The US government is getting closer to being able to hold companies liable for cyber security breaches. Three years ago I wrote about a lawsuit by the Federal Trade Commission against Wyndham hotels (actually a collection of business entities). They alleged, among other things, that Wyndham used bad passwords, stored customers’ data unencrypted. After requesting that the suit be dismissed, a federal appeals court ruled on August 24th that the case can proceed.
Before I go any further I want to make it crystal clear that Wyndham has not lost the suit by the FTC, and they have only been accused of possible wrongdoing. I have no inside or personal information about the case, and I make no judgements about what Wyndham actually did.
What is particularly interesting to me in this case is that the court of Appeals affirmed in its ruling. The ruling begins:
The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). In 2005 the Federal Trade Commission began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. The vast majority of these cases have ended in settlement.
That means that the government can bring legal action against companies “with allegedly deficient cybersecurity”. As one continues reading, the rational is clear: the alleged poor cyber security practices were “unfair”. Legally, in this case according to the ruling, unfair means “likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
There is clearly an issue here whether the Government should play in these situations. The Electronic Frontier Foundation and the Electronic Privacy Information Center (along with other groups) filed amicus briefs in this case supporting the FTC’s position. They are interesting reading. My questions to you are whether or not you agree with these consumer-advocacy groups and what – if any – role government should play in requiring companies to employ cyber security measures?
In either case, cyber security professionals need to be aware of the organizations’ legal responsibilities to follow established “best practices”. Don’t use default passwords, encrypt data, and so forth. We mention many of these in Learning Tree’s System and Network Security Introduction.
I find this case fascinating because of 1) the cyber security issues involved, and 2) the roles of government and the market in forcing companies to maintain good cyber security. I will continue to follow this case as it progresses and I will let you know what I find out.
To your safe computing,
Check out Learning Tree’s Cyber Security Knowledge Center in recognition of National Cyber Security Month.