FTC can now sue companies that fail to protect user data

Aug 25, 2015 07:59 GMT

A panel of judges for the Third U.S. Circuit Court of Appeals has unanimously ruled that the FTC (Federal Trade Commission) has the legal right to sue companies that fail to protect their customers' data with proper cyber-security measures.

The ruling came after the FTC filed a legal complaint and followed with a lawsuit against Wyndham Hotels for failing to protect customer details.

The ruling gives the FTC new powers (legally)

While the FTC is traditionally viewed as the government body responsible for consumer protection, in recent years it has slowly begun to take up arms against companies that blatantly ignore cyber-security measures.

The agency has filed complaints against multiple companies, regularly ending in various forms of settlements.

Wyndham Hotels is the first one that refused to acknowledge the FTC's power over this issue and responded with a lawsuit, which came to a close yesterday through the Appeals Court's ruling.

This decision is a legal confirmation of the FTC's power over cyber-security problems, and not the "government overreach" that Wyndham representatives have claimed.

Looking at the case's details, the decision was quite predictable, mainly because Wyndham holdings were hacked three times in two years, with the company failing to put security measures in place after each incident.

Wyndham Hotels was hacked three times in two years

The first incident took place in April 2008, when hackers gained access to the internal network of Wyndham Hotels through one of its Phoenix, Arizona branches.

This resulted in "the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia."

This was followed by a second security incident in March 2009, which consisted of a similar kind of attack and allowed hackers to access details "for more than 50,000 consumer payment card accounts and use that information to make fraudulent charges using consumers’ accounts."

The third data breach took place later in 2009, using the same method of deploying memory-scraping malware used in the first two attacks. This one allowed attackers to gain access to 69,000 consumer payment card accounts, and yet again make fraudulent purchases with these details, which were stored in clear text, as in the previous two cases.

You can see why the Appeals Court judges ruled unanimously, and why they deemed the FTC a necessary "government overreach."

Sometimes, the laziness and stolidity of these kinds of corporations require the presence of a man holding a whip next to them.
