Cybersecurity

Can the Feds Hold Companies Legally Responsible for Being Hacked?

Does the Federal Trade Commission have this kind of authority?

|

Look, it's Sherlock Holmes and Maleficent!
"Hackers," United Artists

A judge today has ruled that the Federal Trade Commission (FTC) can push forward with its lawsuit against hotel company Wyndam Worldwide Corp. Wyndam's crime? Being hacked.

The FTC announced the lawsuit in 2012, arguing that it was Wyndam's lax security that allowed for hacking that resulted in the theft of credit card information of more than 600,000 customers and more than $10 million in federal charges. The Washington Post took note of the case in 2012:

The FTC lawsuit, filed in U.S. District Court in Arizona, alleges numerous shortcomings in security practices by Wyndham and its subsidiaries, including the failure to erect firewalls, use appropriate passwords or configure software to keep credit card information secure.

The Wyndham systems were so vulnerable that hackers were able to use a primitive "brute force" attack in which they essentially guessed the password to an administrator's account and used the resulting access to scour the system for personal data for months, the suit said. Much of the data ended up on an Internet domain registered in Russia, which experts say is a major hub of cybercrime.

Wyndham tried to get the case dismissed on the grounds that the FTC does not have authority to regulate data security. Judge Esther Salas of the U.S. District Court of the District of New Jersey refused, though. She wrote that it could be "reasonably inferred" that Wyndham's poor security practices caused the data breach. The FTC is accusing Wyndham of essentially false advertising, saying its promise to protect users' data was "unfair and deceptive," The Hill notes.

This isn't a ruling that the FTC is correct that Wyndham should be held liable. She is ruling that the case may continue to move forward. She did warn in her ruling that her decision should not be taken as a "blank check" by the FTC to "sustain a lawsuit against every business that has been hacked." Just, apparently, the ones that don't meet the government's standards for data security, whatever those may be. The FTC has recommendations and guidance but not actual regulations. Yes, that's right—something the government doesn't have regulations for.

Advertisement

NEXT: Ira Stoll on the GOP's Dueling Plans for Tax Reform

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Shouldn’t we just leave this up to the tort system? If Wyndam didn’t follow industry standards and that resulted in the loss of people’s personal information, I think those people have a legitimate cause of action here.

    I guess that would prevent the feds from ruling an destroying another industry. So what is the fun in that?

  2. I assume the feds can be sued if your data is stolen because they were hacked?

    1. Of course they can’t. Any admission that their multi-billion dollar IT systems are outdated or inadequate would require them to admit how utterly useless their existence is. At least three times in my one tour between ’03-’08, some jackass in Quantico would lose a fucking laptop with several hundred thousand SSN’s on it. The only thing I got out of it was a free coupon for a credit check or something, IIRC.

      These people can’t even figure out how to secure thumb drives. What makes you think they’re remotely capable of fending off entire countries?

  3. She did warn in her ruling that her decision should not be taken as a “blank check” by the FTC to “sustain a lawsuit against every business that has been hacked.”

    FTC: Run with this and sue every hacked business, got it.

  4. CEREAL KILLER…HACK THE PLANET

    God damn that movie is ridiculous. That must be why I enjoy it so much. Well, that and young Angelina Jolie.

    1. Quelle movie was that?

      1. The picture is from Hackers. It’s really dumb (especially if you know anything about computers), but really fun.

  5. “She wrote that it could be “reasonably inferred” that Wyndham’s poor security practices caused the data breach.”

    I am not sure she knows what the word ’caused’ means.

    I am not sure I understand the difference between criminal and civil actions with regards to Federal Agencies suing like this. What are the standards? I assume if they could show mens rea then there would be criminal charges filed? They can’t, so they are going civil? It seems a grey area to me.

  6. Can the Feds Hold Companies Legally Responsible for Being Hacked?

    The feds can do pretty much what they want. See below:

    Judge Esther Salas of the U.S. District Court of the District of New Jersey refused, though. She wrote that it could be “reasonably inferred” that Wyndham’s poor security practices caused the data breach.

    See? Told ya.

    It can be “reasonably inferred” that the woman’s skimpy outfit caused the rape.

    1. And that fine ‘can be read as a tax’.

      1. Ahhhh Ha ha!

  7. Here’s what struck me. This:

    She wrote that it could be “reasonably inferred” that Wyndham’s poor security practices caused the data breach.

    Is not an answer to this:

    Wyndham tried to get the case dismissed on the grounds that the FTC does not have authority to regulate data security. Judge Esther Salas of the U.S. District Court of the District of New Jersey refused, though.

