Court Says FTC Can Go After Companies Who Get Hacked For Their Weak Security Practices

from the a-bit-of-a-slippery-slope dept

Almost exactly a decade ago (man, time flies…), we first discussed the question of whether or not it should be against the law to get hacked. The FTC had gone after Tower Records (remember them?) for its weak data security practices. That resulted in a series of questions about where the liability should fall. Many people, quite reasonably, say that there should be incentives for companies to better manage data security and (especially) to protect their users. But, it’s also true that sooner or later, if you’re a target, you’re going to get hacked. Ten years later and this is still an issue. The FTC went after Wyndham hotels for its egregiously bad data security (which made it easy for hackers to get hotel guests’ information, including credit cards), but Wyndham fought back, saying the FTC had no authority over such matters, especially without having first issued specific rules.

However, a court has shot down that argument and will allow the FTC’s case against Wyndham to move forward.

Again, Wyndham’s security here was egregiously bad. It didn’t encrypt payment data, and also used default logins and passwords for its systems. So there’s an argument here that some kind of line can be drawn between purely negligent behavior, such as Wyndham’s (lack of) data security, and companies who actually do follow some rather basic security practices, and yet still fall prey to hacks. What makes things tricky is that pretty large gray area in between the two extremes.

Filed Under: , , , ,
Companies: wyndham

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Court Says FTC Can Go After Companies Who Get Hacked For Their Weak Security Practices”

Subscribe: RSS Leave a comment
TKnarr (profile) says:

This ought to come under the heading of “negligence”. You don’t need specific rules to enforce the general rule that a business is liable for damage due to it’s negligence. Not that a business should be liable merely for being hacked, no, but in cases like Tower Records and Wyndham it’s not just that they were hacked but that their security measures were so inadequate they were the equivalent of using yellow “do not cross” tape instead of an actual railing to keep people from falling off the balcony of a high-rise building. The business going “But you didn’t tell us yellow tape was inadequate!” or “But you didn’t issue a rule saying you could ding us for just using yellow tape!” should be responded to with a Gibbs smack.

TKnarr (profile) says:

Re: Re: Re:

There are, believe it or not, standard best practices already out there. Storing hashes of your passwords instead of the cleartext passwords, for instance. Certainly there’s a lot of fuzziness about just where the line between being exploited and being negligent lies, but there’s also a lot of area where there’s no ambiguity at all. It’s much like other areas: there may be some ambiguity about whether glancing down to read the incoming call message on the screen of your cel phone is negligent or not, but that doesn’t somehow translate to it maybe possibly not being negligent to have both hands off the wheel and your head down digging through a bag on the passenger seat completely oblivious to what’s going on as you barrel down the freeway at 95mph.

I’m really annoyed at the patently false argument that if anything’s ambiguous then everything’s ambiguous. On maps the idea of a disputed border’s simple enough, and the fact that some part of the border’s disputed doesn’t stop other areas from clearly belonging to one country or another.

Anonymous Coward says:

Re: Re:

Actually I think Adobe is ahead rather than behind. Microsoft for a long time was the most vulnerable to hacker attack. With the release of Vista they started making some changes that helped. It became much easier to get into Windows through third party apps, which is where Adobe comes in.

Voted at least two years in a row the most hackable software says a lot about security issues. I have little faith in any product with Adobe’s name on it, short of knowing it is very much akin to a dataminer, wanting to call home so often to “check on updates” that don’t come anywhere near that often.

I don’t have much use for Adobe products. I’ll either hunt a satisfactory substitute or do without. Forget flash as another dataminer that has no place on my computer.

Anonymous Coward says:

Re: Re: Wrong plaintiff

I wasn’t talking about the bank’s network. I was talking about the hotel, retailer, etc. In that case, the bank has probably taken the hit for the fraud on behalf of its customers, and hence has standing to sue. The customers could also sue as part of a class action for violating their privacy.

