Court: FTC Can Punish Companies With Sloppy Cybersecurity

jfruh writes: The Congressional act that created the Federal Trade Commission gave that agency broad powers to punish companies engaged in "unfair and deceptive practices." Today, a U.S. appeals court affirmed that sloppy cybersecurity falls under that umbrella. The case involves data breaches at Wyndham Worldwide, which stored customer payment card information in clear, readable text, and used easily guessed passwords to access its important systems.


  • I'd like to see clear(er) written guidelines for how, say, customer data should be cared for. And because there may be valid reasons to deviate from the guidelines, perhaps request that the reason for the deviations be written down by the organization and supplied on request to the FTC.

    • by Anonymous Coward

      I'd like to see clear(er) written guidelines for how, say, customer data should be cared for. And because there may be valid reasons to deviate from the guidelines, perhaps request that the reason for the deviations be written down by the organization and supplied on request to the FTC.

      Oh, you mean like when a company agrees to process credit card transactions the written guidelines that dictate PCI-DSS 3.0 compliance?

      (Sorry, but in the example provided in TFS, it sure as shit seems pretty cut and dry)

      • I'd like to see clear(er) written guidelines for how, say, customer data should be cared for. And because there may be valid reasons to deviate from the guidelines, perhaps request that the reason for the deviations be written down by the organization and supplied on request to the FTC.

        Oh, you mean like when a company agrees to process credit card transactions the written guidelines that dictate PCI-DSS 3.0 compliance?

        (Sorry, but in the example provided in TFS, it sure as shit seems pretty cut and dry)

        Can you explain how PCI-DSS 3.0 stops anything getting hacked? You know the Target and Home Depot systems were PCI compliant right?

        The NIST stuff isn't so awful, but it's not in a form that's very useful. It's lots of little specs that don't fit together into a system. However it contains very useful specs on means for an organization to protect itself. This is good.

        This is a solvable problem, but the PCI specs are a barrier to uniform adoption of something effective.

    • Re:Written (Score:4, Informative)

      by Skuld-Chan ( 302449 ) on Monday August 24, 2015 @11:33PM (#50385473)

      PCI Compliance? While I agree it's not 100% perfect - having documentation from some compliance officer at your company that you met or exceeded all their baseline recommendations should get you out of hot water if something bad were to happen.

      If you work in the medical field - there's HIPAA - which again most hospitals, clinics and labs probably have a compliance person on staff that is supposed to set policy on this sort of thing and audit systems for compliance.

      If you google around there's a standard for every single business/market you can think of.

    • You know, what you describe is roughly one of the missions of those fancy Data Protection Agencies we have in Europe.
    • Me, too. Since I'm opposed to capital punishment, let's start with life in the electric chair for anyone who thinks it's anywhere near acceptable to store credit card info in plaintext.

  • by Rainbow Nerds ( 4224689 ) on Monday August 24, 2015 @05:48PM (#50383813)

    What constitutes sufficiently strong security practices? This seems subjective unless there are clear rules published. Obviously we'd agree that the practices in the summary are truly awful, but there are plenty of data breaches that don't seem quite as egregious. Are there going to be standards for applying patches to vulnerable software? What about human error such as tricking someone to giving out data they shouldn't or losing hard drives with data? Unless clear standards are published, this seems like an opportunity for selective enforcement. Also, while I understand it's a different agency, the US government is one of the worst offenders in terms of poor security practices. Who will hold the IRS accountable for their data breach, for example? It's hypocritical for the government to hold businesses accountable when they're an awful offender, too.

    • What constitutes sufficiently strong security practices?

      If companies are smart they'll form a trade group and define these themselves. Basically a set of reasonable practices that companies should be expected to follow when handling customer data. Following these practices and having them audited would provide a basis for some amount of safe harbor from government prosecution. If companies do not do this it is highly probable that the government will pass some laws defining such practices at some point and the companies probably won't like them very much.

      Are there going to be standards for applying patches to vulnerable software?

      Ther

    • by darkain ( 749283 )

      Here is your publication of what is "secure" - https://www.pcisecuritystandar... [pcisecuritystandards.org]

    • by AmiMoJo ( 196126 )

      Insurance companies and banks already have informal standards for minimal security that they expect their clients to have. If your credit card is used fraudulently online, UK banks will ask if you have any anti-virus software installed, how you store passwords and if your OS is up to date. Considering XP is now no longer supported I wouldn't admit to running that.