    As far as I can tell, anyway. Jurisdiction gets to the scope of the agency’s authority. Pointing that X may have been caused by Y does not give anyone jurisdiction over it, unless they have authority over Y. So, does the FTC have the authority to regulate data security, or not?

    I don’t know, and I suspect this judge doesn’t either.

    1. She does actually address it in the full ruling. Maybe I should have linked to that. “The Hill” does quote from it.

      1. “She does actually address it in the full ruling.”

        Respectfully, no she doesn’t. She seems to think she does, and maybe you read it that way, but no, she doesn’t.

        “The case, Salas admitted in her ruling, is in “unchartered territory.”

        Wyndham Worldwide has compared its case to a Supreme Court decision that prevented the Food and Drug Administration (FDA) from regulating tobacco, because the law did not specifically authorize its authority in the area.

        Unlike that case, however, Salas said it was not clear that Congress specifically meant to exclude data security from the FTC’s purview. The case was also different because no other “regulatory scheme” had been written for data privacy like tobacco, she said.

        Wyndham, she wrote, “fails to explain how the FTC’s unfairness authority over data security would lead to a result that is incompatible with more recent legislation and thus would ‘plainly contradict congressional policy.’ ”

        Instead, any laws that include data security provisions seem “to complement?not preclude?the FTC’s authority. … Thus, unlike the FDA’s regulation over tobacco, the FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme.”

        LOL “unchartered territory”

        1. The question is why she has authority over this case. She doesn’t answer it, so much as point to reasons why it might be.

        2. “She does actually address it in the full ruling.”

          Respectfully, no she doesn’t. She seems to think she does, and maybe you read it that way, but no, she doesn’t.

          Anyone can “address” a topic. “Being right” about it is quite a bit harder, and something she failed to achieve.

          1. Fair enough, I suppose under that standard she did address it, by essentially ignoring it after mentioning it.

            1. If she had bothered to read the Ninth and Tenth Amendment or Article 1 Section 8, she might have inferred that the FTC has zero constitutional basis to exist at all, much less sue companies for not having computer security up to some bureaucrat’s notion of what is adequate.

        3. This is the core of the jurisdictional argument?

          Salas said it was not clear that Congress specifically meant to exclude data security from the FTC’s purview.

          Any agency can regulate anything unless specifically prohibited by Congress?

          I stand by my earlier comment that she did not answer the defendant’s argument.

    2. I don’t know, and I suspect none of this would be happening if Esther Salas was in the kitchen making us some sandwiches.

      Just sayin’

  8. While tossing one’s credit card information out onto the Net isn’t the safest thing in the world to do, not doing so certainly doesn’t guarantee one’s account will not be compromised.

  9. If the government can and will sue a company for failure to comply with their “recommendations and guidance”, those are de facto regulations, and a particulary pernicious set of them at that.

  10. Wyndham has also claimed that the FTC needs to issue rules and regulations outlining when a company is open to action for lax data security.

    Salas retorted that she is “unpersuaded that regulations are the only means of providing sufficient fair notice.”

    Shorter: “I can just make shit up, and pretend I have the statuatory power to do so.”

    Even shorter: “FYTW.”

    1. regulations are the only means of providing sufficient fair notice

      So the Administrative Procedure Act, dictating what an agency must do in order to issue legally binding regulations, has now been amended by a judge so its purely advisory?

      1. The APA allows an agency to act under adjudication or rulemaking. So, no.

  11. The FTC has recommendations and guidance but not actual regulations. Yes, that’s right?something the government doesn’t have regulations for.

    Well, duh. If the government *had* regulations for this, those regulations would have, by definition, been comprehensive enough to stop hacking in its tracks.

    Just like every law everywhere.

  12. Will the FTC be in touch with the Pentagon or the NSA anytime soon?

    Those systems allow their lowest employees and/or external contractors to access everything.

  13. Wow man why didnt I think of that?

    http://www.GotzAnon.tk

  14. Wyndham was wearing revealing cloths – so she was just asking to be raped… right?

  15. I am a long time Reason reader, small ‘l’ libertarian, and huge skeptic of state action. I also happen to do administrative and consumer protection law and know the Wyndham case well. So the fact that some of my favorite Reason commenters are expressing very strong and equally misinformed opinions about this case is distressing to me.
    In defense of the decision I’ll just say this: in a rapidly changing area of technology like data security, you don’t want regulation – the gov wont get it right in the first place and it will be out of date before it even takes effect. What the FTC is doing is enforcing against fraud, essentially. If a company says they use industry standard security and will protect your data, they better actually do that. Prevention of force and fraud is a pretty core government role unless you’re an anarchist.

Please to post comments

Comments are closed.