US Courts Will Let The FTC Punish Companies For Bad Cybersecurity

Last week, hackers released a lot of data stolen from Ashley Madison and scared the shit out of internet users everywhere. Now, with an uncanny sense of timing, an appeals court says the Federal Trade Commission has the power to regulate companies’ cyber security. That’s good news for you!

A United States appeals court just unanimously upheld a lower court ruling that will let the FTC pursue a lawsuit against Wyndham Hotels for not protecting its customers’ personal financial data. Hackers pulled off a hat trick of breaches back in 2008 and 2009 that ultimately led to the theft of well over half a million Wyndham guests’ credit card information. The FTC’s rather sensical argument for Wyndham’s failure was that the hospitality company “unreasonably and unnecessarily” left its customer information available to hackers. Wyndham accused the government of overreaching, but when you step back and think about it, this is exactly why the FTC exists: to protect consumers.

Protecting consumer data is fairly new but well-precedented territory for the FTC. While the agency has a long history of defending consumers against identity theft and breaches in health information, the increasing frequency of hacks into companies that store financial data shows that consumers remain at risk. The FTC is considering a case against Target, for instance, over the hack that exposed the credit card numbers of as many as 40 million Target customers. Today’s appellate court ruling will provide further precedent for the FTC to take action, and if Wyndham appealed, the Supreme Court would have to get involved.

Circuit Judge Thomas Ambro called Wyndham’s argument alarmist, and then he made a funny — but insightful — joke. “It invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability,” said Ambro. Sounds like a pretty funny supermarket but also pretty dangerous.

The same holds true for companies that don’t protect user data. It’s fun for the hackers, sure. But it’s inevitably dangerous for any American who trusts these companies to protect their private information.