      Insurance companies have similar standards for both computer security and physical security. If you are burgled and didn't put locks on your doors

    • by burbilog ( 92795 )

      What constitutes sufficiently strong security practices?

      This is the main question. What if government mandates a certain antivirus program on every computer, and who cares if you run Linux?

  • Of course, it's much harder to punish the people actually responsible for the bad practices if they're part of a corporation. Especially if they plan ahead how to diffuse the responsibility.

    • But is that what we really want? If CEOs are personally responsible for every action taken by a company, say hello to oppressive micro-management. I don't mean the normal "my manager wants to cover his ass" micro-management. If you turn this into a "perfect security or jailtime" proposition, there will be real consequences all the way down the ladder. So maybe the CEO isn't the one ultimately responsible for website security...send the webmaster to jail? How far do we take that? Individual programmers are n
      • Re:Corporations (Score:5, Insightful)

        by penguinoid ( 724646 ) on Monday August 24, 2015 @06:09PM (#50383951) Homepage Journal

        The trouble is when the CEO says "don't bother with security", and his underlings have to obey or get fired, then the CEO claims he can't be blamed for the actions of his underlings. Of course, the way the CEO says "don't bother with security" is by setting spending and productivity requirements, such that no spending can actually be done on security else you get fired for lack of productivity.

        • then the CEO claims he can't be blamed for the actions of his underlings

          Anyone who accepts that argument from the CEO is responsible for whatever they get. The CEO's whole job is being responsible for the actions of his underlings. If they do something wrong that he didn't know about, he's responsible for not knowing about it. If they do something wrong and he did know about it, then he's responsible for it. In rare cases he gets a pass when they do something wrong and actively hide it from him, well enough that it's not reasonable to expect that he could have known about it...

          • by dcw3 ( 649211 )

            The CEO's whole job is being responsible for the actions of his underlings. If they do something wrong that he didn't know about, he's responsible for not knowing about it.

            So, Obama is responsible for Hillary's email server?

            • The CEO's whole job is being responsible for the actions of his underlings. If they do something wrong that he didn't know about, he's responsible for not knowing about it.

              So, Obama is responsible for Hillary's email server?

              I think maybe you didn't read the fourth sentence of my post.

              She hid it from him and there's no way he could reasonably have known. He can prove that, and identify the person responsible. So he gets a pass. Mostly.

              "Mostly" because he appointed her. That's somewhat unfair, but it comes with the job.

              Of course, if it turns out he did know about her private mail server, and that she was using it for government business and didn't order her to stop, then the entire burden of responsibility shifts to him. T

      • If CEOs are personally responsible for every action taken by a company, say hello to oppressive micro-management.

        If CEOs are personally liable for everything a company does you have completely gutted the entire purpose of a corporation which is to insulate the owners and employees from personal liability. There is NO other purpose to a company besides this. It is 100% of the reason corporations exist. Unlimited personal liability makes corporations a completely pointless entity.

        No you make the penalties to the company sufficiently draconian and if the CEO didn't do his job to ensure your data was safe then he will

        • If CEOs are personally liable for everything a company does you have completely gutted the entire purpose of a corporation which is to insulate the owners and employees from personal liability.

          The purpose is to insulate the owners from liability; otherwise they would be loath to invest when their losses could far exceed the potential return. Employees enjoy no such intended insulation. In practice, they have effectively enjoyed protection, but that's merely a combination of diffuse responsibility and poor enforcement, not by design.

        • Paperwork should never be protection from criminal liability

      • It should work the same way professional licensing for civil engineering works: the technical professional involved should hold the legal liability (and be licensed so that it's abundantly clear to everyone that he is the one liable), but the company should be required to have its personal-information-holding servers administered by such a licensed professional so that he has the job security to be able to stand up for himself.

        In other words, make it so that all professional server admins can (and will) ref

    • by tomhath ( 637240 )
      There's no practical way to define "bad practices". Better is to treat data theft the same as any other theft; punish the thief.
      • There's no practical way to define "bad practices".

