Abstract

“We are in the era of big data.” 1 Few, if any, industries have embraced big data as much as the commercial casino industry. Through the implementation of casino loyalty programs (CLPs), casino operators gather vast amounts of personal data about their customers. Customer data, known by some in the commercial casino industry as personal player information (PPI), is used to gain insight into the preferences and spending habits of customers. 2 CLPs allow operators to use PPI to understand customers better than their competitors with the hope of enticing repeat visits and ultimately establishing customer loyalty. 3 Operators use PPI to better understand customer behavior, creating unique offers, promotions, and comps for individual customers. 4 The most popular CLPs have enrollment in the tens of millions. 5
With so many players enrolled, CLPs concentrate large amounts of PPI in a few systems, and that concentration attracts cyber criminals. This aggregation of PPI in a centralized database requires casino operators to be on the cutting edge of data security. As seen in the last five years, some of the world's largest companies in the retail, entertainment, and financial industries have proven susceptible to data breaches. 6 The gaming industry is not immune from similar attacks. If casino operators were unaware of their data breach exposure in prior years, they were put on notice when the systems of the world's largest gaming company, the Las Vegas Sands Corporation, were compromised by Iranian hackers in 2014, exposing PPI. 7
Commercial casino operators are aware of the traditional costs and liabilities associated with data security. 8 Traditional torts filed by victims of identity theft claiming a company's misuse or improper security of customer data are mostly unsuccessful. This is usually due to courts finding victims' claims either lack standing or lack actual damages. However, a new potential liability exists for casino operators with CLPs surrounding the collection, use, and storage of PPI—an unfairness claim brought by the Federal Trade Commission (FTC). 9
In August 2015, the United States Court of Appeals for the Third Circuit recognized the FTC's authority under 15 U.S.C. § 45(a) to regulate unfair or deceptive data security practices. 10 This article sheds light on FTC v. Wyndham and how the ruling and subsequent actions by the FTC may impact the commercial casino industry.
Section I provides a brief overview of CLPs, including the collection, use, and storage of PPI. Section II discusses the Federal Trade Commission Act of 1914 (FTC Act), specifically its prohibition of “unfair methods of competition in commerce.” Section III discusses the Third Circuit's holding in Wyndham, recognizing the FTC's authority to assert an unfairness claim against a commercial entity for misuse of private consumer data. Section IV provides guidance for commercial casino operators collecting and using PPI in the post‐Wyndham business environment.
I. Casino Loyalty Programs: Collection, Use, and Storage of Personal Player Information
CLPs allow casino operators to receive substantial benefit from the collection and strategic use of personal player information. PPI includes sensitive information including but not limited to the name, physical address, phone number, email address, date of birth, and driver's license number of players. The specific types of information gathered are outlined in privacy policies issued by the casinos. 11
In 1998, Harvard Business School professor Gary Loveman was hired as Harrah's Entertainment, Inc.'s chief operating officer after working several years as a consultant for the gaming company. 12 Loveman wanted to change the way casinos made decisions. 13 Replacing the “gut instincts” of executives with the statistics of data analytics, Loveman adopted the mantra: “Tell me what you know, not what you think.” 14 The analysis of PPI allowed Loveman and other casino executives insight into the highly coveted patterns and proclivities of casino customers. 15
Following the lead of the airline industry, which established frequent flyer programs in the early 1980s, Harrah's Entertainment created a similar loyalty program that assigned players individual numbers and allowed the casino company to track their activities at their locations. 16 Caesars' Total Rewards Program, initially launched in 1997 as Harrah's WINet (Winners Information Network), quickly became a success. This program attracted millions to voluntarily enroll and provided Caesars its much coveted PPI. By the end of 2013, there were over 45 million people enrolled in Caesars' Total Rewards Program. 17 Caesars' bet on personal data hit, and competing casinos quickly adopted similar CLPs. 18 Today, most casinos have CLPs that collect PPI.
CLPs provide casino operators a conduit to collect PPI. The primary benefits casinos receive from CLPs are the ability to (1) accurately calculate and update the future value of individual customers, and (2) entice future visits from profitable customers through personalized incentives based on observed personal preferences and playing habits.
From the first hand dealt or the first dice rolled, casino operators have studied the habits of their customers. For decades, even before the advent of computer technology and data analytics, operators knew studying customers' play made it “possible to predict how valuable a gambler may be in the future.” 19
In the old days, management based a player's future value on three factors: 20
1. the player's typical bet amount per play;
2. the number of consecutive bets placed;
3. the player's level of skill at particular games.
Over the years, the industry's growing reliance on data collection precipitated the evolution of that crude test into a more sophisticated formula: 21
The individual player data received from CLPs allowed casinos to input more accurate data into their player profitability models.
