For organizations that get hacked like Anthem, Target and recently Ashley Madison, the problems are only starting. Apart from towering legal fees and a damaged reputation, now an appeals court has confirmed that the FTC can slap you with fines as well. This is excellent ammo to get more IT security budget.
Yesterday, the U.S. Court of Appeals for the Third Circuit ruled that the Federal Trade Commission (FTC) has the power to take action against organizations that employ poor IT security practices. The ruling was part of a lawsuit between the FTC and hotel chain Wyndham. This court decision affirms the FTC’s role as a digital watchdog with real-life teeth.
This Is A Big Deal
In 2008 and 2009, Wyndham was hacked three times, losing credit card data for more than 619,000 customers and causing $10.6 million in loss due to fraud. Originally, the FTC sued them in 2012 over the lack of security that led to its massive hack. The hotel chain appealed to a higher court to dismiss it, arguing that the FTC didn’t have the authority to punish the hotel chain for its breach. Wrong move. Yesterday's decision states that Wyndham’s breach is exactly the sort of “unfair or deceptive business practice” the FTC is empowered to stop. This means Wyndham now needs to go back and confront the FTC’s lawsuit in a lower court.
The circuit court also stated that the FTC does not have to detail any specific best practices that Wyndham failed to apply. The FTC did, however, and it's not a pretty picture. Here are some of the highlights: Wyndham allowed its partner hotels to store credit card information in plain text, allowed easily guessable passwords in property management software, failed to use firewalls to limit access to the corporate network, and failed to restrict third-party vendors' access to its network.
Data Insecurity As ‘Unfair’ Business Practice
The FTC argued that “taken together, they unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” In a statement to Ars, FTC Chairwoman Edith Ramirez wrote, “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
The upshot?
This appellate ruling establishes an important precedent for the legal consequences of a data breach. Berkeley Law professor Chris Hoofnagle said: "Had Wyndham won at the third circuit, it would have called into question the FTC’s ability to police privacy and security." Well, now we know that the U.S. Government, in the form of the FTC, can and most likely will jump in and add even more cost to an already very expensive data breach.
It's not clear how the hackers got into the hotel chain, but it would not surprise me if it was another phishing email that an employee clicked on. With easy-to-guess passwords in use, it is clear that they did not step employees through effective security awareness training. Having that in place is an IT best practice that has great ROI and is a crucial part of your defense-in-depth.
Find out how affordable this is for your organization and be pleasantly surprised.