Got Hacked...The FTC Can Now Sue You
For organizations that get hacked, like Anthem, Target and most recently Ashley Madison, the problems are only starting. Apart from towering legal fees and a damaged reputation, an appeals court has now confirmed that the FTC can hit you with fines as well. This is excellent ammo to get more IT security budget.
Yesterday, the U.S. Court of Appeals for the Third Circuit ruled that the Federal Trade Commission (FTC) has the power to take action against organizations that employ poor IT security practices. The ruling came in the lawsuit between the FTC and hotel chain Wyndham. The decision affirms the FTC's role as a digital watchdog with real-life teeth.
This Is A Big Deal
In 2008 and 2009, Wyndham was hacked three times, losing credit card data for more than 619,000 customers and causing $10.6 million in fraud losses. The FTC originally sued the company in 2012 over the lack of security that led to the breaches. The hotel chain appealed to a higher court to have the case dismissed, arguing that the FTC did not have the authority to punish it for the breach. Wrong move. Yesterday's decision states that Wyndham's conduct is exactly the sort of "unfair or deceptive business practice" the FTC is empowered to stop. This means Wyndham now has to go back and confront the FTC's lawsuit in the lower court.
The circuit court also stated that the FTC does not have to detail any specific best practices that Wyndham failed to apply. The FTC did, however, and it's not a pretty picture. Here are some of the highlights: Wyndham allowed its partner hotels to store credit card information in plain text, allowed easily guessable passwords in its property management software, failed to use firewalls to limit access to the corporate network, and failed to restrict third-party vendors' access to its network.
I don't really see why the Gov. has to dogpile on top.
... a significant hack at any large business and they are going to take a massive monetary hit.
This smacks of Gov. 'Me Too'-ism.
This will not fix stupid users .... only drive up business costs, from everyone running about applying 'best practices' that are good on paper and poor in execution.
Conversation in 2004 with my boss:
ME: Why do you keep using Symantec Antivirus? It is resource-sucking bloatware ....
Company Owner: It's an 'industry standard'.
ME: It sux monkey balls. This is better for malware and adware.
CO: If something happens and we get sued, as long as we followed 'best practices' and used industry standard software ...
ME: .... well, as long as we are covered in the event of a lawsuit; meanwhile our computers run slower and are not as secure ....