Court Says FTC Can Go After Companies Who Get Hacked For Their Weak Security Practices

from the a-bit-of-a-slippery-slope dept

Almost exactly a decade ago (man, time flies...), we first discussed the question of whether it should be against the law to get hacked. The FTC had gone after Tower Records (remember them?) for its weak data security practices. That resulted in a series of questions about where the liability should fall. Many people, quite reasonably, say that there should be incentives for companies to better manage data security and (especially) to protect their users. But it's also true that sooner or later, if you're a target, you're going to get hacked. Ten years later, this is still an issue. The FTC went after Wyndham hotels for its egregiously bad data security (which made it easy for hackers to get hotel guests' information, including credit cards), but Wyndham fought back, saying the FTC had no authority over such matters, especially without having first issued specific rules.

However, a court has shot down that argument and will allow the FTC's case against Wyndham to move forward.

Again, Wyndham's security here was egregiously bad. It didn't encrypt payment data, and it used default logins and passwords for its systems. So there's an argument here that some kind of line can be drawn between purely negligent behavior, such as Wyndham's (lack of) data security, and companies that actually do follow some rather basic security practices and yet still fall prey to hacks. What makes things tricky is the pretty large gray area between those two extremes.

Reader Comments

  • Ehud Gavron (profile), Apr 9th, 2014 @ 6:32pm

    link bad

    The external link to the court's decision yields a 404.
    There's no download link on the embedded document.

    Thanks!

    E


    • Mike Masnick (profile), Apr 10th, 2014 @ 12:07am

      Re: link bad

      There's no download link on the embedded document.

      If you click the expand link on the document (bottom left corner), a download link is provided.


  • TKnarr (profile), Apr 9th, 2014 @ 8:34pm

    This ought to come under the heading of "negligence". You don't need specific rules to enforce the general rule that a business is liable for damage due to its negligence. Not that a business should be liable merely for being hacked, no, but in cases like Tower Records and Wyndham it's not just that they were hacked but that their security measures were so inadequate they were the equivalent of using yellow "do not cross" tape instead of an actual railing to keep people from falling off the balcony of a high-rise building. The business going "But you didn't tell us yellow tape was inadequate!" or "But you didn't issue a rule saying you could ding us for just using yellow tape!" should be responded to with a Gibbs smack.


    • James Burkhardt (profile), Apr 9th, 2014 @ 9:25pm

      Re:

      But when does negligence end and "that unknown zero day hit me" begin? Negligence generally runs off some standard. If the FTC does not set a standard, it falls to "You're negligent 'cause the FTC says so". A rule requiring a minimum of existing standards for data security would make negligence obvious.


      • Berenerd (profile), Apr 10th, 2014 @ 5:04am

        Re: Re:

        Basic computer security 101 states: encrypt sensitive data and don't share passwords. Neither company did either of these. It's like locking the door, then taking the wall around it away.


      • TKnarr (profile), Apr 10th, 2014 @ 11:15am

        Re: Re:

        There are, believe it or not, standard best practices already out there. Storing hashes of your passwords instead of the cleartext passwords, for instance. Certainly there's a lot of fuzziness about just where the line between being exploited and being negligent lies, but there's also a lot of area where there's no ambiguity at all. It's much like other areas: there may be some ambiguity about whether glancing down to read the incoming call message on the screen of your cell phone is negligent or not, but that doesn't somehow translate to it maybe possibly not being negligent to have both hands off the wheel and your head down digging through a bag on the passenger seat, completely oblivious to what's going on as you barrel down the freeway at 95mph.

        I'm really annoyed at the patently false argument that if anything's ambiguous then everything's ambiguous. On maps the idea of a disputed border's simple enough, and the fact that some part of the border's disputed doesn't stop other areas from clearly belonging to one country or another.


        • Anonymous Coward, Apr 13th, 2014 @ 8:42pm

          Re: Re: Re:

          The best practices come from all over, though. There really isn't any single set of standard practices, in the same way there is for engineering and health care.


  • Anonymous Coward, Apr 9th, 2014 @ 9:39pm

    Mandatory password changes and awful password creation advice combined with the widespread availability of sticky notes is dangerous.

    Liability may just result in more of that. Which is worse?


