FTC can sue companies with poor information security, appeals court says
Ars Technica 2015-08-24
On Monday, a federal appeals court ruled that the Federal Trade Commission (FTC) has the power to take action against companies that employ poor IT security practices. The ruling, from the United States Court of Appeals for the Third Circuit, came as part of a lawsuit between the FTC and Wyndham Worldwide Corporation, which manages a collection of hotels throughout the US.
In 2008 and 2009, Wyndham suffered three different breaches of its network, ultimately losing payment card information for more than 619,000 customers and causing $10.6 million in losses due to fraud. The FTC sued Wyndham in 2012 for failing to protect its customers from hackers, and Wyndham countered by saying that it was itself a victim of the hack and should not be penalized by the FTC for the breach.
The Philadelphia-based appeals court allowed the FTC's case against Wyndham to go forward in district court, and it noted that the FTC could use its authority to pursue “cybersecurity” cases under 15 U.S.C. Sec. 45, part of a 1914 law that gives the FTC the power to prohibit “unfair or deceptive acts or practices in or affecting commerce.” The court also noted that the FTC didn't have to spell out the specific security practices that Wyndham fell short of in order to bring a case against the company. However, the FTC did so in this instance, claiming that Wyndham allowed its partner hotels to store credit card information in plain text, allowed easily guessable passwords in property management software, failed to use firewalls to limit access to the corporate network, and failed to restrict third-party vendors' access to its network, among other things.