Anonymous Coward says:


The FTC has no statutory authority to regulate adherence to computer security standards. They claim they don’t have to “formally issue regulations” (which is rather worrisome in and of itself), but surely there would first need to be some kind of statutory basis upon which the FTC may regulate matters of computer security, wouldn’t there? The FTC can’t just say “this falls under my jurisdiction” and have it be so. If anything, it seems to me the FTC has even less authority to regulate computer networks than the FCC has to regulate net neutrality, and we all know how that has ended.

The last thing we need is for government to impose a particular set of so-called “best practices”, be it through the adoption of statutory language to that effect, or through court opinions of whatever constitutes current “best practices” (which are often nonsensical and/or expensive to implement).

Anonymous Coward says:


The companies for some strange reason want to hang on to customer financial information way longer than is required for a business reason, why do they really need credit card numbers months or years after the bill was paid, they are tying a please rob us theives’ sign on themselves. If they don’t destroy their copy of a credit card number after a transaction they should and must suffer the consequence of the leaking of customer financial Info to crooks.

Anonymous Coward says:

You should be able to sue companies for not guaranteeing the security of the data they THEY decide to keep.

Protip: if you can’t secure our data, then don’t hold it.

So many companies these days are trying to gather as much data as possible about us with minimal work to secure that data. So if they get hacked or give away our data to 3rd parties or governments in a non-legal way, they should be sued for all of their worth.

Michael (profile) says:

In a competitive market, these data security problems are going to eventually be self-solving.

If a company is known to have poor security practices, people will stop giving them information (or using their services). You would eventually start seeing companies advertising that they don’t keep your credit card information and take your data security seriously and if people flocked to those companies, you would find others following suit.

Anonymous Coward says:

Re: Re:

If a company is known to have poor security practices, people will stop giving them information (or using their services).

Most markets don’t have a critical mass of customers that understand security. Even those that do aren’t likely to have knowledge of the service’s practices. As such, the knowledge necessary to make a market-based solution work only comes after a major breech. We need a system that can enforce security before the damage occurs.

Pragmatic says:

Re: Re: Re:

Oh, not this again. The Magical Omnipotent Market will Sort It Out.

No, it won’t, because most people don’t understand who’s good at security or not until something goes wrong. Then what? They go to another company, which may or may not be any good at security. Even careful checking may only reveal that no complaint has been made, i.e. they haven’t been caught yet. So that one goes down…

For the love of God, please get this into your head: the point of Capitalism is to make money, not to render service.

Service is a means to an end: profit. The naive belief that service comes as a result of profit is responsible for the failures that keep cropping up until somebody (gasp!) passes a law to get it sorted out once and for all.

As innumerable people have pointed out, bad actors don’t obey the law. That, however, is not the point of the law; it’s to provide for a way for the bad actors to be held to account and punished for breaking it.

ike says:


What makes things tricky is that pretty large gray area in between the two extremes.

Over time, insurance companies will take on that risk, and they’ll form standards to which companies must abide to lower their premiums to mitigate that risk. In turn, the IT security industry will step up to help companies meet those standards. In the long run, this could be a good thing.

aldestrawk says:

Whenever there is a credit card or debit card payment involved, a retailer or any other sort of business has a contract with the credit card companies and the banks that issue such cards. That contract obligates the retail business to comply with the PCI-DSS (Payment Card Industry Digital Security Standard). When there is a security breach there will be an investigation which will determine whether the retailer was in full compliance with PCI-DSS. If not, they will be liable, rather than the banks, for losses due to resulting fraud. Also, additional fines can be levied against the retailer. Given this, it is a bit odd that the FTC is trying apply civil penalties via a lawsuit outside of this existing mechanism.
There is a lot of argument about whether compliance with PCI-DSS is enough to prevent most attacks. Compliance is expensive, time consuming, and the bureaucratic line item approach misses out on some intuitively obvious ways to better ensure security. Yet, it is at least a fairly comprehensive standard which the FTC is lacking.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...