Slashdot Mirror


Court: FTC Can Punish Companies With Sloppy Cybersecurity

jfruh writes: The Congressional act that created the Federal Trade Commission gave that agency broad powers to punish companies engaged in "unfair and deceptive practices." Today, a U.S. appeals court affirmed that sloppy cybersecurity falls under that umbrella. The case involves data breaches at Wyndham Worldwide, which stored customer payment card information in clear, readable text, and used easily guessed passwords to access its important systems.

15 of 86 comments

  1. I agree with this in principle, however... by Rainbow+Nerds · · Score: 4, Insightful

    What constitutes sufficiently strong security practices? This seems subjective unless there are clear rules published. Obviously we'd agree that the practices in the summary are truly awful, but there are plenty of data breaches that don't seem quite as egregious. Are there going to be standards for applying patches to vulnerable software? What about human error, such as tricking someone into giving out data they shouldn't or losing hard drives with data? Unless clear standards are published, this seems like an opportunity for selective enforcement. Also, while I understand it's a different agency, the US government is one of the worst offenders in terms of poor security practices. Who will hold the IRS accountable for their data breach, for example? It's hypocritical for the government to hold businesses accountable when they're an awful offender, too.

    --
    M-I-Z
    kU still sucks!
  2. Re:Corporations by penguinoid · · Score: 4, Insightful

    The trouble is when the CEO says "don't bother with security", and his underlings have to obey or get fired, then the CEO claims he can't be blamed for the actions of his underlings. Of course, the way the CEO says "don't bother with security" is by setting spending and productivity requirements, such that no spending can actually be done on security else you get fired for lack of productivity.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  3. oh, man. Prepare for another round. by 140Mandak262Jamuna · · Score: 2, Interesting

    Last time it was the Sarbanes-Oxley act. The company security policies were changed by a committee mainly run by lawyers. These $300/hr billing-rate guys have never logged into anything; they always had a bevy of flunkies who did all the access to the computer, who printed out emails and who typed back the responses scrawled on the printouts. The main intent was to show that they had a strict security policy in court, rather than to implement policies that will actually improve security.

    Passwords must be changed every ninety days; they must have one uppercase letter, one lowercase letter, one numeral, one non-alphanumeric character, no reuse of passwords, and no substring that is a word or date found in the dictionary. A bunch of uninformed jurors would be impressed; that was the whole point. That it would force people to write down the passwords on sticky notes and very cleverly paste them on the underside of the keyboard was not realized by the bozos, or if it was, it did not bother them. More like "Yes! Exactly! This process would net us enough scapegoats and sacrificial lambs to be thrown under the bus! I approve!!" would be their response if they understood what would really happen.

    Not all government agencies are like that. The FAA and NTSB have a decent reputation. If they realize pilots are not following procedures or checklists, they would try to understand why and try to make the procedures easier to follow. (I think they would perform even better if we removed "promotion of air travel" from the FAA's charter and made it concentrate exclusively on the safety of air travel.)

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:oh, man. Prepare for another round. by Required+Snark · · Score: 2, Insightful

      So how many big US banks have assumed huge risks for short term profits since Sarbanes-Oxley passed? You talk as if it was a plague of locusts that mysteriously descended out of the sky for no discernible reason. It passed because Wall Street fucked up the entire world economy out of incompetence and greed.

      Were you asleep since 2008 or are you mentally deficient? Those are the only two reasons I can think of for your idiocy.

      Given the chance, big business behaves like a meth freak with rabies. They are not trustworthy. There is no such thing as "business ethics".

      There is only one goal: making the people at the top as rich as possible. Nothing else counts. This is why 10% of the profits of large US companies go to the CEO. That's insane. Nowhere else in the world is this true.

      Even after Sarbanes-Oxley the banking sector remains unchanged. We've seen international currency rigging, wholesale tax cheating and money laundering. There have been tens of billions of dollars of fines. It's still the same rigged game.

      Sarbanes-Oxley is too weak. Until CEOs and members of boards of directors go to jail it will never stop. So far no one has gone to jail. Not one person. The only people who do time are people convicted of insider trading, which is a joke. That is petty crime compared to what people like Mozilo did at Countrywide Mortgage.

