IT security... part of business compliance?

A recent ruling by a US federal appeals court means the Federal Trade Commission can prosecute firms for failing to protect company records through poor IT security.

NEW YORK - 5. Oktober 2015.

The FTC's ability to now sue companies with 'poor information security' could mean profound changes within due diligence processes, either when investors are looking to buy shares in a company or whether another company is looking to merge or take over it.

The case was heard by the Court of Appeals for the Third Circuit as part of an ongoing lawsuit between the FTC and US hotel management company, Wyndham Worldwide Corporation.

Wyndham lost the credit information of over 619,000 customers during three network breaches between 2008 and 2009, resulting in $10.6m of fraudulent payment card use by hackers.

Prosecutors alleged the second breach occurred when hackers re-used malware they had installed during the first breach, while Wyndham was advertising it was using 'industry standard practice' to safeguard customer information.

When the FTC began suing Wyndham in 2012 for failing to protect its sensitive financial information, the hotel group argued that it was itself the victim of theft and therefore should not be penalised.

The court noted that the FTC could pursue cyber security cases under 15 U.S.C. Sec.45; a 1914 law providing the commission with the power to prohibit unfair acts or practices affecting commerce.

While the FTC was under no obligation to list specific security practices Wyndham failed in to bring a case against it, they chose to outline their grievances with Wyndham's security procedures, regardless.

These included: allowing partner hotels to store credit card information in plain text, allowing guessable passwords within property management software, failing to employ firewalls within its corporate network and not stopping third-party vendors from accessing its networks.

The US government has never mandated an IT security level necessary for companies to reach when holding customer data.

Analysts suggest that massive hacks in recent times at physical stores such as Target and Home Depot, not to mentioned highly-publicised online ones like Ashley Madison, have left information security in an anything goes state, within the US.

As such, the FTC has been challenged - under the Obama administration - to require US firms to abide by new principles governing data-collection, and to give consumers more control over personal information.

The FTC said the decision reaffirmed its authority to hold businesses accountable for failing to 'take reasonable steps to secure sensitive consumer information'.


Further Information

Shopping Basket

There are no articles in the shopping basket