FTC Can Sue for Bad Cyber Security

Tuesday, August 25, 2015 @ 05:08 PM gHale

Companies that fail to protect user data can now feel the wrath of the Federal Trade Commission (FTC).

A panel of judges for the Third U.S. Circuit Court of Appeals unanimously ruled the FTC has the legal right to sue companies that fail to protect their customers’ data with proper cyber security measures.

The ruling came after the FTC filed a legal complaint and followed with a lawsuit against Wyndham Hotels for failing to protect customer details.

The FTC, traditionally viewed as the government body responsible for consumer protection, has started to take action against companies that blatantly ignore cyber security measures.

The agency has filed complaints against multiple companies, regularly ending in various forms of settlements.

Wyndham Hotels is the first one that refused to acknowledge the FTC’s power over this issue and responded with a lawsuit, which came to a close through the Appeals Court’s ruling.

This decision is a legal confirmation of the FTC’s power over cyber security issues, and not “government overreach” as Wyndham claimed.

Wyndham holdings suffered hacks three times in two years and the company failed to put security measures in place after each incident.

The first incident took place in April 2008, when hackers gained access to the internal network of Wyndham Hotels through one of its Phoenix, Arizona branches.

This resulted in “the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia.”

That was followed by a second security incident in March 2009, which consisted of a similar kind of attack and allowed hackers to access details “for more than 50,000 consumer payment card accounts and use that information to make fraudulent charges using consumers’ accounts.”

The third data breach took place later in 2009, using the same method of deploying memory-scraping malware used in the first two attacks. This one allowed attackers to gain access to 69,000 consumer payment card accounts, and yet again make fraudulent purchases with these details, stored in clear text, as in the previous two cases.
