Court Says FTC Can Go After Companies Who Get Hacked For Their Weak Security Practices
from the a-bit-of-a-slippery-slope dept
Almost exactly a decade ago (man, time flies...), we first discussed the question of whether or not it should be against the law to get hacked. The FTC had gone after Tower Records (remember them?) for its weak data security practices. That resulted in a series of questions about where the liability should fall. Many people, quite reasonably, say that there should be incentives for companies to better manage data security and (especially) to protect their users. But, it's also true that sooner or later, if you're a target, you're going to get hacked. Ten years later and this is still an issue. The FTC went after Wyndham hotels for its egregiously bad data security (which made it easy for hackers to get hotel guests' information, including credit cards), but Wyndham fought back, saying the FTC had no authority over such matters, especially without having first issued specific rules.However, a court has shot down that argument and will allow the FTC's case against Wyndham to move forward.
Again, Wyndham's security here was egregiously bad. It didn't encrypt payment data, and also used default logins and passwords for its systems. So there's an argument here that some kind of line can be drawn between purely negligent behavior, such as Wyndham's (lack of) data security, and companies who actually do follow some rather basic security practices, and yet still fall prey to hacks. What makes things tricky is that pretty large gray area in between the two extremes.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: breach, ftc, liability, privacy, security
Companies: wyndham
Reader Comments
Subscribe: RSS
View by: Time | Thread
link bad
There's no download link on the embedded document.
Thanks!
E
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Liability may just result in more of that. Which is worse?
[ link to this | view in thread ]
[ link to this | view in thread ]
Wrong plaintiff
[ link to this | view in thread ]
Re:
Voted at least two years in a row the most hackable software says a lot about security issues. I have little faith in any product with Adobe's name on it, short of knowing it is very much akin to a dataminer, wanting to call home so often to "check on updates" that don't come anywhere near that often.
I don't have much use for Adobe products. I'll either hunt a satisfactory substitute or do without. Forget flash as another dataminer that has no place on my computer.
[ link to this | view in thread ]
Authority
The last thing we need is for government to impose a particular set of so-called "best practices", be it through the adoption of statutory language to that effect, or through court opinions of whatever constitutes current "best practices" (which are often nonsensical and/or expensive to implement).
[ link to this | view in thread ]
responsibility
[ link to this | view in thread ]
Re: Wrong plaintiff
[ link to this | view in thread ]
broken tag
[ link to this | view in thread ]
Re: link bad
If you click the expand link on the document (bottom left corner), a download link is provided.
[ link to this | view in thread ]
Counter suit
[ link to this | view in thread ]
Re: Counter suit
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Wrong plaintiff
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
WTO?
[ link to this | view in thread ]
Protip: if you can't secure our data, then don't hold it.
So many companies these days are trying to gather as much data as possible about us with minimal work to secure that data. So if they get hacked or give away our data to 3rd parties or governments in a non-legal way, they should be sued for all of their worth.
[ link to this | view in thread ]
If a company is known to have poor security practices, people will stop giving them information (or using their services). You would eventually start seeing companies advertising that they don't keep your credit card information and take your data security seriously and if people flocked to those companies, you would find others following suit.
[ link to this | view in thread ]
Re:
Most markets don't have a critical mass of customers that understand security. Even those that do aren't likely to have knowledge of the service's practices. As such, the knowledge necessary to make a market-based solution work only comes after a major breech. We need a system that can enforce security before the damage occurs.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
Real security is expensive, and making your systems secure is not something that increases revenue. The majority of companies resist this expense strenuously.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
That would be nice, but I don't believe it's actually true. Most people don't understand security or who is or isn't good at it except in retrospect. Market pressures don't really have much effect in this regard.
[ link to this | view in thread ]
Insurance
Over time, insurance companies will take on that risk, and they'll form standards to which companies must abide to lower their premiums to mitigate that risk. In turn, the IT security industry will step up to help companies meet those standards. In the long run, this could be a good thing.
[ link to this | view in thread ]
Re: Counter suit
[ link to this | view in thread ]
Re: Re:
I'm really annoyed at the patently false argument that if anything's ambiguous then everything's ambiguous. On maps the idea of a disputed border's simple enough, and the fact that some part of the border's disputed doesn't stop other areas from clearly belonging to one country or another.
[ link to this | view in thread ]
There is a lot of argument about whether compliance with PCI-DSS is enough to prevent most attacks. Compliance is expensive, time consuming, and the bureaucratic line item approach misses out on some intuitively obvious ways to better ensure security. Yet, it is at least a fairly comprehensive standard which the FTC is lacking.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re:
No, it won't, because most people don't understand who's good at security or not until something goes wrong. Then what? They go to another company, which may or may not be any good at security. Even careful checking may only reveal that no complaint has been made, i.e. they haven't been caught yet. So that one goes down...
For the love of God, please get this into your head: the point of Capitalism is to make money, not to render service.
Service is a means to an end: profit. The naive belief that service comes as a result of profit is responsible for the failures that keep cropping up until somebody (gasp!) passes a law to get it sorted out once and for all.
As innumerable people have pointed out, bad actors don't obey the law. That, however, is not the point of the law; it's to provide for a way for the bad actors to be held to account and punished for breaking it.
[ link to this | view in thread ]