BreachExchange mailing list archives

Court Upholds FTC's Power to Sue Hacked Companies


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 7 Apr 2014 18:41:31 -0600

http://www.nationaljournal.com/tech/court-upholds-ftc-s-power-to-sue-hacked-companies-20140407

The Federal Trade Commission has the power to sue companies that fail to
protect their customers' data, a federal court said Monday.

The ruling shoots down a challenge from Wyndham Hotels, which claimed that
the FTC overstepped its authority with a 2012 lawsuit against the global
hotel chain.

The decision by Esther Salas, a federal judge in New Jersey, is a major win
for the agency. If the court had sided with Wyndham, it would have stripped
the federal government of oversight of data security practices just as
hackers begin to pull off more and more high-profile attacks.

Salas said her decision "does not give the FTC a blank check to sustain a
lawsuit against every business that has been hacked," but that she must
follow the "binding and persuasive precedent" to uphold the agency's
authority.

The FTC is currently investigating Target over the massive hack last year
that exposed information on 40 million credit cards. Target could have
prevented the attack with better security practices, according to a recent
report from the Senate Commerce Committee.

The FTC has sued dozens of companies in recent years for failing to take
basic steps to protect customer data. The agency claims it has the
authority to police data security practices because Congress gave it power
over "unfair" business practices.

The FTC sued Wyndham in 2012, claiming that the hotel chain didn't use
basic security measures such as firewalls, complex passwords, or separating
networks in different locations. As a result, hackers were able to
penetrate a computer network in a Wyndham hotel in Phoenix, Ariz., and
ultimately make off with information on 500,000 credit cards, the FTC
charged.

But Wyndham asked the federal court to throw out the suit, arguing that
inadequate data security practices aren't "unfair" under the legal
definition.

Although the court dismissed Wyndham's attempt to block the suit, the FTC
will still have to prove the charges.

FTC Chairwoman Edith Ramirez said she's "pleased" with the decision and
looks forward to trying the case against Wyndham.

"Companies should take reasonable steps to secure sensitive consumer
information," she said. "When they do not, it is not only appropriate, but
critical, that the FTC take action on behalf of consumers."

Wyndham did not respond to a request to comment.

Although the FTC can order companies to change their business practices,
the agency has no fining authority. Democrats are pushing several bills in
Congress that would expand the FTC's authority over data security,
including giving the agency the power to fine companies for non-compliance.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/