Courts Uphold FTC Regulation and Punishment of a Negligent Company

Threatpost has the story:  https://threatpost.com/court-rules-ftc-has-authority-to-punish-wyndham-over-breaches/114390

From the court's opinion

http://www2.ca3.uscourts.gov/opinarch/143514p.pdf

here are some interesting snippets:

Let’s list the cybersecurity problems that Wyndham had:

  1. Stored credit card data (a violation of the PCI standard)
  2. Passwords were simple (example: “micros” as the default password on a Micros computer)
  3. Did not use firewalls between their corporate network, property management system, and the Internet
  4. Cybersecurity was inadequate on the property management systems (hotels)
  5. Third-party vendors' access to resources was not properly restricted
  6. Did not implement detection of unauthorized access
  7. Insufficient incident response procedures

This is a thorough list of what NOT to do to prevent cyber attacks.

Admittedly, even if you do all you can you might still get hacked, but if you do not, you will get hacked.

And now you will also get punished by government agencies. Who would have thought that the FTC would regulate and punish in a roundabout way the hotel company Wyndham?

How is the FTC able to make a claim? Because the FTC regulates privacy, and Wyndham was negligent relative to its own claim that it protected privacy.

{ The FTC said that Wyndham engaged in unfair and deceptive practices by claiming that it used “industry standard practices” to secure customer data, though the attackers were able to steal unencrypted data belonging to tens of thousands of customers. }

Be careful what you claim in advertising if you cannot back it up with a proper cybersecurity plan and policy.

And now, because Wyndham sued the FTC arguing that it should not be able to regulate them, the FTC is now SANCTIONED to regulate everyone who advertises a claim of “privacy security”.
(Thanks Wyndham)

So if you claim on your website that you protect my personal information and then you do not protect it “properly”, the FTC will find ways to punish you.

So … I wonder how the FTC will determine what a “proper defense” is? If you understand anything about regulatory bodies, you know that this is a moving target, and as more cyber attacks happen, more will be expected of you.

Of course I would be remiss not to mention that we help companies with compliance.