  • Bill Fence, Apr 9th, 2014 @ 9:40pm

    Microsoft, the root of most hacker activity, may have to file for bankruptcy. These guys just can't get security right on any level. Adobe is not far behind.


    • Anonymous Coward, Apr 9th, 2014 @ 11:07pm

      Re:

      Actually I think Adobe is ahead rather than behind. Microsoft for a long time was the most vulnerable to hacker attack. With the release of Vista they started making some changes that helped. It became much easier to get into Windows through third party apps, which is where Adobe comes in.

      Voted at least two years in a row the most hackable software says a lot about security issues. I have little faith in any product with Adobe's name on it, short of knowing it is very much akin to a dataminer, wanting to call home so often to "check on updates" that don't come anywhere near that often.

      I don't have much use for Adobe products. I'll either hunt a satisfactory substitute or do without. Forget flash as another dataminer that has no place on my computer.


  • Anonymous Coward, Apr 9th, 2014 @ 9:42pm

    Wrong plaintiff

    Yes, organizations should be held accountable for their negligence. But it should be the victims -- banks usually -- suing.


    • Anonymous Coward, Apr 9th, 2014 @ 11:51pm

      Re: Wrong plaintiff

      Why? If their network isn't secure due to negligence, then both the bank and the webhost should be held liable. Because caring insufficiently about your customers' personal information to prevent basic attacks from occurring is negligence, in my opinion.


      • Anonymous Coward, Apr 10th, 2014 @ 4:13am

        Re: Re: Wrong plaintiff

        I wasn't talking about the bank's network. I was talking about the hotel, retailer, etc. In that case, the bank has probably taken the hit for the fraud on behalf of its customers, and hence has standing to sue. The customers could also sue as part of a class action for violating their privacy.


  • Anonymous Coward, Apr 9th, 2014 @ 11:12pm

    Authority

    The FTC has no statutory authority to regulate adherence to computer security standards. They claim they don't have to "formally issue regulations" (which is rather worrisome in and of itself), but surely there would first need to be some kind of statutory basis upon which the FTC may regulate matters of computer security, wouldn't there? The FTC can't just say "this falls under my jurisdiction" and have it be so. If anything, it seems to me the FTC has even less authority to regulate computer networks than the FCC has to regulate net neutrality, and we all know how that has ended.

    The last thing we need is for government to impose a particular set of so-called "best practices", be it through the adoption of statutory language to that effect, or through court opinions of whatever constitutes current "best practices" (which are often nonsensical and/or expensive to implement).


  • Anonymous Coward, Apr 9th, 2014 @ 11:26pm

    responsibility

    The companies, for some strange reason, want to hang on to customer financial information way longer than is required for a business reason. Why do they really need credit card numbers months or years after the bill was paid? They are tying a "please rob us, thieves" sign on themselves. If they don't destroy their copy of a credit card number after a transaction, they should and must suffer the consequence of the leaking of customer financial info to crooks.


  • Mike Masnick (profile), Apr 10th, 2014 @ 12:05am

    broken tag

    Not sure if anyone will notice, but the final paragraph of this post was missing for a while thanks to a broken bit of HTML that didn't exactly fail gracefully... it's now been fixed...


  • eaving (profile), Apr 10th, 2014 @ 2:53am

    Counter suit

    Can said companies then sue the U.S. government for inserting exploitable security holes into crypto code?


    • Anonymous Coward, Apr 10th, 2014 @ 2:58am

      Re: Counter suit

      I'm not sure they can, but I'd like to think that they should. Not out of financial reasons, but for 'public interest' reasons.


    • mcinsand, Apr 10th, 2014 @ 5:06am

      WTO?

      Would this rise to the level of a WTO suit? The Internet is global, and inserting vulnerabilities into software, particularly for international surveillance, is a global trade concern.


    • Anonymous Coward, Apr 10th, 2014 @ 10:19am

      Re: Counter suit

      Even better would be the defense NSA made me, and I have the letter.


  • Anonymous Coward, Apr 10th, 2014 @ 3:59am

    Yes, spend your money on reactive lawsuits instead of preemptive security. What a genius move.


    • PRMan, Apr 10th, 2014 @ 9:08am

      Re:

      And yet, I have worked at numerous companies where not only were the passwords stored in plain text (and there were ridiculously bad passwords in the database), but they resisted all my attempts to change things because it didn't "drive business".


