USTR Warns That EU-Only Cloud To Avoid NSA Surveillance May Violate Trade Agreements

Court Says FTC Can Go After Companies Who Get Hacked For Their Weak Security Practices

from the a-bit-of-a-slippery-slope dept

Wed, Apr 9th 2014 8:06pm — Mike Masnick

Almost exactly a decade ago (man, time flies...), we first discussed the question of whether or not it should be against the law to get hacked. The FTC had gone after Tower Records (remember them?) for its weak data security practices. That resulted in a series of questions about where the liability should fall. Many people, quite reasonably, say that there should be incentives for companies to better manage data security and (especially) to protect their users. But, it's also true that sooner or later, if you're a target, you're going to get hacked. Ten years later and this is still an issue. The FTC went after Wyndham hotels for its egregiously bad data security (which made it easy for hackers to get hotel guests' information, including credit cards), but Wyndham fought back, saying the FTC had no authority over such matters, especially without having first issued specific rules.

However, a court has shot down that argument and will allow the FTC's case against Wyndham to move forward.

Again, Wyndham's security here was egregiously bad. It didn't encrypt payment data, and also used default logins and passwords for its systems. So there's an argument here that some kind of line can be drawn between purely negligent behavior, such as Wyndham's (lack of) data security, and companies who actually do follow some rather basic security practices, and yet still fall prey to hacks. What makes things tricky is that pretty large gray area in between the two extremes.

Ftc v Wyndham Opinion (PDF)Ftc v Wyndham Opinion (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach, ftc, liability, privacy, security
Companies: wyndham

34 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ehud Gavron (profile), 9 Apr 2014 @ 6:32pm

link bad
The external link to the court's decision yields a 404.
There's no download link on the embedded document.

Thanks!

E
[ link to this | view in chronology ]
- Mike Masnick (profile), 10 Apr 2014 @ 12:07am
  
  Re: link bad
  There's no download link on the embedded document.
  
  If you click the expand link on the document (bottom left corner), a download link is provided.
  [ link to this | view in chronology ]
TKnarr (profile), 9 Apr 2014 @ 8:34pm

This ought to come under the heading of "negligence". You don't need specific rules to enforce the general rule that a business is liable for damage due to it's negligence. Not that a business should be liable merely for being hacked, no, but in cases like Tower Records and Wyndham it's not just that they were hacked but that their security measures were so inadequate they were the equivalent of using yellow "do not cross" tape instead of an actual railing to keep people from falling off the balcony of a high-rise building. The business going "But you didn't tell us yellow tape was inadequate!" or "But you didn't issue a rule saying you could ding us for just using yellow tape!" should be responded to with a Gibbs smack.
[ link to this | view in chronology ]
- James Burkhardt (profile), 9 Apr 2014 @ 9:25pm
  
  Re:
  But when does negligence end and that unknown zero day hit me begin? Negligence generally runs off some standard. For the FTC to not set a standard it falls to "Your Neglgent cause the FTC says so". A rule requiring a minimum of existing standards for data security would make negligence obvious.
  [ link to this | view in chronology ]
  - Berenerd (profile), 10 Apr 2014 @ 5:04am
    
    Re: Re:
    Basic computer security 101 states, encrypt sensitive data and don't share passwords. Neither company did either of these. Its like locking the door then taking the wall around it away.
    [ link to this | view in chronology ]
  - TKnarr (profile), 10 Apr 2014 @ 11:15am
    
    Re: Re:
    There are, believe it or not, standard best practices already out there. Storing hashes of your passwords instead of the cleartext passwords, for instance. Certainly there's a lot of fuzziness about just where the line between being exploited and being negligent lies, but there's also a lot of area where there's no ambiguity at all. It's much like other areas: there may be some ambiguity about whether glancing down to read the incoming call message on the screen of your cel phone is negligent or not, but that doesn't somehow translate to it maybe possibly not being negligent to have both hands off the wheel and your head down digging through a bag on the passenger seat completely oblivious to what's going on as you barrel down the freeway at 95mph.
    
    I'm really annoyed at the patently false argument that if anything's ambiguous then everything's ambiguous. On maps the idea of a disputed border's simple enough, and the fact that some part of the border's disputed doesn't stop other areas from clearly belonging to one country or another.
    [ link to this | view in chronology ]
    - Anonymous Coward, 13 Apr 2014 @ 8:42pm
      
      Re: Re: Re:
      The best practices come from all over though. There really isn't any single set of standard practices, in the same sense way there is for engineering and health-care.
      [ link to this | view in chronology ]
Anonymous Coward, 9 Apr 2014 @ 9:39pm

Mandatory password changes and awful password creation advice combined with the widespread availability of sticky notes is dangerous.

