U.S. Court Affirms FTC Authority to Enforce Data Breach Rules
NEWS ANALYSIS: The Philadelphia-based U.S. Third Circuit Court of Appeals finds that the Federal Trade Commission can sue Wyndham Hotels for lax security practices that led to a data breach.
In a decision that cites a litany of basic security blunders, the United States Third Circuit Court of Appeals unanimously found that the Federal Trade Commission has the authority to sue Wyndham Hotels for unfair cyber-security practices that, "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."
The decision lists a series of network security practices that came to light after a trio of breaches in 2008 and 2009. The fundamental security blunders include storing payment data and customer identifying information in clear, unencrypted text. The company, which uses point-of-sale terminals made by Micros Systems, then made all of the user names and passwords "micros." The company's network was essentially wide open to attackers because Wyndham apparently didn't feel the need to use firewalls, properly update server and computer software, control which computers attached to the company network or change default user names and passwords. Network security was so lax that the court observed that Wyndham was unable to tell for sure that it had been hacked, and when the event became obvious (because its customers' identities and credit card information were being sold online), it was at a loss to figure out how it happened.
For its part, Wyndham was challenging the FTC's authority to punish it for its security failings. The FTC began enforcing security practices in 2005 in conjunction with its charter to protect consumers. Since then, companies found not to be in compliance with reasonable security practices have settled with the FTC, signed consent agreements and beefed up their security practices.