The second benefit casino operators derive from CLPs is the ability to leverage PPI to entice future visits from profitable customers through personalized incentives based on observed personal preferences and playing habits. Obtaining repeat visitors is crucial to profitable casino operations. Casinos analyze PPI and observe player habits to create personalized offers for CLP members. These offers are sent directly to members by mail and e‐mail. In the United States, members of CLPs receive over a billion offers annually from casinos. 22 Loveman summed it up best when he stated, “We want to treat every single person differently, based on what we know they care about and what we can afford to give them.” 23
II. The FTC Act's Prohibition of “Unfair Methods of Competition in Commerce”
Passed by Congress in 1914, the Federal Trade Commission Act created a federal agency, the FTC, and prohibited commercial entities from participating in “unfair methods of competition in commerce.” 24 The Act was initially designed to complement and reinforce the Sherman and Clayton Acts 25 by creating the FTC to “stop in their incipiency acts and practices which, when full‐blown, would violate those statutes.” 26
For many decades, what qualified as an “unfair method of competition” was not expressly defined in the statute. 27 Instead, the Supreme Court determined that Congress intended the term to be a “flexible concept with evolving content,” and “intentionally left [its] development to the Commission.” 28 Throughout the twentieth century, the FTC, Congress, and the judiciary clarified what practices or acts qualified as an unfair method of competition.
An important shift in focus by the FTC occurred in 1980, when, at the urging of Congress, the agency issued a policy statement announcing that “unjustified consumer injury is the primary focus of the FTC Act.” 29
The FTC provided a three‐part test for the agency to justify a finding of unfairness. 30
These factors were codified by Congress in 1994 in 15 U.S.C. § 45(n). 31
The new section of the FTC Act stated that an act or practice is unfair if it:
1. causes or is likely to cause substantial injury to consumers;
2. is not reasonably avoidable by consumers; and
3. is not outweighed by countervailing benefits to consumers or competition. 32
This is the standard used today by the FTC to determine if an unfairness claim may be brought against a business. Additionally, the FTC “may consider established public policies as evidence to be considered.” 33 However, such policy considerations “may not serve as a primary basis” in determining unfairness. 34
The FTC may enforce 15 U.S.C. § 45 by either: (1) following the administrative process and issuing a cease‐and‐desist order, which commonly results in a consent agreement and order; or (2) filing a complaint in court seeking an injunction and consumer redress against defendants. 35
Consent orders require a business to comply with certain practices to ensure it is no longer committing the unfair act or practice originally in question. Importantly, consent orders place a burden on businesses to comply with specific recommended practices for multiple years. Failure to adhere to practices stated in the consent order subjects a business to civil penalties of up to $40,654 per violation. 36 A business may incur a separate penalty for each violation or offense of a consent order, and daily fines for failure to obey a term of the consent order may accrue. 37 The structure of the penalties is such that businesses may rapidly accumulate penalties for violating a consent order. 38 Alternatively, in the absence of an agreed resolution, the FTC may pursue civil penalties and injunctive relief through suit in federal court. 39
Having established the authority of the FTC to regulate unfair business practices, this article transitions to the FTC's authority to bring action against businesses that misuse private consumer data. In 2015, the first case challenging that authority reached a U.S. Court of Appeals. The next section discusses the Third Circuit's ruling in that case, FTC v. Wyndham, in detail.
III. FTC v. Wyndham: FTC's Authority Over Unfair Use of Private Consumer Data
In 2015, the U.S. Court of Appeals for the Third Circuit heard an FTC unfairness claim against Wyndham Worldwide Corporation (Wyndham). 40 Wyndham, an owner, franchiser, and manager of hotels, 41 used a property management system to process private consumer data that included “names, home addresses, e‐mail addresses, telephone numbers, payment card account numbers, expiration dates, and security codes.” 42 Each of Wyndham's approximately 90 independently owned hotels was required to use and maintain the property management system. 43 Wyndham also operated a data center in Phoenix, Arizona, that was connected to the property management system of each Wyndham hotel. 44
On three separate occasions between April 2008 and December 2009, hackers successfully accessed Wyndham's data center and property management systems. 45 In total, the three security breaches were alleged to have compromised the payment card information of over 619,000 patrons and to have caused at least $10,600,000 in identity fraud losses. 46 In 2012, the FTC filed suit against Wyndham, claiming “the hotel's privacy policy misrepresented the security of customer information and that its failure to safeguard personal information caused substantial consumer injury.” 47 The FTC alleged “wrongly configured software, weak passwords, and insecure computer servers were examples of Wyndham's inadequate data security procedures,” which led to the three data breaches. 48 The district court denied Wyndham's motion to dismiss, and Wyndham took an interlocutory appeal of that ruling.