Liability may just result in more of that. Which is worse?
[ link to this | view in chronology ]
Bill Fence, 9 Apr 2014 @ 9:40pm

Microsoft, the root of most hacker activity, may have to file for bankruptcy. These guys just can't get security right on any level. Adobe is not far behind.
[ link to this | view in chronology ]
- Anonymous Coward, 9 Apr 2014 @ 11:07pm
  
  Re:
  Actually I think Adobe is ahead rather than behind. Microsoft for a long time was the most vulnerable to hacker attack. With the release of Vista they started making some changes that helped. It became much easier to get into Windows through third party apps, which is where Adobe comes in.
  
  Voted at least two years in a row the most hackable software says a lot about security issues. I have little faith in any product with Adobe's name on it, short of knowing it is very much akin to a dataminer, wanting to call home so often to "check on updates" that don't come anywhere near that often.
  
  I don't have much use for Adobe products. I'll either hunt a satisfactory substitute or do without. Forget flash as another dataminer that has no place on my computer.
  [ link to this | view in chronology ]
Anonymous Coward, 9 Apr 2014 @ 9:42pm

Wrong plaintiff
Yes, organizations should be held accountable for their negligence. But it should be the victims -- banks usually -- suing.
[ link to this | view in chronology ]
- Anonymous Coward, 9 Apr 2014 @ 11:51pm
  
  Re: Wrong plaintiff
  Why? IF their network isn't secure due to negligence, then both the bank and the webhost should be held liable. Because caring insuffficiently about your customer';s personal information to prevent basic attacks from occurring is negligence, in ym opinion.
  [ link to this | view in chronology ]
  - Anonymous Coward, 10 Apr 2014 @ 4:13am
    
    Re: Re: Wrong plaintiff
    I wasn't talking about the bank's network. I was talking about the hotel, retailer, etc. In that case, the bank has probably taken the hit for the fraud on behalf of its customers, and hence has standing to sue. The customers could also sue as part of a class action for violating their privacy.
    [ link to this | view in chronology ]
Anonymous Coward, 9 Apr 2014 @ 11:12pm

Authority
The FTC has no statutory authority to regulate adherence to computer security standards. They claim they don't have to "formally issue regulations" (which is rather worrisome in and of itself), but surely there would first need to be some kind of statutory basis upon which the FTC may regulate matters of computer security, wouldn't there? The FTC can't just say "this falls under my jurisdiction" and have it be so. If anything, it seems to me the FTC has even less authority to regulate computer networks than the FCC has to regulate net neutrality, and we all know how that has ended.

The last thing we need is for government to impose a particular set of so-called "best practices", be it through the adoption of statutory language to that effect, or through court opinions of whatever constitutes current "best practices" (which are often nonsensical and/or expensive to implement).
[ link to this | view in chronology ]
Anonymous Coward, 9 Apr 2014 @ 11:26pm

responsibility
The companies for some strange reason want to hang on to customer financial information way longer than is required for a business reason, why do they really need credit card numbers months or years after the bill was paid, they are tying a please rob us theives' sign on themselves. If they don't destroy their copy of a credit card number after a transaction they should and must suffer the consequence of the leaking of customer financial Info to crooks.
[ link to this | view in chronology ]
Mike Masnick (profile), 10 Apr 2014 @ 12:05am

broken tag
Not sure if anyone will notice, but the final paragraph of this post was missing for a while thanks to a broken bit of HTML that didn't exactly fail gracefully... it's now been fixed...
[ link to this | view in chronology ]
eaving (profile), 10 Apr 2014 @ 2:53am

Counter suit
Can said companies then sue the U.S. government for inserting exploitable security holes into crypto code?
[ link to this | view in chronology ]
- Anonymous Coward, 10 Apr 2014 @ 2:58am
  
  Re: Counter suit
  I'm not sure they can, but I'd like to think that they should. Not out of financial reasons, but for 'public interest' reasons.
  [ link to this | view in chronology ]
- mcinsand, 10 Apr 2014 @ 5:06am
  
  WTO?
  Would this rise to the level of a WTO suit? The Internet is global, and inserting vulnerabilities into software, particuarly for international surveillance, is a global trade concern.
  [ link to this | view in chronology ]
- Anonymous Coward, 10 Apr 2014 @ 10:19am
  
  Re: Counter suit
  Even better would be the defense NSA made me, and I have the letter.
  [ link to this | view in chronology ]
Anonymous Coward, 10 Apr 2014 @ 3:59am

Yes, spend your money on reactive lawsuits instead of preemptive security. What a genius move.
[ link to this | view in chronology ]
- PRMan, 10 Apr 2014 @ 9:08am
  
  Re:
  And yet, I have worked at numerous companies where not only were the passwords stored in plain text (and there were ridiculously bad passwords in the database), but they resisted all my attempts to change things because it didn't "drive business".
  [ link to this | view in chronology ]
  - John Fenderson (profile), 10 Apr 2014 @ 9:27am
    
    Re: Re:
    This.
    