        That's simply not true. We do that all the time in any number of professions. Trade groups and government agencies all the time establish what constitutes standard of care [wikipedia.org] for a particular industry. It's positively routine. Accountants do it. Financial traders do it. Doctors do it. There is no reason IT security people cannot do it.

        Better is to treat data theft the same as any other theft; punish the thief.

        So you think that if a bank neglects to lock its vault, allowing your money to be stolen, it should bear no liability for its carelessness? I could not disagree more.

      • Wrong. Assume that you have your kid at a daycare and they leave the door wide open all the time. In addition, it turns out that the back that you were not allowed to see is where they put the kid and it is right by the road. Then your kid is stolen. It would be BOTH the thief and the daycare that would be gone after. Rightly.
  • by Anonymous Coward

    Punishments for corporates that get hacked need to be AT LEAST as severe as the punishments for hackers that carry out attacks if sufficient security was not in place. Without this there is little incentive for companies to improve security. Even within corporates if the sec guys who keep banging on about needing to do X to be secure can highlight this as a risk - it's much more likely they'll get listened to.

  • by Anonymous Coward

    How about punishing companies that charge "returned check fees" for a simple declined credit card (which is 100% out of the control of us consumers)? You can't get any more anti-consumer than that. More people need to report this kind of shit to credit companies and have their merchants disconnected.

    https://www.google.com/webhp?q... [google.com]

  • by 140Mandak262Jamuna ( 970587 ) on Monday August 24, 2015 @06:19PM (#50384001) Journal
    Last time it was the Sarbanes-Oxley act. The company security policies were changed by a committee mainly run by lawyers. These 300$/hr billing rate guys have never logged into anything, always had a bevy of flunkies who did all the access to the computer, who printed out emails and who typed back the responses scrawled on the print outs. The main intent was to show that they had a strict security policy in court, rather than implement policies that would actually improve security.

    Passwords must be changed every ninety days; they must have one upper case, one lower case, one numeral, one non-alphanumeric, no reuse of passwords, and no substring can be a word or date found in the dictionary. A bunch of uninformed jurors would be impressed; that was the whole point. That it would force people to write down the passwords on sticky notes and very cleverly paste them on the underside of the keyboard is not realized by the bozos, or if it was, it did not bother them. More like, "Yes! Exactly! This process would net us enough scapegoats and sacrificial lambs to be thrown under the bus! I approve!!" would be their response if they understood what would really happen.

    Not all government agencies are like that. FAA and NTSB have a decent reputation. If they realize pilots are not following procedures or checklist they would try to understand why and try to make the procedures easier to follow. (I think they would perform even better if we remove from FAA's charter "promotion of air travel" and make it exclusively concentrate on safety of air travel. )

    • These 300$/hr billing rate guys have never logged into anything

      You can be sure they haven't logged into their Madison Ashley account lately!

    • Last time it was the Sarbanes-Oxley act. The company security policies were changed by a committee mainly run by lawyers. These 300$/hr billing rate guys have never logged into anything, always had a bevy of flunkies who did all the access to the computer, who printed out emails and who typed back the responses scrawled on the print outs.

      And that's IT admins' OWN DAMN FAULT!

      The regulations governing civil engineers are sane and good. You know why? Because organizations like the ASCE [wikipedia.org] stepped up to create r

    • Re: (Score:3, Insightful)

      So how many big US banks have assumed huge risks for short term profits since Sarbanes-Oxley passed? You talk as if it was a plague of locusts that mysteriously descended out of the sky for no discernible reason. It passed because Wall Street fucked up the entire world economy out of incompetence and greed.

      Were you asleep since 2008 or are you mentally deficient? Those are the only two reasons I can think of for your idiocy.

      Given the chance, big business behaves like a meth freak with rabies. They are not

    • Sounds like it might be a good time to get back into the security consulting business.

      OTOH, I like my soul.

    • That it would force people to write down the passwords in sticky notes and very cleverly paste it on the underside of the keyboard is not realized by the bozos, or if it did, it did not bother them.

      People keep trotting this out as if it was some horrible, boogeyman security practice.

