A United States federal judge recently ruled the Federal Trade Commission has the authority to file lawsuits against companies for failing to take “reasonable and appropriate” data security measures.
The FTC sued hotel chain Wyndham Worldwide in 2012 over “repeated failures” to protect its customers’ data that led to multiple data breaches between 2008 and 2010. More than 600,000 customer accounts were compromised as a result of these breaches, and at least one breach went undetected for almost four months, according to the lawsuit. The regulator alleged the company, which operates Days Inn, Howard Johnson, Ramada Inn, Super 8, and Travelodge, led customers to believe their data was more secure than it was.
Wyndham Worldwide claimed the suit should be dismissed because the FTC did not have authority to sue companies. In a 42-page ruling, District Judge Esther Salas of the US District Court of New Jersey ruled the FTC had satisfied the legal requirements to bring the hotelier to trial.
The agency claimed Wyndham allowed employees to use easy-to-guess passwords, didn’t have all its systems behind a firewall, didn’t regularly inventory its systems, and stored credit card information in unencrypted plain text.
Wyndham’s practices were “unfair” because they were “likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves,” the FTC said in the suit.
Investing in better security—such as multi-factor authentication, encryption of sensitive data, and implementing data controls—can be costly, and it may seem cheaper to just deal with the resulting fines when the data breach happens. The ruling that the FTC can sue companies can change the security equation, as it is now potentially more expensive to not make these investments.
Consider the case of Wyndham. If found guilty, the hotel chain may be faced with a hefty price tag, as the FTC is seeking “such relief as the Court finds necessary to redress injury to consumers resulting from Defendants’ violations of the FTC Act, including but not limited to, rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies.”
Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor to several publications, including iPCMag.com, where she is a networking and security analyst. She was also a senior writer at eWeek, where she covered security, core Internet infrastructure and open source, and a senior technical editor at CRN Test Center, reviewing open source, storage, and networking products.