Can The FTC Sue You For Lax CyberSecurity ?

by

A couple years ago after some famous website hack, I was sitting in a Chipolte and said to a friend that somewhere down the road companies are going to get sued big time for getting hacked if they were lax in their security. My friend told me I was an absolute moron. His take was that a company did not ask to be hacked and would have no way of knowing if they would be hacked.

So today I was reading an article on AboveTheLaw.com, the headline “Can The FTC Sue You For Lax CyberSecurity? (Spoilers: Yes)” took be back to that conversation and I immediately texted my friend the link. To which he texted back “F U”

Keith Lee is the author of the article and he pointed out how law firms have very lax security in a lot of cases. He went on to get to the gist of the headline. He looked at the case between the FTC and Wyndham Hotel Group.

In my opinion these will be very frequent in the future and the buying and selling of cyber insurance is going to become a very big business.

From the article:

In FTC v. Wyndham, No. 14-3514 (3d Cir. 2015), the FTC had received numerous complaints from consumers about identity theft that was originating from the Wyndham Hotel Group. C’mon, they’re a huge hotel group, they’ve got to have at least pretty decent security, right? Here are some of the more egregious allegations from the FTC’s complaint:

  • The company allowed Wyndham-branded hotels to store payment card information in clear readable text.

  • …to gain “remote access to at least one hotel’s system,” which was developed by Micros Systems, Inc., the user ID and password were both “micros.”

  • Wyndham failed to use “readily available security measures”—such as firewalls…

  • …it knowingly allowed at least one hotel to connect to the Wyndham network with an out-of-date operating system that had not received a security update in over three years.

  • It allowed hotel servers to connect to Wyndham’s network even though “default user IDs and passwords were enabled . . . , which were easily available to hackers through simple Internet searches.”

Read the full article on AboveTheLaw.com

Comments

  2. Pamela Turns says

    Cybersecurity cannot be something that is not given any attention to low priority status. It has to be an integral part of a small business. Given the numerous threats to IT infrastructures, and how much sensitive client data that law firms retain, still cybersecurity should be a high priority for small firms.