Slashdot Mirror


Court: FTC Can Punish Companies With Sloppy Cybersecurity

jfruh writes: The Congressional act that created the Federal Trade Commission gave that agency broad powers to punish companies engaged in "unfair and deceptive practices." Today, a U.S. appeals court affirmed that sloppy cybersecurity falls under that umbrella. The case involves data breaches at Wyndham Worldwide, which stored customer payment card information in clear, readable text, and used easily guessed passwords to access its important systems.

1 of 86 comments

  1. Re:Written by Falconnan · Score: 5, Interesting

    Well, if you can't even minimally secure a customer's data, you probably shouldn't collect and keep it. This company was keeping unencrypted financial data on non-firewalled systems. "Bank-like"? Really? How about equivalent to a kid's lemonade stand? Seriously, if I set the bar any lower a snail with a broken foot could clear it.

    What would make a big difference would be to force businesses beyond a certain size to assume liability for breaches, with minimum punitive damages and a presumption of responsibility. Then let the insurance companies dictate what will/won't be covered. As soon as there's a financial incentive, you'll get whiplash keeping up with security upgrades.

    Frankly, I'd like to see companies punished for attempting to prosecute legitimate security research. However, one battle at a time seems wise.