      Quite frankly, it's probably better than any other security solution. After all, humans have spent thousands of years working on physical locks, while electronic ones (like passwords) have only been around for a few decades. And, physical security is another legitimate layer of security. Sure somebody can break into your work place and grab your passwords. But they'd actually have to be physically there. And the cops are m

  • Consumers should be the ones suing companies like Target and Home Depot. In particular, they will be able to point to them running Windows as well as outsourcing at wages below 10,000/year. The latter makes them easy targets for Russia and China to offer 10x the salary, esp. since the company is not allowed to operate in these nations.
  • This sounds good, but it isn't. Companies should be fully legally liable for the damage that their lax cybersecurity causes. It's a failing of our court system and laws that they aren't. FTC enforcement, on the other hand, is going to be ineffective. The FTC is going to give selected companies a slap on the wrist, and it's going to be lenient on big corporate supporters of whatever administration is in power.

    • Re: (Score:1, Troll)

      by tompaulco ( 629533 )
      We shouldn't be punishing companies for lax security. We should be punishing criminals for breaking in. There should be no need to even have a password. There should be only a user name to identify the customer. The fact that we accept that people are going to try to access other people's accounts and rather than consider punishing them, we consider instead to punish the victim of the crime for wearing such a short skirt is just appalling.
      We shouldn't have to have passwords, lock doors, have security syste
      • I'd love to live in such a world, but we don't. Since we don't, proper measures must be taken to secure important customer data. It's the responsibility of the companies to provide SOME degree of security for their information; if they don't, then they should be held liable. It's not hard to do so these days, so if you don't then it's pure laziness.

        In the same fashion we shouldn't NEED to have banks with secure vaults, but if you went into a bank and they said "Sorry, someone walked into our vault and took
      • You prove again that sufficiently advanced stupidity is indistinguishable from sarcasm.

    • by AmiMoJo ( 196126 )

      I doubt even full legal liability for the damage would help. Look at Ashley Madison, it will be a miracle if they survive now, and their entire business was built around being discreet, and yet they didn't care enough to have solid security. Their management would rather make some short term profits and get paid than spend money on security that might even slow their growth rate. Notice how they see basic security features like being able to delete your data as both something they should profit from and som

      • I doubt even full legal liability for the damage would help.

        Yes, I'm sure you do. That's because you don't understand how markets work.

        Look at Ashley Madison, it will be a miracle if they survive now, and their entire business was built around being discreet, and yet they didn't care enough to have solid security.

        So they go out of business. That's a far worse penalty than any fine the FTC could impose. With better legal liability, the founders of Ashley Madison would be paying until they die.

        In addition, cu

  • Can the OPM or IRS get sued for their lax security?
  • that's every one of them.
  • What indemnification do the providers of the software give to companies in relation to keeping customer information secure? Is there a case for a class action by the end users of the service against such losses? I see a growth industry in 'cyber' insurance.
  • when people just read the Rainbow Series.

    Fundamentals, people, study the fundamentals.

  • make it LAW that they have to pay for full ride credit monitoring for a year minimum and the CEO, CFO and the CIO all spend at least 90 days in a non club fed prison (per, say, 10K victims) and maybe we will be talking something.

    oh and btw list the company on a central website with number of victims and how lame the breach was.

  • "The company also failed to use "readily available security measures" such as firewalls to limit access between the company's property management systems, its corporate network and the Internet, the FTC charged."

    Since the invention of RPC and services that can open any ole port, the firewall is next to useless. Before y'all come back with 'you don't know what you're talking about', how about impressing us all with your immense intellect and sharing with us the knowledge of how to secure 'computers' connec
  • by srichard25 ( 221590 ) on Monday August 24, 2015 @08:25PM (#50384693)

    Will they punish a Secretary of State who had Top Secret info on a private email server that was running out of a bathroom? That's right, laws are only for the little guy and those "evil" corporations.

  • Court: FTC Can Punish Companies With Sloppy Cybersecurity

    Or, as my RSS feed put it:

    Court: FTC Can Punish Companies With Sloppy Cyberse...

  • What happens when the FTC's caught with sloppy security?
  • we could put all SPI ( Sensitive Personal Information ) customer data under the same umbrella that HIPAA covers.

    Yes it would be expensive, but if you're going to collect and store private customer data, you damn well better protect it.
