Court Says FTC Can Go After Companies Who Get Hacked For Their Weak Security Practices

from the a-bit-of-a-slippery-slope dept

Almost exactly a decade ago (man, time flies…), we first discussed the question of whether or not it should be against the law to get hacked. The FTC had gone after Tower Records (remember them?) for its weak data security practices. That resulted in a series of questions about where the liability should fall. Many people, quite reasonably, say that there should be incentives for companies to better manage data security and (especially) to protect their users. But, it’s also true that sooner or later, if you’re a target, you’re going to get hacked. Ten years later and this is still an issue. The FTC went after Wyndham hotels for its egregiously bad data security (which made it easy for hackers to get hotel guests’ information, including credit cards), but Wyndham fought back, saying the FTC had no authority over such matters, especially without having first issued specific rules.

However, a court has shot down that argument and will allow the FTC’s case against Wyndham to move forward.

Again, Wyndham’s security here was egregiously bad. It didn’t encrypt payment data, and it also used default logins and passwords for its systems. So there’s an argument here that some kind of line can be drawn between purely negligent behavior, such as Wyndham’s (lack of) data security, and companies that actually do follow some rather basic security practices and yet still fall prey to hacks. What makes things tricky is the pretty large gray area in between the two extremes.



Comments on “Court Says FTC Can Go After Companies Who Get Hacked For Their Weak Security Practices”

34 Comments
TKnarr (profile) says:

This ought to come under the heading of “negligence”. You don’t need specific rules to enforce the general rule that a business is liable for damage due to its negligence. Not that a business should be liable merely for being hacked, no, but in cases like Tower Records and Wyndham it’s not just that they were hacked but that their security measures were so inadequate they were the equivalent of using yellow “do not cross” tape instead of an actual railing to keep people from falling off the balcony of a high-rise building. The business going “But you didn’t tell us yellow tape was inadequate!” or “But you didn’t issue a rule saying you could ding us for just using yellow tape!” should be responded to with a Gibbs smack.

TKnarr (profile) says:

Re: Re: Re:

There are, believe it or not, standard best practices already out there. Storing hashes of your passwords instead of the cleartext passwords, for instance. Certainly there’s a lot of fuzziness about just where the line between being exploited and being negligent lies, but there’s also a lot of area where there’s no ambiguity at all. It’s much like other areas: there may be some ambiguity about whether glancing down to read the incoming call message on the screen of your cell phone is negligent or not, but that doesn’t somehow translate to it maybe possibly not being negligent to have both hands off the wheel and your head down digging through a bag on the passenger seat, completely oblivious to what’s going on as you barrel down the freeway at 95 mph.

I’m really annoyed at the patently false argument that if anything’s ambiguous then everything’s ambiguous. On maps the idea of a disputed border’s simple enough, and the fact that some part of the border’s disputed doesn’t stop other areas from clearly belonging to one country or another.
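The "hashes instead of cleartext" practice mentioned above, shown as an added example (this is not the commenter's code or anything from the Wyndham case). It contrasts a hypothetical cleartext store with a salted, iterated password store, and includes a `breach_exposes` check that asks the question a breach actually asks: if the user table leaks, is the password itself in the dump? Class and function names, the in-memory "table", and the iteration count are all assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor. Assumed value for the example; tune for
# your own hardware so that one verification costs a noticeable fraction of
# a second.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh 16-byte random salt is drawn when none is given,
    so two users with the same password get unrelated stored records."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


class CleartextStore:
    """The negligent design: the user table holds the password as typed (hypothetical)."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = password

    def verify(self, username: str, password: str) -> bool:
        return self._users.get(username) == password

    def dump(self) -> Dict[str, object]:
        # What an attacker would get from a copied database.
        return dict(self._users)


class HashedStore:
    """The baseline practice: only a salt and a slow, salted hash are kept (hypothetical)."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Spend the same work for unknown users so the response time does
            # not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored = record
        _, candidate = hash_password(password, salt)
        # Constant-time comparison avoids leaking how many leading bytes matched.
        return hmac.compare_digest(stored, candidate)

    def dump(self) -> Dict[str, object]:
        return dict(self._users)


def breach_exposes(store, password: str) -> bool:
    """True if a copy of the store's records contains the password in the clear."""
    return password in repr(store.dump())


if __name__ == "__main__":
    # Constructed sample users; no real credentials.
    weak, strong = CleartextStore(), HashedStore()
    for store in (weak, strong):
        store.register("alice", "correct horse battery staple")
        store.register("carol", "correct horse battery staple")
    print("cleartext store leaks password on breach:", breach_exposes(weak, "correct horse battery staple"))
    print("hashed store leaks password on breach:   ", breach_exposes(strong, "correct horse battery staple"))
    print("hashed login works:", strong.verify("alice", "correct horse battery staple"))
    print("hashed login rejects wrong password:", not strong.verify("alice", "wrong"))
```

Both stores answer login requests identically from the user's point of view; the difference only shows up when the table is copied. Note that `alice` and `carol` share a password, yet the hashed store holds two unrelated records, so a leaked table does not even reveal that fact.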

Anonymous Coward says:

Re: Re:

Actually I think Adobe is ahead rather than behind. Microsoft for a long time was the most vulnerable to hacker attack. With the release of Vista they started making some changes that helped. It became much easier to get into Windows through third party apps, which is where Adobe comes in.

Voted at least two years in a row the most hackable software says a lot about security issues. I have little faith in any product with Adobe’s name on it, short of knowing it is very much akin to a dataminer, wanting to call home so often to “check on updates” that don’t come anywhere near that often.

I don’t have much use for Adobe products. I’ll either hunt a satisfactory substitute or do without. Forget flash as another dataminer that has no place on my computer.

Anonymous Coward says:

Re: Re: Wrong plaintiff

I wasn’t talking about the bank’s network. I was talking about the hotel, retailer, etc. In that case, the bank has probably taken the hit for the fraud on behalf of its customers, and hence has standing to sue. The customers could also sue as part of a class action for violating their privacy.

Anonymous Coward says:

Authority

The FTC has no statutory authority to regulate adherence to computer security standards. They claim they don’t have to “formally issue regulations” (which is rather worrisome in and of itself), but surely there would first need to be some kind of statutory basis upon which the FTC may regulate matters of computer security, wouldn’t there? The FTC can’t just say “this falls under my jurisdiction” and have it be so. If anything, it seems to me the FTC has even less authority to regulate computer networks than the FCC has to regulate net neutrality, and we all know how that has ended.

The last thing we need is for government to impose a particular set of so-called “best practices”, be it through the adoption of statutory language to that effect, or through court opinions of whatever constitutes current “best practices” (which are often nonsensical and/or expensive to implement).

Anonymous Coward says:

responsibility

The companies, for some strange reason, want to hang on to customer financial information way longer than is required for a business reason. Why do they really need credit card numbers months or years after the bill was paid? They are tying a “please rob us, thieves” sign on themselves. If they don’t destroy their copy of a credit card number after a transaction, they should and must suffer the consequence of the leaking of customer financial info to crooks.

Anonymous Coward says:

You should be able to sue companies for not guaranteeing the security of the data that THEY decide to keep.

Protip: if you can’t secure our data, then don’t hold it.

So many companies these days are trying to gather as much data as possible about us with minimal work to secure that data. So if they get hacked or give away our data to 3rd parties or governments in a non-legal way, they should be sued for all of their worth.

Michael (profile) says:

In a competitive market, these data security problems are going to eventually be self-solving.

If a company is known to have poor security practices, people will stop giving them information (or using their services). You would eventually start seeing companies advertising that they don’t keep your credit card information and take your data security seriously and if people flocked to those companies, you would find others following suit.

Anonymous Coward says:

Re: Re:

If a company is known to have poor security practices, people will stop giving them information (or using their services).

Most markets don’t have a critical mass of customers that understand security. Even those that do aren’t likely to have knowledge of the service’s practices. As such, the knowledge necessary to make a market-based solution work only comes after a major breach. We need a system that can enforce security before the damage occurs.

Pragmatic says:

Re: Re: Re:

Oh, not this again. The Magical Omnipotent Market will Sort It Out.

No, it won’t, because most people don’t understand who’s good at security or not until something goes wrong. Then what? They go to another company, which may or may not be any good at security. Even careful checking may only reveal that no complaint has been made, i.e. they haven’t been caught yet. So that one goes down…

For the love of God, please get this into your head: the point of Capitalism is to make money, not to render service.

Service is a means to an end: profit. The naive belief that service comes as a result of profit is responsible for the failures that keep cropping up until somebody (gasp!) passes a law to get it sorted out once and for all.

As innumerable people have pointed out, bad actors don’t obey the law. That, however, is not the point of the law; it’s to provide for a way for the bad actors to be held to account and punished for breaking it.

ike says:

Insurance

What makes things tricky is that pretty large gray area in between the two extremes.

Over time, insurance companies will take on that risk, and they’ll form standards to which companies must abide to lower their premiums to mitigate that risk. In turn, the IT security industry will step up to help companies meet those standards. In the long run, this could be a good thing.

aldestrawk says:

Whenever there is a credit card or debit card payment involved, a retailer or any other sort of business has a contract with the credit card companies and the banks that issue such cards. That contract obligates the retail business to comply with the PCI-DSS (Payment Card Industry Digital Security Standard). When there is a security breach there will be an investigation which will determine whether the retailer was in full compliance with PCI-DSS. If not, they will be liable, rather than the banks, for losses due to resulting fraud. Also, additional fines can be levied against the retailer. Given this, it is a bit odd that the FTC is trying to apply civil penalties via a lawsuit outside of this existing mechanism.

There is a lot of argument about whether compliance with PCI-DSS is enough to prevent most attacks. Compliance is expensive, time-consuming, and the bureaucratic line-item approach misses out on some intuitively obvious ways to better ensure security. Yet it is at least a fairly comprehensive standard, which the FTC is lacking.