    Real security is expensive, and making your systems secure is not something that increases revenue. The majority of companies resist this expense strenuously.
    [ link to this | view in chronology ]
Anonymous Coward, 10 Apr 2014 @ 4:14am

Sooner or later, if you're Target you're going to get hacked.
[ link to this | view in chronology ]
- John Fenderson (profile), 10 Apr 2014 @ 9:28am
  
  Re:
  Sooner or later, you will be a target no matter who you are.
  [ link to this | view in chronology ]
Anonymous Coward, 10 Apr 2014 @ 4:46am

There should be a minimum standard for security that progresses with hackers abilities. If you aren't doing due diligence to meet these standards then it can be deemed negligence.
[ link to this | view in chronology ]
Anonymous Coward, 10 Apr 2014 @ 7:12am

You should be able to sue companies for not guaranteeing the security of the data they THEY decide to keep.

Protip: if you can't secure our data, then don't hold it.

So many companies these days are trying to gather as much data as possible about us with minimal work to secure that data. So if they get hacked or give away our data to 3rd parties or governments in a non-legal way, they should be sued for all of their worth.
[ link to this | view in chronology ]
Michael, 10 Apr 2014 @ 7:34am

In a competitive market, these data security problems are going to eventually be self-solving.

If a company is known to have poor security practices, people will stop giving them information (or using their services). You would eventually start seeing companies advertising that they don't keep your credit card information and take your data security seriously and if people flocked to those companies, you would find others following suit.
[ link to this | view in chronology ]
- Anonymous Coward, 10 Apr 2014 @ 8:45am
  
  Re:
  If a company is known to have poor security practices, people will stop giving them information (or using their services).
  
  Most markets don't have a critical mass of customers that understand security. Even those that do aren't likely to have knowledge of the service's practices. As such, the knowledge necessary to make a market-based solution work only comes after a major breech. We need a system that can enforce security before the damage occurs.
  [ link to this | view in chronology ]
- John Fenderson (profile), 10 Apr 2014 @ 9:30am
  
  Re:
  "In a competitive market, these data security problems are going to eventually be self-solving."
  
  That would be nice, but I don't believe it's actually true. Most people don't understand security or who is or isn't good at it except in retrospect. Market pressures don't really have much effect in this regard.
  [ link to this | view in chronology ]
- Jake, 10 Apr 2014 @ 2:52pm
  
  Re:
  And how much identity theft and embezzlement do you regard as acceptable collateral damage while we wait for the invisible hand to sort it all out?
  [ link to this | view in chronology ]
  - Pragmatic, 14 Apr 2014 @ 4:29am
    
    Re: Re:
    Oh, not this again. The Magical Omnipotent Market will Sort It Out.
    
    No, it won't, because most people don't understand who's good at security or not until something goes wrong. Then what? They go to another company, which may or may not be any good at security. Even careful checking may only reveal that no complaint has been made, i.e. they haven't been caught yet. So that one goes down...
    
    For the love of God, please get this into your head: the point of Capitalism is to make money, not to render service.
    
    Service is a means to an end: profit. The naive belief that service comes as a result of profit is responsible for the failures that keep cropping up until somebody (gasp!) passes a law to get it sorted out once and for all.
    
    As innumerable people have pointed out, bad actors don't obey the law. That, however, is not the point of the law; it's to provide for a way for the bad actors to be held to account and punished for breaking it.
    [ link to this | view in chronology ]
ike, 10 Apr 2014 @ 9:40am

Insurance

What makes things tricky is that pretty large gray area in between the two extremes.

Over time, insurance companies will take on that risk, and they'll form standards to which companies must abide to lower their premiums to mitigate that risk. In turn, the IT security industry will step up to help companies meet those standards. In the long run, this could be a good thing.
[ link to this | view in chronology ]
aldestrawk (profile), 10 Apr 2014 @ 1:22pm

Whenever there is a credit card or debit card payment involved, a retailer or any other sort of business has a contract with the credit card companies and the banks that issue such cards. That contract obligates the retail business to comply with the PCI-DSS (Payment Card Industry Digital Security Standard). When there is a security breach there will be an investigation which will determine whether the retailer was in full compliance with PCI-DSS. If not, they will be liable, rather than the banks, for losses due to resulting fraud. Also, additional fines can be levied against the retailer. Given this, it is a bit odd that the FTC is trying apply civil penalties via a lawsuit outside of this existing mechanism.
There is a lot of argument about whether compliance with PCI-DSS is enough to prevent most attacks. Compliance is expensive, time consuming, and the bureaucratic line item approach misses out on some intuitively obvious ways to better ensure security. Yet, it is at least a fairly comprehensive standard which the FTC is lacking.
[ link to this | view in chronology ]