Can the Feds Hold Companies Legally Responsible for Being Hacked?
Does the Federal Trade Commission have this kind of authority?


A judge ruled today that the Federal Trade Commission (FTC) can push forward with its lawsuit against hotel company Wyndham Worldwide Corp. Wyndham's crime? Being hacked.
The FTC announced the lawsuit in 2012, arguing that it was Wyndham's lax security that allowed the hacking, which resulted in the theft of credit card information of more than 600,000 customers and more than $10 million in fraudulent charges. The Washington Post took note of the case in 2012:
The FTC lawsuit, filed in U.S. District Court in Arizona, alleges numerous shortcomings in security practices by Wyndham and its subsidiaries, including the failure to erect firewalls, use appropriate passwords or configure software to keep credit card information secure.
The Wyndham systems were so vulnerable that hackers were able to use a primitive "brute force" attack in which they essentially guessed the password to an administrator's account and used the resulting access to scour the system for personal data for months, the suit said. Much of the data ended up on an Internet domain registered in Russia, which experts say is a major hub of cybercrime.
Wyndham tried to get the case dismissed on the grounds that the FTC does not have authority to regulate data security. Judge Esther Salas of the U.S. District Court for the District of New Jersey refused, though. She wrote that it could be "reasonably inferred" that Wyndham's poor security practices caused the data breach. The FTC is accusing Wyndham of what is essentially false advertising, saying that its failure to live up to its promise to protect customers' data was "unfair and deceptive," The Hill notes.
This isn't a ruling that the FTC is correct that Wyndham should be held liable. She is ruling that the case may continue to move forward. She did warn in her ruling that her decision should not be taken as a "blank check" by the FTC to "sustain a lawsuit against every business that has been hacked." Just, apparently, the ones that don't meet the government's standards for data security, whatever those may be. The FTC has recommendations and guidance but no actual regulations. Yes, that's right: something the government doesn't have regulations for.
Shouldn't we just leave this up to the tort system? If Wyndham didn't follow industry standards and that resulted in the loss of people's personal information, I think those people have a legitimate cause of action here.
I guess that would prevent the feds from ruling and destroying another industry. So what is the fun in that?
I assume the feds can be sued if your data is stolen because they were hacked?
Of course they can't. Any admission that their multi-billion dollar IT systems are outdated or inadequate would require them to admit how utterly useless their existence is. At least three times in my one tour between '03-'08, some jackass in Quantico would lose a fucking laptop with several hundred thousand SSNs on it. The only thing I got out of it was a free coupon for a credit check or something, IIRC.
These people can't even figure out how to secure thumb drives. What makes you think they're remotely capable of fending off entire countries?
She did warn in her ruling that her decision should not be taken as a "blank check" by the FTC to "sustain a lawsuit against every business that has been hacked."
FTC: Run with this and sue every hacked business, got it.
CEREAL KILLER...HACK THE PLANET
God damn that movie is ridiculous. That must be why I enjoy it so much. Well, that and young Angelina Jolie.
Quelle movie was that?
The picture is from Hackers. It's really dumb (especially if you know anything about computers), but really fun.
"She wrote that it could be "reasonably inferred" that Wyndham's poor security practices caused the data breach."
I am not sure she knows what the word 'caused' means.
I am not sure I understand the difference between criminal and civil actions with regards to Federal Agencies suing like this. What are the standards? I assume if they could show mens rea then there would be criminal charges filed? They can't, so they are going civil? It seems a grey area to me.
The feds can do pretty much what they want. See below:
See? Told ya.
It can be "reasonably inferred" that the woman's skimpy outfit caused the rape.
And that fine 'can be read as a tax'.
Ahhhh Ha ha!
Here's what struck me. This:
She wrote that it could be "reasonably inferred" that Wyndham's poor security practices caused the data breach.
Is not an answer to this:
Wyndham tried to get the case dismissed on the grounds that the FTC does not have authority to regulate data security. Judge Esther Salas of the U.S. District Court of the District of New Jersey refused, though.
As far as I can tell, anyway. Jurisdiction gets to the scope of the agency's authority. Pointing that X may have been caused by Y does not give anyone jurisdiction over it, unless they have authority over Y. So, does the FTC have the authority to regulate data security, or not?