      If we are ever going to rid ourselves of our completely corrupt economic system, a lot of very rich people are going to have to spend decades in jail and be stripped of every penny they stole. And we are going to have to break up the monopolies and de facto cartels that dominate the economy. Only then will we get back to functioning capitalism. If you think that our economy is capitalistic then you are truly delusional.

      --
      Why is Snark Required?
    2. Re:oh, man. Prepare for another round. by steelfood · · Score: 2

      That it would force people to write down the passwords on sticky notes and very cleverly paste them on the underside of the keyboard was not realized by the bozos, or if it was, it did not bother them.

      People keep trotting this out as if it was some horrible, boogeyman security practice.

      Quite frankly, it's probably better than any other security solution. After all, humans have spent thousands of years working on physical locks, while electronic ones (like passwords) have only been around for a few decades. And physical security is another legitimate layer of security. Sure, somebody can break into your workplace and grab your passwords. But they'd actually have to be physically there. And the cops are much more likely (and able) to respond to a physical break-in than to some virtual intruder entering virtual storage.

      The worst thing that could happen would be to electronically store the passwords in plain text. You get neither physical nor electronic security. That should be discouraged.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  4. Re:Written by Falconnan · · Score: 5, Interesting

    Well, if you can't even minimally secure a customer's data, you probably shouldn't collect and keep it. This company was keeping unencrypted financial data on non-firewalled systems. "Bank-like"? Really? How about equivalent to a kid's lemonade stand? Seriously, if I set the bar any lower a snail with a broken foot could clear it.

    What would make a big difference would be to force businesses beyond a certain size to assume liability for breaches, with minimum punitive damages and a presumption of responsibility. Then let the insurance companies dictate what will/won't be covered. As soon as there's a financial incentive, you'll get whiplash keeping up with security upgrades.

    Frankly, I'd like to see companies punished for attempting to prosecute legitimate security research. However, one battle at a time seems wise.

  5. Re:I'll piss on a spark plug... by PopeRatzo · · Score: 2

    Most likely, if this ever gets used, businesses will take the FTC to court, say they are not a law enforcement body.

    Except, the FTC is most definitely a law enforcement body.

    http://www.encyclopedia.com/to...

    Federal Trade Commission (FTC)
    The Federal Trade Commission (FTC) was established as an independent administrative agency pursuant to the Federal Trade Commission Act of 1914. The purpose of the FTC is to enforce the provisions of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices in commerce." The Clayton Antitrust Act (1914) also granted the FTC the authority to act against specific and unfair monopolistic practices. The FTC is considered to be a law enforcement agency, and like other such agencies it lacks punitive authority. Although the FTC cannot punish violators—that is the responsibility of the judicial system—it can issue cease and desist orders and argue cases in federal and administrative courts.

    Today, the Federal Trade Commission serves an important function as a protector of both consumer and business rights. While the restrictions that it imposes on business practices often receive the most attention, other laws enforced by the FTC—such as the 1979 Franchise Rule, which directed franchisors to provide full disclosure of franchise information to prospective franchisees—have been of great benefit to entrepreneurs and small business owners.

    Emphasis added.

    --
    You are welcome on my lawn.
  6. Standard of care by sjbe · · Score: 2

    There's no practical way to define "bad practices".

    That's simply not true. We do that all the time in any number of professions. Trade groups and government agencies establish all the time what constitutes the standard of care for a particular industry. It's positively routine. Accountants do it. Financial traders do it. Doctors do it. There is no reason IT security people cannot do it.

    Better is to treat data theft the same as any other theft; punish the thief.

    So you think that if a bank neglects to lock its vault, allowing your money to be stolen, it should bear no liability for its carelessness? I could not disagree more. Sure, you punish the thief, but you punish the bank too, to ensure that they take better care the next time. Any time an agent is trusted with your property or data, they have a duty of care to ensure it is secure.

