Should Companies be Accountable for Leaked Customer Data?


Companies that don't do enough to protect customer data against hacking are more likely to be sued, thanks to a court ruling this week. A federal appeals court rejected an argument that the Federal Trade Commission (FTC) overstepped its powers by suing a company over three hacking incidents.

The company in question is the Wyndham Hotel chain, from which 619,000 customers' credit card data was leaked. According to the FTC, Wyndham failed to use suitably complex login details on accounts, stored card data on its servers in unencrypted form, and did not use adequate firewalls to protect the data. (Source: ftc.gov)

Misleading Promises Are The Legal Issue

The FTC believes it has the right to sue in such cases, though not for the security failings in themselves. Instead, it says that Wyndham's privacy policy, as detailed on its website, misrepresented the efforts it made to protect customer data. That's classed as deceptive marketing, which is one of the key things the FTC can crack down on under its terms of operation as a federal agency.

Wyndham challenged the FTC's right to bring the case on several grounds, all of which were rejected by the appeals court. One argument involved the precise definition of "unfair behavior," but the appeals court argued that telling customers their data is safe when that is not the case is inherently unfair.

Another Wyndham argument was that a company can't be acting "unfairly" if an incident is sparked by third-party criminals, something the court flat out rejected.

Banana Peel Ploy Slips Up

Finally, Wyndham argued that if the FTC can sue over inadequate cyber security, they should also "require every store in the land to post an armed guard at the door [and sue a supermarket if it is] sloppy about sweeping up banana peels." The court not only rejected this analogy, but also made a snide dig by stating that a supermarket that left so many banana peels lying around that 619,000 customers fell over would also probably find itself in legal bother. (Source: scribd.com)

The ruling will likely be cited as precedent in any future disputes over FTC lawsuits over inadequate security. However, it doesn't necessarily settle the issue of whether it's unlawful for companies to have sloppy customer security if they don't have any listed privacy policy and thus aren't specifically making any misleading claims.

What's Your Opinion?

Should companies have a legal responsibility to protect customer data from hacking? Do you think any of Wyndham's arguments were valid? Which is worse: not safeguarding customer data, or misleading customers about security measures?


Comments

Dennis Faas:

Any company that stores credit card data should be held responsible if that data is breached. Based on my own experience as a web developer, most websites that use third party credit card processing (such as PayPal, for example) are not allowed to have access to credit card numbers, but can still record and access information about customers' purchases if needed. I don't understand why this strategy wasn't used in Wyndham's case, as it is much more secure. This would effectively point any blame to the third party credit card processing company and not the host site.

funkyecat:

Absolutely. Companies are responsible for leaked data. Most do not provide any protection/security for their own data as well.

jamies:

My view - not just the company, but also the CEO - company owner or shareholders as appropriate for the company ownership, and whoever is actually in charge of their IT, policy and purchasing.

The courts should indicate their assessment of the relative liability (%) of each person or organisation, and more important than actually imposing a fine should be compensating each and every person or organisation whose details were not held in an appropriately secure manner.
Then again, what happens when a company goes into liquidation? Prison sentences for the persons considered at fault I would hope.

There should be a mitigation allowance if the data disclosure can be shown to have been held in what would be considered a secure manner, but the access to that data was achieved by efforts of a level that should, by the courts be considered to involve efforts and processes that would by their nature, rather than their target involve national security agencies.
As in good enough to breach FBI, CIA, DOD and White House security - rather than just they got at an FBI computer.

That is remembering the 2 teenagers who were convicted of inappropriate access/spying when they accessed an FBI computer using the master install id and passwords that were published in the manufacturer's system setup documentation - where it clearly states "Change the id and password when you perform the install".

Never did hear that the persons in charge of the installation ever got told off for not being bothered to implement any useful security on the system.

royala_5291:

Yes, companies should be liable, but where's the practical answer...anyone? The large companies and corporations may be able to handle the extra cost of litigation and to get the security experts needed to create secure data protection (if that's really possible). What about the reported shortage of qualified security experts? There most likely would not be near enough qualified experts if all businesses got serious about security.

Another problem facing many companies is that IT security is not taken as seriously as it should be. Never really was and still falls far short on the 'VIP lists'.

Smaller companies, mom-and-pops, factories, even local gov't offices don't have the $$$, education, or even recognize the talent that is needed for this added data security. If fined and sued, could this be the end of small businesses that support millions of towns and families across the US?

And how can companies' IT departments keep up with the increasing surge of intelligent criminals across the world? Laws can't deter these criminals outside the US, the US can't touch them.

There are many more caveats to this problem, and maybe the Gold Chip program could be a start. Is it fair to lay total blame in one place more than another with so many problems to be solved in this arena and so few permanent answers? Note that nothing can be permanent in technology as quickly as it advances today.

RedDawg:

If a company insists on keeping credit card data, address, or any personally identifying information on their company servers they SHOULD BE FINANCIALLY RESPONSIBLE for any breach resulting in loss of data, and heavily fined as well. In many cases this information has no other use than to ease further sales or marketing. I contract my services to several local businesses; any that retain client information for any reason must use strong encryption (256-bit minimum), passwords I demand vary from 15 to 40 characters complex, and in some cases because of the nature of the information it must be maintained off-line, in some cases on CD or DVD. Perfect? No, but I think I could defend them and myself in court better than that!

deuce128:

Most definitely. It's their responsibility to ensure that the information that I provide them is safe and secure especially when it comes to financial data.

ecash:

I find it interesting that we Sign our Life away every time we have to read a TOS..
ANY contract is a FAIR TRADE of responsibilities..

Anyone with a modicum of tech knowledge can tell you FAIR basic protections..
Anyone from the OLD school, can rig up a Pretty good protection..

Every Installer/Fixer/repair person understands WHY people install AV ware, Anti BOT progs, NOSCRIPT...and these protections do NOTHING if you don't teach the customer...DON'T PUSH THE BUTTON..

How many sites have we gone to, that have MORE than 5 scripts vying to get access to your computer??
WHY would you want to BLOCK 3rd party Scripts..WHO is responsible for CRAPPING OUT your computer? The site you are ON, or the 3rd party?
I have asked FF for an Addon that would place a NOTE (yes, it's possible) on every script that I get from a site, of the NAME of the site I received it from..They said it couldn't be done..

You have to understand that your Browser is an Emulator..It's designed to Run/use 7+ Languages and markup scripts...at the same time..I would rather SANDBOX every one of them and run them in separate windows..Which isn't easy to do..

It comes down to specifics...HOW you run your servers, and How easy you make it to get into the MAIN server.. MAIN servers should not have access to the NET..everything should run from an access point that CHECKS everything.
It's as if people have forgotten HOW to protect servers and DATA...There are many tricks..yes tricks. to protect DATA.. And companies that DEPEND on Basic software to do the job, are @#$%@#$%@ STUPID..