The Court of Appeals for the Third Circuit affirmed the district court's ruling against Wyndham, holding that the FTC had authority to bring the claim and that the complaint adequately alleged that Wyndham's inadequate data security practices and misuse of private consumer data constituted an unfair practice under 15 U.S.C. § 45(a), as defined in § 45(n). As alleged, Wyndham's practices of using and securing private consumer data (1) caused substantial injury to consumers; (2) were not reasonably avoidable by consumers; and (3) were not outweighed by countervailing benefits to consumers or competition.
The FTC's consent order required Wyndham to adhere to the following terms for a 20‐year period: 49
1. Establish, implement, and maintain a comprehensive information security (IS) program designed to protect the payment card data of customers.
2. Annually obtain an independent, third‐party written assessment of the IS program that demonstrates compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), or a comparable FTC‐approved standard.
3. In any future data breach that affects more than 10,000 payment card numbers, obtain an independently produced PCI Forensic Investigator Final Incident Report, or a comparable FTC‐approved report, within 180 days of the breach's discovery.
4. Provide the FTC with copies of all such assessments and reports within 10 days of receiving them from its independent assessors or investigators.
Although the FTC had previously brought unfairness claims against other companies, 50 this was the first time the FTC's authority was challenged in a U.S. Court of Appeals. The Third Circuit recognized and solidified the FTC's authority to bring an unfairness claim against a business for misuse of private consumer data. 51 According to then‐FTC Chairwoman Edith Ramirez, FTC v. Wyndham was “a significant case in the FTC's efforts to protect consumers from the harm caused by unreasonable data security … [T]he court rulings in the case have affirmed the vital role the FTC plays in this important area.” 52
IV. How Wyndham Affects Casino Loyalty Programs
A review of the court's holding in Wyndham results in four practical findings for commercial casino operators that collect PPI through CLPs. This section presents an analysis of each.
Commercial casinos that collect PPI through CLPs have constructive notice of the FTC's authority to regulate unfair data practices and recommended cybersecurity practices.
Based on Wyndham, lack of notice will rarely be a viable defense for casinos with CLPs. “Wyndham argued it lacked notice of what specific cybersecurity practices are necessary to avoid liability” under 15 U.S.C. § 45. 53 The court stated that “fair notice is satisfied … as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.” 54
The Third Circuit states reasonableness is determined by a “cost‐benefit analysis.” 55 Factors in the analysis include:
Using the factors above, the FTC may challenge practices that are “unreasonable in light of the full range of circumstances.” 59
Importantly, the FTC will not impose strict liability on commercial casino operators for a data breach. 60 The agency recognizes that “reasonable security is a continuous process of assessing and addressing risks; that there is no one‐size‐fits‐all data security program; and that the mere fact that a breach occurred does not mean that a company has violated the law.” 61
However, applying those factors to commercial casinos, it seems likely the FTC would assert that any commercial casino with a CLP has fair notice of the FTC's recommended cybersecurity practices due to:
1. The large volumes of sensitive consumer information (i.e., PPI) collected;
2. The expansive scope and highly sophisticated nature of CLP data operations; and
3. The relatively low cost and ready availability of cybersecurity applications and procedures that casinos can use to protect PPI and reduce system vulnerabilities.
Additionally, the court in Wyndham pointed to several other considerations that reinforced its decision that Wyndham was on notice, mainly referencing a 2007 FTC‐issued guidebook, Protecting Personal Information: A Guide for Business, “which describes a ‘checklist’ of practices that form a sound data security plan.” 62 Commercial casino operators should reference this guidebook as well as more recent resources produced by the FTC for further guidance on what is considered “reasonable” data security practices. 63 Separately, operators should consult local and state authorities for guidance on “reasonable” data security practices.
Commercial casinos cannot hide behind privacy policies; the FTC requires adequate investments in securing PPI.
Most, if not all, commercial casinos with CLPs publish privacy policies that are made available to consumers. A privacy policy usually includes information for consumers about the way PPI is collected, used, and secured by the casino. The court in Wyndham commented that a company acts unfairly when it “publishes a privacy policy” that promises to invest adequate resources in cybersecurity and “fails to make good on that promise” thereby exposing “its unsuspecting customers to substantial financial injury, and retains the profits of their business.” 64
Adequate investment in cybersecurity resources is judged by the same cost‐benefit analysis used to establish fair notice, discussed previously in this section. Under this standard, the complex data operations associated with CLPs set a high bar for commercial casinos to meet, requiring evidence of substantial capital investment in securing PPI. Commercial casinos whose privacy policies describe their efforts to secure PPI may be subject to an FTC unfairness claim if found to be making inadequate investments in cybersecurity.
