Court: FTC Can Punish Companies With Sloppy Cybersecurity 86
jfruh writes: The Congressional act that created the Federal Trade Commission gave that agency broad powers to punish companies engaged in "unfair and deceptive practices." Today, a U.S. appeals court affirmed that sloppy cybersecurity falls under that umbrella. The case involves data breaches at Wyndham Worldwide, which stored customer payment card information in clear, readable text, and used easily guessed passwords to access its important systems.
Re: (Score:3)
Except, the FTC is most definitely a law enforcement body.
http://www.encyclopedia.com/to... [encyclopedia.com]
Re: (Score:2)
Wait wtf
"Today, the Federal Trade Commission serves an important function as a protector of both consumer and business rights."
Consumers have rights in the USA? Surely thats un-American!
Written (Score:1)
I'd like to see clear(er) written guidelines for how say customer data should be cared for. And because their may be valid reasons to deviate from the guidelines, perhaps request that the reason for the deviations be written down by the organization and supplied on request to the FTC.
Re: (Score:1)
Re:Written (Score:5, Interesting)
Well, if you can't even minimally secure a customer's data, you probably shouldn't collect and keep it. This company was keeping unencrypted financial data on non-firewalled systems. "Bank-like"? Really? How about equivalent to a kid's lemonade stand? Seriously, if I set the bar any lower a snail with a broken foot could clear it.
What would make a big difference would be to force businesses beyond a certain size to assume liability for breaches, with minimum punitive damages and a presumption of responsibility. Then let the insurance companies dictate what will/won't be covered. As soon as there's a financial incentive, you'll get whiplash keeping up with security upgrades.
Frankly, I'd like to see companies punished for attempting to prosecute legitimate security research. However, one battle at a time seems wise.
Re:Written (Score:4, Interesting)
I'd like to see a reasonable publication out of the FTC first. Bank-like security would cripple most shops.
"Bank-like security": I don't think that phrase means what you think it means.
I spent ten years as a security consultant in the financial industry, and bank security sucks. Large tech companies do a better job. Google, where I work now, is dramatically better than any major US bank, and although I haven't been behind their curtains it appears to me that Apple, Microsoft, Amazon, etc., are very good as well.
I think what it boils down to is that while banks know they need security they tend to be dominated by bankers, not the sort of technical people who know how to build secure systems. Big tech companies, on the other hand, may or may not actually need as much security but they have lots of geeks, among them a number who understand how to think about I/T security. Well, somewhat. Banks do tend to have a better understanding of the notion of risk mitigation, especially non-technical mitigation; techies tend to think in more absolute terms and about automated solutions. That absolutist, automated view allows fewer compromises, though, and more comprehensive and proactive analysis, where banks tend to be more reactive.
Anyway, I think you'd find that actual bank-like I/T security is not what you imagine bank-like I/T security to be, and wouldn't be particularly onerous.
Re: (Score:1)
I'd like to see clear(er) written guidelines for how say customer data should be cared for. And because their may be valid reasons to deviate from the guidelines, perhaps request that the reason for the deviations be written down by the organization and supplied on request to the FTC.
Oh, you mean like when a company agrees to process credit card transactions the written guidelines that dictate PCI-DSS 3.0 compliance?
(Sorry, but in the example provided in TFS, it sure as shit seems pretty cut and dry)
Re: (Score:2)
I'd like to see clear(er) written guidelines for how say customer data should be cared for. And because their may be valid reasons to deviate from the guidelines, perhaps request that the reason for the deviations be written down by the organization and supplied on request to the FTC.
Oh, you mean like when a company agrees to process credit card transactions the written guidelines that dictate PCI-DSS 3.0 compliance?
(Sorry, but in the example provided in TFS, it sure as shit seems pretty cut and dry)
Can you explain how PCI-DSS 3.0 stops anything getting hacked? You know the Target and Home Depot systems were PCI compliant right?
The NIST stuff isn't so awful, but it's not in a form that's very useful. It's lots of little specs that don't fit together into a system. However it contains very useful specs on means for an organization to protect itself. This is good.
This is a solvable problem, but the PCI specs are a barrier to uniform adoption of something effective.