      • John Fenderson (profile), Apr 10th, 2014 @ 9:27am

        Re: Re:

        This.

        Real security is expensive, and making your systems secure is not something that increases revenue. The majority of companies resist this expense strenuously.


  • Anonymous Coward, Apr 10th, 2014 @ 4:14am

    Sooner or later, if you're Target you're going to get hacked.


  • Anonymous Coward, Apr 10th, 2014 @ 4:46am

    There should be a minimum standard for security that progresses with hackers' abilities. If you aren't doing due diligence to meet these standards, then it can be deemed negligence.


  • Anonymous Coward, Apr 10th, 2014 @ 7:12am

    You should be able to sue companies for not guaranteeing the security of the data they decide to keep.

    Protip: if you can't secure our data, then don't hold it.

    So many companies these days are trying to gather as much data as possible about us with minimal work to secure that data. So if they get hacked or give away our data to 3rd parties or governments in a non-legal way, they should be sued for all of their worth.


  • Michael, Apr 10th, 2014 @ 7:34am

    In a competitive market, these data security problems are going to eventually be self-solving.

    If a company is known to have poor security practices, people will stop giving them information (or using their services). You would eventually start seeing companies advertising that they don't keep your credit card information and take your data security seriously and if people flocked to those companies, you would find others following suit.


    • Anonymous Coward, Apr 10th, 2014 @ 8:45am

      Re:

      If a company is known to have poor security practices, people will stop giving them information (or using their services).

      Most markets don't have a critical mass of customers that understand security. Even those that do aren't likely to have knowledge of the service's practices. As such, the knowledge necessary to make a market-based solution work only comes after a major breach. We need a system that can enforce security before the damage occurs.


    • John Fenderson (profile), Apr 10th, 2014 @ 9:30am

      Re:

      "In a competitive market, these data security problems are going to eventually be self-solving."

      That would be nice, but I don't believe it's actually true. Most people don't understand security or who is or isn't good at it except in retrospect. Market pressures don't really have much effect in this regard.


    • Jake, Apr 10th, 2014 @ 2:52pm

      Re:

      And how much identity theft and embezzlement do you regard as acceptable collateral damage while we wait for the invisible hand to sort it all out?


      • Pragmatic, Apr 14th, 2014 @ 4:29am

        Re: Re:

        Oh, not this again. The Magical Omnipotent Market will Sort It Out.

        No, it won't, because most people don't understand who's good at security or not until something goes wrong. Then what? They go to another company, which may or may not be any good at security. Even careful checking may only reveal that no complaint has been made, i.e. they haven't been caught yet. So that one goes down...

        For the love of God, please get this into your head: the point of Capitalism is to make money, not to render service.

        Service is a means to an end: profit. The naive belief that service comes as a result of profit is responsible for the failures that keep cropping up until somebody (gasp!) passes a law to get it sorted out once and for all.

        As innumerable people have pointed out, bad actors don't obey the law. That, however, is not the point of the law; it's to provide for a way for the bad actors to be held to account and punished for breaking it.


  • ike, Apr 10th, 2014 @ 9:40am

    Insurance

    What makes things tricky is that pretty large gray area in between the two extremes.

    Over time, insurance companies will take on that risk, and they'll form standards to which companies must abide to lower their premiums to mitigate that risk. In turn, the IT security industry will step up to help companies meet those standards. In the long run, this could be a good thing.


  • aldestrawk (profile), Apr 10th, 2014 @ 1:22pm

    Whenever there is a credit card or debit card payment involved, a retailer or any other sort of business has a contract with the credit card companies and the banks that issue such cards. That contract obligates the retail business to comply with the PCI-DSS (Payment Card Industry Digital Security Standard). When there is a security breach, there will be an investigation which will determine whether the retailer was in full compliance with PCI-DSS. If not, they will be liable, rather than the banks, for losses due to resulting fraud. Also, additional fines can be levied against the retailer. Given this, it is a bit odd that the FTC is trying to apply civil penalties via a lawsuit outside of this existing mechanism.

    There is a lot of argument about whether compliance with PCI-DSS is enough to prevent most attacks. Compliance is expensive and time consuming, and the bureaucratic line-item approach misses out on some intuitively obvious ways to better ensure security. Yet it is at least a fairly comprehensive standard, which the FTC is lacking.

