Court Ruling: FTC Can Sue Companies for Cyber Security Failures


The Third U.S. Circuit Court of Appeals in Philadelphia this week ruled that the U.S. Federal Trade Commission (FTC) has the authority to sue companies for failing to maintain adequate cyber security.

The decision came in response to the FTC's lawsuit against Wyndham Worldwide Corporation for cyber security failures that led to a series of data breaches in 2008 and 2009. Those failures included storing payment card information in clear text, using easily guessed passwords to protect property management systems, failing to use basic security measures like firewalls, and more.

According to the FTC, hackers were able to steal payment card information from more than 619,000 Wyndham customers, resulting in total fraud losses of at least $10.6 million.

The court's decision is based on the fact that the FTC has the right to police "unfair or deceptive acts or practices in or affecting commerce," which the court found applies to failures of cyber security.

"It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information," FTC chairwoman Edith Ramirez told Reuters.

HyTrust president and co-founder Eric Chiu told eSecurity Planet by email that as breaches become both larger and more frequent, it's becoming clear that companies aren't doing enough to protect their customers' data. "This is forcing government intervention and the recent ruling for the FTC is a first step," he said. "Security needs to be a top priority for every organization and the affirmation of the FTC ruling allowing enforcement action -- for companies who fail to take steps -- should help drive better cyber security practices."

"Safeguards such as controls to secure access to sensitive data as well as data encryption that can render stolen data useless need to be mandatory for companies that store customer data," Chiu added. "Consumers have been paying the price for security breaches for too long -- hopefully, the FTC can help put greater pressure on companies to do the right thing."

Adam Kujawa, head of intelligence at Malwarebytes Labs, said consumer data is generally more valuable and potentially damaging than anything else a company might possess. "If you think about it, if someone were to store money in a bank, and that bank got robbed, the criminals might make off with the consumer’s money, but they can’t use it to get any more money from the consumers," he said. "Alternatively, if criminals make off with stolen user data such as Social Security numbers, phone numbers, email addresses or passwords, it’s likely that the information will be used to directly attack consumers in the future."

In that sense, Kujawa said, businesses aren't just dealing with money or contracts, but with consumers' entire online identities -- which have to be protected. "However, since there are no set federal rules for protecting user data, fining a company for not following rules that don’t exist doesn’t make any sense," he said. "It’s up to the government now to work with security experts and companies and identify a good solid baseline for the security of customer data. Only then will all companies step up their protections and secure the valuable data."

Recent eSecurity Planet articles have examined data security best practices and offered advice on improving database security.