Slashdot Mirror

← Back to Stories (view on slashdot.org)

Court: FTC Can Punish Companies With Sloppy Cybersecurity

Posted by samzenpus on from the who's-to-blame dept.

jfruh writes: The Congressional act that created the Federal Trade Commission gave that agency broad powers to punish companies engaged in "unfair and deceptive practices." Today, a U.S. appeals court affirmed that sloppy cybersecurity falls under that umbrella. The case involves data breaches at Wyndham Worldwide, which stored customer payment card information in clear, readable text, and used easily guessed passwords to access its important systems.

5 of 86 comments (clear)

  1. I agree with this in principle, however... by Rainbow+Nerds · · Score: 4, Insightful

    What constitutes sufficiently strong security practices? This seems subjective unless there are clear rules published. Obviously we'd agree that the practices in the summary are truly awful, but there are plenty of data breaches that don't seem quite as egregious. Are there going to be standards for applying patches to vulnerable software? What about human error such as tricking someone to giving out data they shouldn't or losing hard drives with data? Unless clear standards are published, this seems like an opportunity for selective enforcement. Also, while I understand it's a different agency, the US government is one of the worst offenders in terms of poor security practices. Who will hold the IRS accountable for their data breach, for example? It's hypocritical for the government to hold businesses accountable when they're an awful offender, too.

    --
    M-I-Z
    kU still sucks!
  2. Re:Corporations by penguinoid · · Score: 4, Insightful

    The trouble is when the CEO says "don't bother with security", and his underlings have to obey or get fired, then the CEO claims he can't be blamed for the actions of his underlings. Of course, the way the CEO says "don't bother with security" is by setting spending and productivity requirements, such that no spending can actually be done on security else you get fired for lack of productivity.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  3. Re:Written by Falconnan · · Score: 5, Interesting

    Well, if you can't even minimally secure a customer's data, you probably shouldn't collect and keep it. This company was keeping unencrypted financial data on non-firewalled systems. "Bank-like"? Really? How about equivalent to a kid's lemonade stand? Seriously, if I set the bar any lower a snail with a broken foot could clear it.

    What would make a big difference would be to force businesses beyond a certain size to assume liability for breaches, with minimum punitive damages and a presumption of responsibility. Then let the insurance companies dictate what will/won't be covered. As soon as there's a financial incentive, you'll get whiplash keeping up with security upgrades.

    Frankly, I'd like to see companies punished for attempting to prosecute legitimate security research. However, one battle at a time seems wise.

  4. Re:Written by swillden · · Score: 3, Interesting

    I'd like to see a reasonable publication out of the FTC first. Bank-like security would cripple most shops.

    "Bank-like security": I don't think that phrase means what you think it means.

    I spent ten years as a security consultant in the financial industry, and bank security sucks. Large tech companies do a better job. Google, where I work now, is dramatically better than any major US bank, and although I haven't been behind their curtains it appears to me that Apple, Microsoft, Amazon, etc., are very good as well.

    I think what it boils down to is that while banks know they need security they tend to be dominated by bankers, not the sort of technical people who know how to build secure systems. Big tech companies, on the other hand, may or may not actually need as much security but they have lots of geeks, among them a number who understand how to think about I/T security. Well, somewhat. Banks do tend to have a better understanding of the notion of risk mitigation, especially non-technical mitigation; techies tend to think in more absolute terms and about automated solutions. That absolutist, automated view allows fewer compromises, though, and more comprehensive and proactive analysis, where banks tend to be more reactive.

    Anyway, I think you'd find that actual bank-like I/T security is not what you imagine bank-like I/T security to be, and wouldn't be particularly onerous.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Re:Written by Skuld-Chan · · Score: 3, Informative

    PCI Compliance? While I agree its not 100% perfect - having documentation from some compliance officer at your company that you met or exceeded all their baseline recommendations should get you out of hot water if something bad were to happen.

    If you work in the medical field - there's HIPAA - which again most hospitals, clinics and labs probably have a compliance person on staff that is supposed to set policy on this sort of thing and audit systems for compliance.

    If you google around there's a standard for every single business/market you can think of.