  7. more corporate cronyism courtesy of the FTC by NostalgiaForInfinity · · Score: 2

    This sounds good, but it isn't. Companies should be fully legally liable for the damage that their lax cybersecurity causes. It's a failing of our court system and laws that they aren't. FTC enforcement, on the other hand, is going to be ineffective. The FTC is going to give selected companies a slap on the wrist, and it's going to be lenient on big corporate supporters of whatever administration is in power.

    1. Re:more corporate cronyism courtesy of the FTC by fredgiblet · · Score: 2

      I'd love to live in such a world, but we don't. Since we don't, proper measures must be taken to secure important customer data. It's the responsibility of the companies to provide SOME degree of security for their information; if they don't, then they should be held liable. It's not hard to do so these days, so if you don't then it's pure laziness.

      In the same fashion we shouldn't NEED to have banks with secure vaults, but if you went into a bank and they said "Sorry, someone walked into our vault and took your money, it's gone now." I'm sure you'd be somewhat put out that the bank didn't have security in place.

      Lastly, FINDING the thieves in cases like this is almost impossible, and if we did find them they're probably in a different country and don't have enough money to repay the damages caused anyway. Punishing them is nearly impossible and won't fix the problems that the victims (being the consumers, not the company) have.

  8. Re:The entire point of a corporation by blue9steel · · Score: 2

    If CEOs are personally liable for everything a company does you have completely gutted the entire purpose of a corporation which is to insulate the owners and employees from personal liability.

    The purpose is to insulate the owners from liability; otherwise they would be loath to invest when their losses could far exceed the potential return. Employees enjoy no such intended insulation. In practice, they have effectively enjoyed protection, but that's merely a combination of diffuse responsibility and poor enforcement, not by design.

  9. Re:Corporations by mrchaotica · · Score: 2

    It should work the same way professional licensing for civil engineering works: the technical professional involved should hold the legal liability (and be licensed so that it's abundantly clear to everyone that he is the one liable), but the company should be required to have its personal-information-holding servers administered by such a licensed professional so that he has the job security to be able to stand up for himself.

    In other words, make it so that all professional server admins can (and will) refuse to obey "skip the security" orders, and make it illegal for the CEO to replace the professionals with unlicensed yes-men.

    --
    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  10. Re:Written by swillden · · Score: 3, Interesting

    I'd like to see a reasonable publication out of the FTC first. Bank-like security would cripple most shops.

    "Bank-like security": I don't think that phrase means what you think it means.

    I spent ten years as a security consultant in the financial industry, and bank security sucks. Large tech companies do a better job. Google, where I work now, is dramatically better than any major US bank, and although I haven't been behind their curtains it appears to me that Apple, Microsoft, Amazon, etc., are very good as well.

    I think what it boils down to is that while banks know they need security they tend to be dominated by bankers, not the sort of technical people who know how to build secure systems. Big tech companies, on the other hand, may or may not actually need as much security but they have lots of geeks, among them a number who understand how to think about I/T security. Well, somewhat. Banks do tend to have a better understanding of the notion of risk mitigation, especially non-technical mitigation; techies tend to think in more absolute terms and about automated solutions. That absolutist, automated view allows fewer compromises, though, and more comprehensive and proactive analysis, where banks tend to be more reactive.

    Anyway, I think you'd find that actual bank-like I/T security is not what you imagine bank-like I/T security to be, and wouldn't be particularly onerous.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  11. Will they punish a Secretary of State who... by srichard25 · · Score: 2

    Will they punish a Secretary of State who had Top Secret info on a private email server that was running out of a bathroom? That's right, laws are only for the little guy and those "evil" corporations.

  12. Re:Written by Skuld-Chan · · Score: 3, Informative

    PCI compliance? While I agree it's not 100% perfect, having documentation from some compliance officer at your company that you met or exceeded all their baseline recommendations should get you out of hot water if something bad were to happen.

    If you work in the medical field, there's HIPAA, for which, again, most hospitals, clinics and labs probably have a compliance person on staff who is supposed to set policy on this sort of thing and audit systems for compliance.

    If you google around there's a standard for every single business/market you can think of.