Court: FTC Can Punish Companies With Sloppy Cybersecurity
jfruh writes: The Congressional act that created the Federal Trade Commission gave that agency broad powers to punish companies engaged in "unfair and deceptive practices." Today, a U.S. appeals court affirmed that sloppy cybersecurity falls under that umbrella. The case involves data breaches at Wyndham Worldwide, which stored customer payment card information in clear, readable text, and used easily guessed passwords to access its important systems.
Other than rhetoric and a finger waggle, I'll piss on a spark plug if I see any improvement in business security due to this. Most likely, if this ever gets used, businesses will take the FTC to court, say they are not a law enforcement body, and security is not considered misrepresenting... or just throw up their hands and say hackers can get in no matter what.
I'd like to see clear(er) written guidelines for how, say, customer data should be cared for. And because there may be valid reasons to deviate from the guidelines, perhaps request that the reason for the deviations be written down by the organization and supplied on request to the FTC.
How exactly do punitive measures improve lax data security policies?
So some company gets wrecked and now it owes the FTC something. Great plan; say hello to shell companies harboring data "on the behalf of" the actual company.
Fly-by-night cloud operators take note! It's money time.
What about the recent breach of vast amounts of info on people with security clearances from government repos?
What constitutes sufficiently strong security practices? This seems subjective unless there are clear rules published. Obviously we'd agree that the practices in the summary are truly awful, but there are plenty of data breaches that don't seem quite as egregious. Are there going to be standards for applying patches to vulnerable software? What about human error such as tricking someone into giving out data they shouldn't or losing hard drives with data? Unless clear standards are published, this seems like an opportunity for selective enforcement. Also, while I understand it's a different agency, the US government is one of the worst offenders in terms of poor security practices. Who will hold the IRS accountable for their data breach, for example? It's hypocritical for the government to hold businesses accountable when they're an awful offender, too.
Of course, it's much harder to punish the people actually responsible for the bad practices if they're part of a corporation. Especially if they plan ahead how to diffuse the responsibility.
Punishments for corporates that get hacked need to be AT LEAST as severe as the punishments for hackers that carry out attacks if sufficient security was not in place. Without this there is little incentive for companies to improve security. Even within corporates if the sec guys who keep banging on about needing to do X to be secure can highlight this as a risk - it's much more likely they'll get listened to.
How about punishing companies that charge "returned check fees" for a simple declined credit card (which is 100% out of the control of us consumers)? You can't get any more anti-consumer than that. More people need to report this kind of shit to credit companies and have their merchants disconnected.
Passwords must be changed every ninety days; they must have one upper case, one lower case, one numeral, one non-alphanumeric, and no reuse of passwords, and no substring can be a word or date found in the dictionary. A bunch of uninformed jurors would be impressed; that was the whole point. That it would force people to write down the passwords on sticky notes and very cleverly paste them on the underside of the keyboard is not realized by the bozos, or if they did realize it, it did not bother them. More like, "Yes! Exactly! This process would net us enough scapegoats and sacrificial lambs to be thrown under the bus! I approve!!" would be their response if they understood what would really happen.
Not all government agencies are like that. The FAA and NTSB have a decent reputation. If they realize pilots are not following procedures or checklists, they would try to understand why and try to make the procedures easier to follow. (I think they would perform even better if we removed "promotion of air travel" from the FAA's charter and made it concentrate exclusively on safety of air travel.)
What constitutes sufficiently strong security practices?
If companies are smart they'll form a trade group and define these themselves. Basically a set of reasonable practices that companies should be expected to follow when handling customer data. Following these practices and having them audited would provide a basis for some amount of safe harbor from government prosecution. If companies do not do this it is highly probable that the government will pass some laws defining such practices at some point and the companies probably won't like them very much.
Are there going to be standards for applying patches to vulnerable software?
There should be, pursuant to my answer above.
What about human error such as tricking someone into giving out data they shouldn't or losing hard drives with data?
What about it? The point is to protect customer data so if the company handles it in a sloppy manner then they should pay a penalty for that. As a customer I don't really care that they didn't mean to make a mistake. If I handled their data in a sloppy manner I'd expect to get sued so the same should be true in reverse. Look at it this way, if a bank is tricked into giving someone access to the money in your account they would be liable for your losses, correct? Why should it be any different with data? The only difference is in defining the value of the data but the principle is identical. The company has a fiduciary responsibility to safely store your data and if they are sloppy with that duty of care then they should pay a price.
