
Back To School Basics

As we get ready for “back to school”, it is a good time to remember the need to get back to the basics and the importance of consumer-centric security and privacy-enhancing best practices. The recent Wyndham dispute with the Federal Trade Commission and Spotify’s privacy policy snafu serve as stark reminders of these concerns.

The Wyndham case has been top of mind for many in the privacy, security and legal communities. In full disclosure, OTA has publicly supported the FTC’s position of having regulatory oversight on data security. That said, it is important to understand that there is no perfect security, and we need to be careful not to “victimize the victim”. We appreciate Wyndham’s position on this point, BUT only in the case that a company can demonstrate they HAVE adopted REASONABLE security and privacy-enhancing best practices. The crux of the case was Wyndham’s claim that the FTC failed to provide businesses with “fair notice” concerning which data security practices it regards as “unfair” under Section 5 of the FTC Act.

The court provided details on the allegations against Wyndham, including: allowing hotels to store credit card data in plaintext, using easy-to-guess passwords, failing to implement firewalls and other rudimentary data security tools, allowing third parties to connect to the network without authentication, and failing to deploy reasonable measures to detect and respond to cyber-attacks. The Wyndham case is important in the FTC’s emergence as the United States’ top privacy and data security regulator. By affirming the FTC’s authority, the court’s decision could usher in a period of heightened enforcement activity, but most importantly it sends a strong message that every business MUST take steps to HELP protect the data they collect and hold.

Spotify’s privacy policy debacle is another reminder that we need to put consumers first. Their recently updated privacy policy, which asked users for permission to collect their contacts, location data and photos, resulted in harsh criticism. The response from their CEO on Twitter further sparked an outcry from users who had been assured of an ad-free experience in exchange for a monthly fee. The Spotify CEO’s response, offered “as being open and transparent as possible”, only created confusion, anxiety, distrust and in some cases cancelation of subscriptions.

As OTA audits nearly 1,000 sites annually, we are continually amazed by the language and length of privacy policies. Perhaps even more troubling is that executives, privacy professionals (and political candidates) are out of touch and often unaware of the context or connotations, focusing on the needs of the company rather than the customers who pay their salaries.

As we look to the promise of IoT devices and solutions and the escalating threats of malvertising, we need to learn from these missteps and make security and privacy part of our brand promise.  Wyndham and Spotify should serve as “teachable moments” for us all to help achieve and enhance online trust.