BreachExchange mailing list archives
Court Upholds FTC's Power to Sue Hacked Companies
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 7 Apr 2014 18:41:31 -0600
http://www.nationaljournal.com/tech/court-upholds-ftc-s-power-to-sue-hacked-companies-20140407

The Federal Trade Commission has the power to sue companies that fail to protect their customers' data, a federal court said Monday.

The ruling shoots down a challenge from Wyndham Hotels, which claimed that the FTC overstepped its authority with a 2012 lawsuit against the global hotel chain.

The decision by Esther Salas, a federal judge in New Jersey, is a major win for the agency. If the court had sided with Wyndham, it would have stripped the federal government of oversight of data security practices just as hackers begin to pull off more and more high-profile attacks.

Salas said her decision "does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked," but that she must follow the "binding and persuasive precedent" to uphold the agency's authority.

The FTC is currently investigating Target over the massive hack last year that exposed information on 40 million credit cards. Target could have prevented the attack with better security practices, according to a recent report from the Senate Commerce Committee.

The FTC has sued dozens of companies in recent years for failing to take basic steps to protect customer data. The agency claims it has the authority to police data security practices because Congress gave it power over "unfair" business practices.

The FTC sued Wyndham in 2012, claiming that the hotel chain didn't use basic security measures such as firewalls, complex passwords, or separating networks in different locations. As a result, hackers were able to penetrate a computer network in a Wyndham hotel in Phoenix, Ariz., and ultimately make off with information on 500,000 credit cards, the FTC charged.

But Wyndham asked the federal court to throw out the suit, arguing that inadequate data security practices aren't "unfair" under the legal definition.

Although the court dismissed Wyndham's attempt to block the suit, the FTC will still have to prove the charges.

FTC Chairwoman Edith Ramirez said she's "pleased" with the decision and looks forward to trying the case against Wyndham.

"Companies should take reasonable steps to secure sensitive consumer information," she said. "When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers."

Wyndham did not respond to a request to comment.

Although the FTC can order companies to change their business practices, the agency has no fining authority. Democrats are pushing several bills in Congress that would expand the FTC's authority over data security, including giving the agency the power to fine companies for non-compliance.