Re:Written (Score:4, Informative)
PCI Compliance? While I agree its not 100% perfect - having documentation from some compliance officer at your company that you met or exceeded all their baseline recommendations should get you out of hot water if something bad were to happen.
If you work in the medical field - there's HIPAA - which again most hospitals, clinics and labs probably have a compliance person on staff that is supposed to set policy on this sort of thing and audit systems for compliance.
If you google around there's a standard for every single business/market you can think of.
Re: (Score:2)
Re: (Score:2)
Me, too. Since I'm opposed to capital punishment, let's start with life in the electric chair for anyone who thinks it's anywhere near acceptable to store credit card info in plaintext.
I agree with this in principle, however... (Score:4, Insightful)
What constitutes sufficiently strong security practices? This seems subjective unless there are clear rules published. Obviously we'd agree that the practices in the summary are truly awful, but there are plenty of data breaches that don't seem quite as egregious. Are there going to be standards for applying patches to vulnerable software? What about human error such as tricking someone to giving out data they shouldn't or losing hard drives with data? Unless clear standards are published, this seems like an opportunity for selective enforcement. Also, while I understand it's a different agency, the US government is one of the worst offenders in terms of poor security practices. Who will hold the IRS accountable for their data breach, for example? It's hypocritical for the government to hold businesses accountable when they're an awful offender, too.
Re: (Score:1)
I don't think anyone would consider the "security practices" described in the article summary to be reasonable. That's also a pretty extreme example. I'd like to think that most businesses have better security practices than this. However, security encompasses a wide variety of things including encryption, applying patches for vulnerabilities, controlling who has access to systems and data, passwords, etc... What one person considers reasonable security might not be considered reasonable by others. If you d
Companies need to get in front of this (Score:2)
What constitutes sufficiently strong security practices?
If companies are smart they'll form a trade group and define these themselves. Basically a set of reasonable practices that companies should be expected to follow when handling customer data. Following these practices and having them audited would provide a basis for some amount of safe harbor from government prosecution. If companies do not do this it is highly probable that the government will pass some laws defining such practices at some point and the companies probably won't like them very much.
Are there going to be standards for applying patches to vulnerable software?
Ther
Re: (Score:2)
Here is your publication of what is "secure" - https://www.pcisecuritystandar... [pcisecuritystandards.org]
Re: (Score:2)
Insurance companies and banks already have informal standards for minimal security that they expect their clients to have. If your credit card is used fraudulently online UK banks will ask if you have any anti-virus software installed, how you store passwords and if your OS is up to date. Considering XP is now no longer supported I wouldn't admit to running that.
Insurance companies have similar standards for both computer security and physical security. If you are burgled and didn't put locks on your doors
Re: (Score:2)
What constitutes sufficiently strong security practices?
This is the main question. What if government mandates certain antivirus program on every computer and who cares if you run linux?
Corporations (Score:2)
Of course, it's much harder to punish the people actually responsible for the bad practices if they're part of a corporation. Especially if they plan ahead how to diffuse the responsibility.
Re: (Score:2)
Re:Corporations (Score:5, Insightful)
The trouble is when the CEO says "don't bother with security", and his underlings have to obey or get fired, then the CEO claims he can't be blamed for the actions of his underlings. Of course, the way the CEO says "don't bother with security" is by setting spending and productivity requirements, such that no spending can actually be done on security else you get fired for lack of productivity.
Re: (Score:2)
then the CEO claims he can't be blamed for the actions of his underlings
Anyone who accepts that argument from the CEO is responsible for whatever they get. The CEO's whole job is being responsible for the actions of his underlings. If they do something wrong that he didn't know about, he's responsible for not knowing about it. If they do something wrong and he did know about it, then he's responsible for it. In rare cases he gets a pass when they do something wrong and actively hide it from him, well enough that it's not reasonable to expect that he could have known about it...
Re: (Score:2)
The CEO's whole job is being responsible for the actions of his underlings. If they do something wrong that he didn't know about, he's responsible for not knowing about it.
So, Obama is responsible for Hillary's email server?
