: Wyndham declined to provide a comment on the air because the case is still in active litigation. In a statement, the company said that Congress has not provided the FTC with the broad authority to pursue such cases against American businesses. The FTC's Jessica Rich disagrees.
RICH: We have authority to bring action against companies that engage in either deceptive or unfair practices. Deceptive practices means that companies have made misstatements about the level of security they provide, or unfairness basically means putting consumers at unreasonable risk of injury.
RATH: To protect the consumer, the FTC wants companies to take strong measures to prevent personal data from falling into the wrong hands.
RICH: There have been so many breeches of data in recent years. Identity theft has really been on the rise. It's a high priority at the Federal Trade Commission to promote better data security, including by bringing action against companies that fail to do so.
RATH: When the FTC finds a company has failed to sufficiently protect consumers, it levies penalties. Companies are required to implement a data security program, often for up to 20 years. Companies must report to the FTC, and there are third-party audit requirements. In some cases, civil penalties also apply. Again, Jessica Rich.
RICH: And that's a very powerful tool to make sure that the company implements data security in the future.
RATH: For their part, Wyndham Worldwide says they did have substantial security measures in place. Their statement to NPR goes on to say, quote, "To our knowledge, the cybercriminals responsible for the attacks have never been apprehended by law enforcement officials."
Woodrow Hartzog is a professor focusing on privacy issues at the Samford University Law School.
HARTZOG: A popular argument is that the FTC is punishing the victim here. They are punishing the person who was victimized by a burglar in their own house.
RATH: Hartzog doesn't buy that argument.
HARTZOG: I think the much better analogy is that the FTC is punishing companies like Wyndham for leaving their door unlocked, but it was someone else's stuff that was inside the house.
RATH: Jessica Rich says the FTC does acknowledge the wrongdoing of the hackers.
RICH: But any company that collects sensitive information from consumers and fails to protect it is also at fault. And so to stop these types of breeches, we believe it's also appropriate to hold the company accountable.
RATH: But who should hold the companies accountable is not clear. Congress has never officially passed a broad data security policy. Without the FTC in a de facto role, it starts to look a little like there's no sheriff in town. Again, Professor Hartzog.
HARTZOG: If you have health information and if you have financial information, then you have to provide a certain amount of data security. But for the most part, this is largely an unregulated area. We've made the decision years ago to try to approach privacy in a fragmented kind of way. Inevitably, what that means is that things fall through the cracks.
RATH: When the Internet was first adopted, people realized that personal information would be out there, but there was no clear way to regulate it. So companies started coming up with those wonderful disclaimers you have to click on. Here's a dramatic reading.
UNIDENTIFIED WOMAN #1: Our privacy commitments are fundamental to the way we do business every day.
UNIDENTIFIED MAN #1: When you register an account, we collect some personal information such as your name...
UNIDENTIFIED WOMAN #2: This information collected from cookies and other technologies, like pixel tags, to improve your user...
UNIDENTIFIED MAN #2: This may include network and communication information such as your IP address or mobile phone...
RATH: Be honest, do you read those all the way through? Neither do I.
Ilana Westerman is a CEO of Create with Context. They conduct research on privacy issues from the user perspective. In a study last year, participants downloaded an app that required them to agree to privacy terms before using it.
ILANA WESTERMAN: And then we asked them what it said, and 98 percent of people hadn't read it. And the reason was, was because they weren't ready to read it. The timing wasn't right.
RATH: Most people just wanted to explore the app, not read an essay.
WESTERMAN: As humans, we're just kind of going along, doing what we're doing with our digital devices, and we're not sitting there analyzing what is being collected. We're not going out and investigating it.
RATH: But if you skip or skim these agreements, you might be giving up personal information without realizing it.
(SOUNDBITE OF MUSIC)
RATH: One notorious example that got a lot of attention in the press: when Jay-Z's new album was released in July, Samsung Galaxy phone users had the option to get it for free. What some didn't realize - most likely because they didn't read the agreement - is that the app requested information, including physical location and phone activity data. Ilana Westerman says it's a new world for everyone.
WESTERMAN: For designers, for developers, for companies, for consumers. And so, I think as people who are creating these types of products and services for consumers, it's just our job to, as much as possible, try to create that transparency for them.
RATH: But as to whose job it is to police that transparency, until the Wyndham case, the FTC had been doing that unchallenged. All cases before this one have ended in settlements. It's usually less expensive to just settle and follow the FTC guidelines. So I asked Professor Hartzog: For all of us out there going through the motions and ignoring privacy policies, are we being dumb?
HARTZOG: No. One thing that almost everybody knows about privacy policies is that nobody reads them. In fact, these things are very rarely enforced as contracts. So I think the FTC has come to recognize that it's relatively insane to ask consumers to read and understand all of these agreements, and so they're going to act accordingly.
RATH: Meanwhile, Wyndham Hotel's case against the Federal Trade Commission drags on in a New Jersey federal court. Oral arguments concluded in early November. In recent years, several data security bills have been proposed in Congress, but all have languished thus far. If the Federal Trade Commission loses to Wyndham, the question of who protects the Internet consumer will be getting a lot more attention.
(SOUNDBITE OF MUSIC)