A judge ruled today that
the Federal Trade Commission (FTC) can push forward with its
lawsuit against hotel company Wyndham Worldwide Corp. Wyndham’s
crime? Being hacked.
The FTC announced the lawsuit in 2012, arguing that it was
Wyndham’s lax security that allowed for hacking that resulted in the
theft of credit card information of more than 600,000 customers and
more than $10 million in federal charges. The Washington Post
took note of the case in 2012:
The FTC lawsuit, filed in U.S. District Court in Arizona,
alleges numerous shortcomings in security practices by Wyndham and
its subsidiaries, including the failure to erect firewalls, use
appropriate passwords or configure software to keep credit card
information secure.
The Wyndham systems were so vulnerable that hackers were able to
use a primitive “brute force” attack in which they essentially
guessed the password to an administrator’s account and used the
resulting access to scour the system for personal data for months,
the suit said. Much of the data ended up on an Internet domain
registered in Russia, which experts say is a major hub of
cybercrime.
Wyndham tried to get the case dismissed on the grounds that the
FTC does not have authority to regulate data security. Judge Esther
Salas of the U.S. District Court of the District of New Jersey
refused, though. She wrote that it could be “reasonably inferred”
that Wyndham’s poor security practices caused the data breach. The
FTC is accusing Wyndham of essentially false advertising, saying
its promise to protect users’ data was “unfair and deceptive,”
The Hill notes.
This isn’t a ruling that the FTC is correct that Wyndham should
be held liable. Salas ruled only that the case may continue to move
forward. She
did warn in her ruling that her decision should not be taken as
a “blank check” by the FTC to “sustain a lawsuit against every
business that has been hacked.” Just, apparently, the ones that
don’t meet the government’s standards for data security, whatever
those may be. The FTC has recommendations
and guidance but not actual regulations. Yes, that’s
right—something the government doesn’t have regulations
for.
from Hit & Run http://ift.tt/1imqphw