Court Rules The Government Can Punish Cyber-attack Victims


On Monday, in a 3-0 decision, the United States Court of Appeals for the Third Circuit ruled that the Federal Trade Commission has the authority to sue companies for allowing hackers to steal customer data from their computer systems. The court's ruling sends the FEDERAL TRADE COMMISSION v. WYNDHAM WORLDWIDE CORPORATION case back to the lower court.

In 2008 and 2009, hackers absconded with the personal data of over 600,000 Wyndham Hotel customers, which resulted in more than $10 million in losses.

The court determined that Wyndham's lack of adequate security is, in fact, a form of engaging in “unfair or deceptive acts or practices in or affecting commerce” – the very thing the FTC is designed to prevent.

The Opinion of the Court says “In 2005 the Federal Trade Commission began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. The vast majority of these cases have ended in settlement… A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

The question on the minds of many cybersecurity professionals is whether this ruling is just adding insult to injury or whether it will be the incentive needed to promote adherence to cybersecurity best practices.

Now, on top of direct financial losses and loss of reputation, companies can incur the wrath and punishment of the FTC for falling victim to cyber criminals.

Consumer advocates believe this to be a victory for consumers, an indication that they expect the threat of FTC punishment to motivate better cybersecurity practices.

Wyndham accused the FTC of overreaching.  “We believe the facts will show the FTC’s allegations are unfounded,” reads a statement from Wyndham spokesperson Michael Valentino. “Safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyber-attacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries.”

What do you think?  We welcome your comments and opinions on our Facebook page.


Posted by Brilliance Security Magazine on Monday, August 24, 2015