An FTC unfair data practices claim does not require actual injury by a customer.
The FTC may bring an unfairness claim against a casino before any players suffer actual injury resulting from a casino's misuse of PPI. Unlike theories of negligence that require actual injury to a party before filing suit, “the FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs.” 65 The court in Wyndham gave further explanation, stating that “although unfairness claims usually involve actual and completed harms, they may also be brought on the basis of likely rather than actual injury.” 66
Likelihood of injury was a key issue in LabMD v. FTC, the second challenge to the FTC's authority over businesses' unfair data practices. 67 In November 2016, the U.S. Court of Appeals for the Eleventh Circuit agreed with the Third Circuit's ruling in Wyndham from the previous year, and also recognized the FTC's authority over unfair data practices. 68 However, the court disagreed with the FTC's broad statutory interpretation of “likely to cause” in § 45(n). 69 According to the court, there must be more than a low likelihood of injury for the FTC to consider an act or practice unfair. 70 This interpretation slightly narrows the scope of potential claims the FTC may bring against businesses: the threshold for “likely to cause” is something more than the FTC's position of “a low likelihood” of harm but less than LabMD's position of “a high probability of occurring.” 71
A commercial casino's actions need not be the most proximate cause of customer injury for the FTC to bring a claim of unfairness and establish liability of foreseeable harms.
Wyndham argued it should not be subject to the FTC's unfairness claim because its actions were not a proximate cause of customer injury. 72 The court did not find Wyndham's argument compelling. 73 The court, relying on the Restatement (Second) of Torts § 449, stated that the fact that Wyndham's conduct was “not the most proximate cause of an injury generally does not immunize liability from foreseeable harms.” 74 In today's age of big data, cybercrime against commercial casino operators with CLPs is certainly a foreseeable harm. Even the world's largest gaming company, the Las Vegas Sands Corporation, has proven susceptible to a data breach exposing PPI. 75 Based on Wyndham, commercial casinos are unlikely to find any superseding or intervening cause that excludes them from liability under an FTC unfairness claim concerning consumer data. Commercial casino operators are ultimately responsible for what happens to PPI.
V. Conclusion
Wyndham Worldwide Corporation was the first company to challenge the FTC's authority to bring an unfairness claim against a business over its use of consumer data. In 2015, the U.S. Court of Appeals for the Third Circuit recognized the FTC's authority in this matter. In 2016, the U.S. Court of Appeals for the Eleventh Circuit agreed with the Third Circuit's holding, finding that the FTC has this authority. Neither appellant petitioned the U.S. Supreme Court for a writ of certiorari, so the highest court in the land has yet to hear a challenge to the FTC's consumer data authority. In coming years, as commercial procurement and use of private consumer data become more sophisticated in the modern economy, additional challenges to the FTC's consumer data authority will likely arise. Other federal circuits will likely align with the Third and Eleventh Circuits on future challenges to the FTC's consumer data authority.
CLPs and the collection of PPI are vital to the profitable operations of modern casinos. Through the collection of PPI, commercial casino operators measure the future profitability of customers based on gaming habits, and entice those same customers to return through personalized marketing. This practice ensures profitable customers make repeat visits to the casino's locations and establishes brand loyalty with the casino.
The business practice of strategic data mining in commercial gaming has evolved over the last two decades to an unrivaled level of sophistication, and so too has the malware hackers use to attack these systems. With the continued increase in accumulation of PPI through CLPs, commercial casinos are increasingly likely targets of a data breach. The recent holding in Wyndham provides guidance that data breach exposures may subject commercial casino operators to an unfair data practice claim by the FTC. The realities for commercial casinos with CLPs in the post‐Wyndham environment are clear:
1. Commercial casinos collecting PPI through CLPs have constructive notice of the FTC's authority to regulate unfair data practices and the agency's recommended cybersecurity practices.
2. Commercial casinos cannot hide behind their privacy policies; the FTC requires adequate investments in securing PPI.
3. An FTC unfair data practices claim does not require actual injury by a customer. 76
4. A commercial casino's actions need not be the most proximate cause of customer injury for the FTC to bring a claim of unfairness and establish liability for foreseeable harms.
The stakes are high for commercial casino operators making strategic business decisions to collect, analyze, and use PPI. While many casinos profit from the insights this data provides, they are also subjecting themselves to increased oversight by the FTC. For commercial casino operators already competing in one of the most regulated industries, most are willing to place this bet. But, before operators lay down their chips, it is imperative they know the costs related to an FTC unfair practices claim, the effects of which may require compliance for multiple decades. Only casino operators willing to make significant investments in protecting PPI should roll the dice.