It's hypocritical for the government to hold businesses accountable when they're an awful offender, too.
While you are quite correct that's not an excuse to let companies off the hook.
If CEOs are personally responsible for every action taken by a company, say hello to oppressive micro-management.
If CEOs are personally liable for everything a company does you have completely gutted the entire purpose of a corporation which is to insulate the owners and employees from personal liability. There is NO other purpose to a company besides this. It is 100% of the reason corporations exist. Unlimited personal liability makes corporations a completely pointless entity.
No, you make the penalties to the company sufficiently draconian, and if the CEO didn't do his job to ensure your data was safe then he will probably lose his job at the next board meeting.
Consumers should be the ones suing companies like Target and Home Depot. In particular, they will be able to point to them running Windows as well as outsourcing at wages below 10,000/year. The latter makes them easy targets for Russia and China to offer 10x the salary, esp. since the company is not allowed to operate in these nations.
There's no practical way to define "bad practices".
That's simply not true. We do that all the time in any number of professions. Trade groups and government agencies all the time establish what constitutes standard of care for a particular industry. It's positively routine. Accountants do it. Financial traders do it. Doctors do it. There is no reason IT security people cannot do it.
Better is to treat data theft the same as any other theft; punish the thief.
So you think that if a bank neglects to lock its vault allowing your money to be stolen that it should bear no liability for their carelessness? I could not disagree more. Sure you punish the thief but you punish the bank too to ensure that they take better care the next time. Any time an agent is trusted with your property or data they have a duty of care to ensure it is secure.
This sounds good, but it isn't. Companies should be fully legally liable for the damage that their lax cybersecurity causes. It's a failing of our court system and laws that they aren't. FTC enforcement, on the other hand, is going to be ineffective. The FTC is going to give selected companies a slap on the wrist, and it's going to be lenient on big corporate supporters of whatever administration is in power.
Can you say tens of millions of personal and security clearance records from the OPM breach, hundreds of thousands of taxpayer records lost in the latest IRS data breach, and that is just this year ;)
We all know how well it turned out the first time around...
Can the OPM or IRS get sued for their lax security?
That's every one of them.
What indemnification do the providers of the software give to companies in relation to keeping customer information secure? Is there a case for a class action by the end users of the service against such losses? I see a growth industry in 'cyber' insurance.
When people just read the Rainbow Series.
Fundamentals, people, study the fundamentals.
Make it LAW that they have to pay for full-ride credit monitoring for a year minimum, and the CEO, CFO and the CIO all spend at least 90 days in a non-Club-Fed prison (per, say, 10K victims), and maybe we will be talking something.
Oh, and BTW, list the company on a central website with the number of victims and how lame the breach was.
We do punish criminals, when we catch and convict them. Not what this is about.
When a company cheaps out on rudimentary security, leaving customers exposed to expensive damages, the FTC simply requires the firm to share their pain.
It's motivation to conduct basic cost-benefit analysis, which businesses must be good at, including potential damages to customers.
"The company also failed to use 'readily available security measures' such as firewalls to limit access between the company's property management systems, its corporate network and the Internet, the FTC charged."
Since the invention of RPC and services that can open any old port, the firewall is next to useless. Before y'all come back with 'you don't know what you're talking about', how about impressing us all with your immense intellect and sharing with us the knowledge of how to secure 'computers' connected to the Internet?
Will they punish a Secretary of State who had Top Secret info on a private email server that was running out of a bathroom? That's right, laws are only for the little guy and those "evil" corporations.
What happens when the FTC's caught with sloppy security?
More likely the FTC is just looking for a new way to increase their own power. But let the people who lose stuff and get hurt by such companies prosecute them. Then the people who get hurt get the money. Then the insurance companies, as someone else has said, get to decide who to insure. In the end, the market will decide who stays in business. Just keep the problem-causing government out of it. They will muck it up. Usually by going after companies that, by their political bent or other irrelevant reasons, cause them to become big targets.
We could put all SPI (Sensitive Personal Information) customer data under the same umbrella that HIPAA covers.
Yes it would be expensive, but if you're going to collect and store private customer data, you damn well better protect it.