Re: (Score:2)
The CEO's whole job is being responsible for the actions of his underlings. If they do something wrong that he didn't know about, he's responsible for not knowing about it.
So, Obama is responsible for Hillary's email server?
I think maybe you didn't read the fourth sentence of my post.
She hid it from him and there's no way he could reasonably have known. He can prove that, and identify the person responsible. So he gets a pass. Mostly.
"Mostly" because he appointed her. That's somewhat unfair, but it comes with the job.
Of course, if it turns out he did know about her private mail server, and that she was using it for government business and didn't order her to stop, then the entire burden of responsibility shifts to him. T
Re: (Score:2)
Apologies...I was not fully caffeinated prior to posting this morning.
The entire point of a corporation (Score:2)
If CEOs are personally responsible for every action taken by a company, say hello to oppressive micro-management.
If CEOs are personally liable for everything a company does you have completely gutted the entire purpose of a corporation which is to insulate the owners and employees from personal liability. There is NO other purpose to a company besides this. It is 100% of the reason corporations exist. Unlimited personal liability makes corporations a completely pointless entity.
No you make the penalties to the company sufficiently draconian and if the CEO didn't do his job to ensure your data was safe then he will
Re: (Score:3)
If CEOs are personally liable for everything a company does you have completely gutted the entire purpose of a corporation which is to insulate the owners and employees from personal liability.
The purpose is to insulate the owners from liability otherwise they would be loathe to invest when their losses could far exceed the potential return. Employees enjoy no such intended insulation. In practice, they have effectively enjoyed protection but that's merely a combination of diffuse responsibility and poor enforcement, not by design.
Re: (Score:2)
Paperwork should never be protection from criminal liability
Re: (Score:3)
It should work the same way professional licensing for civil engineering works: the technical professional involved should hold the legal liability (and be licensed so that it's abundantly clear to everyone that he is the one liable), but the company should be required to have its personal-information-holding servers administered by such a licensed professional so that he has the job security to be able to stand up for himself.
In other words, make it so that all professional server admins can (and will) ref
Re: (Score:2)
Standard of care (Score:3)
There's no practical way to define "bad practices".
That's simply not true. We do that all the time in any number of professions. Trade groups and government agencies all the time establish what constitutes standard of care [wikipedia.org] for a particular industry. It's positively routine. Accountants do it. Financial traders do it. Doctors do it. There is no reason IT security people cannot do it.
Better is to treat data theft the same as any other theft; punish the thief.
So you think that if a bank neglects to lock its vault allowing your money to be stolen that it should bear no liability for their carelessness? I could not disagree more.
Re: (Score:2)
About Time! (Score:1)
Punishments for corporates that get hacked need to be AT LEAST as severe as the punishments for hackers that carry out attacks if sufficient security was not in place. Without this there is little incentive for companies to improve security. Even within corporates if the sec guys who keep banging on about needing to do X to be secure can highlight this as a risk - it's much more likely they'll get listened to.
LOL, yeah right... (Score:1)
How about punishing companies that charge "returned check fees" for a simple declined credit card (which is 100% out of the control of us consumers)? You can't get any more anti-consumer than that. More people need to report this kind of shit to credit companies and have their merchants disconnected.
https://www.google.com/webhp?q... [google.com]
oh, man. Prepare for another round. (Score:3, Interesting)
Passwords must be changed every ninety days, it must have one upper case, one lower case, one numeral, one non-alphanumeric, and no reuse of passwords, no substring can be a word or date found in the dictionary. A bunch of uninformed jury would be impressed, that was all the point. That it would force people to write down the passwords in sticky notes and very cleverly paste it on the underside of the keyboard is not realized by the bozos, or if it did, it did not bother them. More like, "yes!, Exactly! this process would net us enough scapegoats and sacrificial lambs to be thrown under the bus! I approve!!" would be their response if they understood what would really happen.
Not all government agencies are like that. FAA and NTSB have a decent reputation. If they realize pilots are not following procedures or checklist they would try to understand why and try to make the procedures easier to follow. (I think they would perform even better if we remove from FAA's charter "promotion of air travel" and make it exclusively concentrate on safety of air travel. )
Re: (Score:2)
These 300$/hr billing rate guys have never logged into anything
You can be sure they haven't logged into their Madison Ashley account lately!