I don't know, and I suspect this judge doesn't either.
She does actually address it in the full ruling. Maybe I should have linked to that. "The Hill" does quote from it.
"She does actually address it in the full ruling."
Respectfully, no she doesn't. She seems to think she does, and maybe you read it that way, but no, she doesn't.
"The case, Salas admitted in her ruling, is in 'unchartered territory.'
Wyndham Worldwide has compared its case to a Supreme Court decision that prevented the Food and Drug Administration (FDA) from regulating tobacco, because the law did not specifically authorize its authority in the area.
Unlike that case, however, Salas said it was not clear that Congress specifically meant to exclude data security from the FTC's purview. The case was also different because no other "regulatory scheme" had been written for data privacy like tobacco, she said.
Wyndham, she wrote, "fails to explain how the FTC's unfairness authority over data security would lead to a result that is incompatible with more recent legislation and thus would 'plainly contradict congressional policy.' "
Instead, any laws that include data security provisions seem "to complement, not preclude, the FTC's authority. ... Thus, unlike the FDA's regulation over tobacco, the FTC's unfairness authority over data security can coexist with the existing data-security regulatory scheme."
LOL "unchartered territory"
The question is why she has authority over this case. She doesn't answer it, so much as point to reasons why it might be.
"She does actually address it in the full ruling."
Respectfully, no she doesn't. She seems to think she does, and maybe you read it that way, but no, she doesn't.
Anyone can "address" a topic. "Being right" about it is quite a bit harder, and something she failed to achieve.
Fair enough, I suppose under that standard she did address it, by essentially ignoring it after mentioning it.
If she had bothered to read the Ninth and Tenth Amendment or Article 1 Section 8, she might have inferred that the FTC has zero constitutional basis to exist at all, much less sue companies for not having computer security up to some bureaucrat's notion of what is adequate.
This is the core of the jurisdictional argument:
Salas said it was not clear that Congress specifically meant to exclude data security from the FTC's purview.
Any agency can regulate anything unless specifically prohibited by Congress?
I stand by my earlier comment that she did not answer the defendant's argument.
I don't know, and I suspect none of this would be happening if Esther Salas was in the kitchen making us some sandwiches.
Just sayin'
+1
While tossing one's credit card information out onto the Net isn't the safest thing in the world to do, not doing so certainly doesn't guarantee one's account will not be compromised.
If the government can and will sue a company for failure to comply with their "recommendations and guidance", those are de facto regulations, and a particulary pernicious set of them at that.
Wyndham has also claimed that the FTC needs to issue rules and regulations outlining when a company is open to action for lax data security.
Salas retorted that she is "unpersuaded that regulations are the only means of providing sufficient fair notice."
Shorter: "I can just make shit up, and pretend I have the statutory power to do so."
Even shorter: "FYTW."
regulations are the only means of providing sufficient fair notice
So the Administrative Procedure Act, dictating what an agency must do in order to issue legally binding regulations, has now been amended by a judge so it's purely advisory?
The APA allows an agency to act under adjudication or rulemaking. So, no.
Well, duh. If the government *had* regulations for this, those regulations would have, by definition, been comprehensive enough to stop hacking in its tracks.
Just like every law everywhere.
Will the FTC be in touch with the Pentagon or the NSA anytime soon?
Those systems allow their lowest employees and/or external contractors to access everything.
Wyndham was wearing revealing clothes, so she was just asking to be raped... right?
I am a long-time Reason reader, small 'l' libertarian, and huge skeptic of state action. I also happen to do administrative and consumer protection law and know the Wyndham case well. So the fact that some of my favorite Reason commenters are expressing very strong and equally misinformed opinions about this case is distressing to me.
In defense of the decision I'll just say this: in a rapidly changing area of technology like data security, you don't want regulation; the gov won't get it right in the first place and it will be out of date before it even takes effect. What the FTC is doing is enforcing against fraud, essentially. If a company says they use industry standard security and will protect your data, they had better actually do that. Prevention of force and fraud is a pretty core government role unless you're an anarchist.