Courts Will Let the FTC Punish Companies for Bad Cybersecurity

Illustration for article titled Courts Will Let the FTC Punish Companies for Bad Cybersecurity

Last week, hackers released a ton of data stolen from Ashley Madison, and scared the shit out of internet users everywhere. Now, with an uncanny sense of timing, an appeals court says the Federal Trade Commission has the power to regulate companies’ cyber security. That’s good news for you!

A United States appeals court just unanimously upheld a lower court ruling that will let the FTC pursue a lawsuit against Wyndham Hotels for not protecting its customer’s personal financial data. Hackers pulled off a hat trick of breaches back in 2008 and 2009 that ultimately led to the theft of well over half a million Wyndham guests’ credit card information. The FTC’s rather sensical argument for Wyndham’s failure was that the hospitality company “unreasonably and unnecessarily” left its customer information available to hackers. Wyndham accused the government of overreaching, but when you step back and think about it, this is exactly why the FTC exists: to protect consumers.

Protecting consumer data is fairly new but well precedented territory for the FTC. While the agency has a long history of defending consumers against identity theft and breaches in health information, the increasingly frequency of hacks into companies that store financial data show that consumers remain at risk. The FTC is considering a case against Target, for instance, over the hack that exposed the credit card numbers of as many as 40 million Target customers. Today’s appellate court ruling will provide further precedent for the FTC to take action, and if Wyndham appealed, the Supreme Court would have to get involved.


Circuit Judge Thomas Ambro called Wyndham’s argument alarmist, and then he made a funny—but insightful—joke. “It invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability,” said Ambro. Sounds like a pretty funny supermarket but also pretty dangerous.

The same holds true for companies that don’t protect user data. It’s fun for the hackers, sure. But it’s inevitably dangerous for any American who trusts these companies to protect their private information.


Image via AP

Contact the author at
Public PGP key
PGP fingerprint: 91CF B387 7B38 148C DDD6 38D2 6CBC 1E46 1DBF 22


Share This Story

Get our newsletter


I’m torn, because on the one hand, this feels like a proper role of government (OPM and IRS hacks notwithstanding). But on the other hand, when companies get hit by nation-state actors, I’m not sure punishing them for consumer collateral damage makes any kind of sense.

Of course, the attribution problem makes this kind of a moot distinction. Who hacked Sony Pictures? North Korea, China, the Russian mob, insiders, anti-copyright hacktivists, or any combination of the one of the above working on behalf of another of the above, depending whom you ask.

Is someone breaking into a company’s network and taking over at least one domain admin account prima facie evidence of negligence or lax security on the company’s part? Or did they just get their asses kicked by a cutting-edge weapon of modern warfare?

Or, to put it in cruder terms, if Germany had successfully conducted an aerial bombardment of a Ford dealership during World War II, would the government have the legal right or imperative to punish the dealership for not having adequate anti-aircraft defenses?

I’m just spitballing here; I don’t really have a good answer for this.