Re: (Score:2)
And that's IT admins' OWN DAMN FAULT!
The regulations governing civil engineers are sane and good. You know why? Because organizations like the ASCE [wikipedia.org] stepped up to create r
Re: (Score:3, Insightful)
Were you asleep since 2008 or are you mentally deficient? Those are the only two reasons I can think of for your idiocy.
Given the chance, big business behaves like meth freak with rabies. They are not
Re: (Score:2)
Sounds like it might be a good time to get back into the security consulting business.
OTOH, I like my soul.
Re: (Score:3)
That it would force people to write down the passwords in sticky notes and very cleverly paste it on the underside of the keyboard is not realized by the bozos, or if it did, it did not bother them.
People keep trotting this out as if it was some horrible, boogeyman security practice.
Quite frankly, it's probably better than any other security solution. After all, humans have spent thousands of years working on physical locks, while electronic ones (like passwords) have only been around for a few decades. And, physical security is another legitimate layer of security. Sure somebody can break into your work place and grab your passwords. But they'd actually have to be physically there. And the cops are m
consumers can and should sue as well (Score:2)
more corporate cronyism courtesy of the FTC (Score:3)
This sounds good, but it isn't. Companies should be fully legally liable for the damage that their lax cybersecurity causes. It's a failing of our court system and laws that they aren't. FTC enforcement, on the other hand, is going to be ineffective. The FTC is going to give selected companies a slap on the wrist, and it's going to be lenient on big corporate supporters of whatever administration is in power.
Re: (Score:1, Troll)
We shouldn't have to have passwords, lock doors, have security syste
Re: (Score:3)
In the same fashion we shouldn't NEED to have banks with secure vaults, but if you went into a bank and they said "Sorry, someone walked into our vault and took
Re: (Score:2)
You prove again that sufficiently advanced stupidity is indistinguishable from sarcasm.
Re: (Score:2)
I doubt even full legal liability for the damage would help. Look at Ashley Madison, it will be a miracle if they survive now, and their entire business was built around being discrete, and yet they didn't care enough to have solid security. Their management would rather make some short term profits and get paid than spend money on security that might even slow their growth rate. Notice how they see basic security features like being able to delete your data as both something they should profit from and som
Re: (Score:1)
Yes, I'm sure you do. That's because you don't understand how markets work.
So they go out of business. That's a far worse penalty than any fine the FTC could impose. With better legal liability, the founders of Ashley Madison would be paying until they die.
In addition, cu
And what about the government? (Score:2)
unfair/deceptive (Score:2)
Indemnification against sloppy cybersecurity (Score:2)
I remember the good old days... (Score:2)
when people just read the Rainbow Series.
Fundamentals, people, study the fundamentals.
Prison time for the CxO folks would work. (Score:1)
make it LAW that they have to pay for full ride credit monitoring for a year minimum and the CEO CFO and the CIO all spend at least 90 days in a non club fed prison (per say 10K victims) and maybe we will be talking something.
oh and btw list the company on a central website with number of victims and how lame the breach was.
Firewalls and cyber security .. (Score:2)
Since the invention of RPC and services that can open any ole port, the firewall is next to useless. Before y'll come back with 'you don't know what you're talking about'. How about impressing us all with your immense intellect and sharing with us the knowledge of how to secure 'computers' connec
Will they punish a Secretary of State who... (Score:3)
Will they punish a Secretary of State who had Top Secret info on a private email server that was running out of a bathroom? That's right, laws are only for the little guy and those "evil" corporations.
Re: (Score:2)
Since that hasn't happened yet, it's a moot point.
RSS abbreviation (Score:2)
Court: FTC Can Punish Companies With Sloppy Cybersecurity
Or, as my RSS feed put it:
Court: FTC Can Punish Companies With Sloppy Cyberse...
Uh huh (Score:2)
Perhaps (Score:2)
we could put all SPI ( Sensitive Personal Information ) customer data under the same umbrella that HIPPA covers.
Yes it would be expensive, but if you're going to collect and store private customer data, you damn well better protect it.