Companies That Let Themselves Get Hacked Can Be Sued by the FTC, Court Rules

The decision comes, serendipitously, after hackers published Ashley Madison users’ private data last week.

Aug 24 2015, 8:30pm

Image: GotCredit/Flickr

Today, a US appeals court affirmed the Federal Trade Commission's authority to go after companies for having inadequate cybersecurity practices—under a statute passed in 1914.

The ruling means that conduct such as failing to encrypt credit card information, or using easy-to-guess passwords for remote access to systems, can be considered an "unfair" trade practice. A ruling in the other direction would have left a gaping hole in American privacy regulation, since the FTC is the primary enforcer of data security standards today.

When hackers breached Wyndham Worldwide Corporation's systems three times in 2008 and 2009, the FTC sued the hotel company—which operates well-known brands such as Ramada, Travelodge and Super 8—alleging that its poor security was an unfair trade practice and that its privacy policy was deceptive. According to the FTC, some of Wyndham's hotels didn't encrypt credit card information, and systems could be remotely accessed using easily guessed passwords.

In one case, the username and password were both "micros"—which was also the name of the remote access software being used.

Wyndham fought back, claiming the FTC did not have the authority to regulate cybersecurity. (In all fairness, the Federal Trade Commission Act of 1914 is not an obvious choice under which to enforce data privacy and security.) The company argued that this kind of approach would allow the FTC to sue supermarkets that are "sloppy about sweeping up banana peels."

However, the US Court of Appeals for the Third Circuit rejected this argument, calling it "alarmist." In fact, the court went so far as to sarcastically respond that "were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability" under section five of the Federal Trade Commission Act.

In the eyes of the Third Circuit, data security enforcement fits within the FTC's purview partly because poor security is unfair to consumers. In his opinion, Judge Thomas Ambro wrote that "a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business."

Within today's patchwork system of privacy regulation, the Federal Trade Commission is actually "the most active federal agency enforcing privacy and data security, and it has the broadest reach," according to experts such as Daniel Solove and Woodrow Hartzog. Affirming FTC authority in cases like Wyndham is particularly significant because the allegations in that case bear an uncanny resemblance to countless other breaches.

In an interview with Motherboard's Joseph Cox last week, the Ashley Madison hackers said that the breached company had "no security" and that "you could use Pass1234 from the internet to VPN to root on all servers."