Can the Feds Hold Companies Legally Responsible for Being Hacked?
Does the Federal Trade Commission have this kind of authority?
A judge today has ruled that the Federal Trade Commission (FTC) can push forward with its lawsuit against hotel company Wyndham Worldwide Corp. Wyndham's crime? Being hacked.
The FTC announced the lawsuit in 2012, arguing that it was Wyndham's lax security that allowed for hacking that resulted in the theft of credit card information of more than 600,000 customers and more than $10 million in federal charges. The Washington Post took note of the case in 2012:
The FTC lawsuit, filed in U.S. District Court in Arizona, alleges numerous shortcomings in security practices by Wyndham and its subsidiaries, including the failure to erect firewalls, use appropriate passwords or configure software to keep credit card information secure.
The Wyndham systems were so vulnerable that hackers were able to use a primitive "brute force" attack in which they essentially guessed the password to an administrator's account and used the resulting access to scour the system for personal data for months, the suit said. Much of the data ended up on an Internet domain registered in Russia, which experts say is a major hub of cybercrime.
Wyndham tried to get the case dismissed on the grounds that the FTC does not have authority to regulate data security. Judge Esther Salas of the U.S. District Court of the District of New Jersey refused, though. She wrote that it could be "reasonably inferred" that Wyndham's poor security practices caused the data breach. The FTC is accusing Wyndham of essentially false advertising, saying its promise to protect users' data was "unfair and deceptive," The Hill notes.
This isn't a ruling that the FTC is correct that Wyndham should be held liable. She is ruling that the case may continue to move forward. She did warn in her ruling that her decision should not be taken as a "blank check" by the FTC to "sustain a lawsuit against every business that has been hacked." Just, apparently, the ones that don't meet the government's standards for data security, whatever those may be. The FTC has recommendations and guidance but not actual regulations. Yes, that's right—something the government doesn't have regulations for.