Judge enhances FTC's power to sue over security breaches

Summary: The broadening of the FTC's powers to include cybersecurity and lawsuits over security breaches extends the government's ability to destroy businesses.

TOPICS: Security, Privacy

This week, a New Jersey federal court affirmed the Federal Trade Commission’s (FTC's) assertion that it can sue companies as a result of data breaches. The District Court of New Jersey ruled that the FTC can hold companies liable that fail to implement sufficient security practices. Wyndham Worldwide Corporation had challenged an FTC lawsuit related to a data breach that exposed hundreds of thousands of credit and debit cards, leading to more than $10.6 million in fraud losses. The New Jersey court rejected Wyndham’s challenge and maintained the FTC’s authority to hold companies accountable for data breaches.

The FTC has broad powers dating back to its inception in 1914 under the Federal Trade Commission Act, powers that originally protected consumers from fraud and unfair business practices. The Act also stipulates that consumers can receive monetary redress for damages.

Under this Act, the Commission is empowered, among other things, to (a) prevent unfair methods of competition, and unfair or deceptive acts or practices in or affecting commerce; (b) seek monetary redress and other relief for conduct injurious to consumers; (c) prescribe trade regulation rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices; (d) conduct investigations relating to the organization, business, practices, and management of entities engaged in commerce; and (e) make reports and legislative recommendations to Congress.

The judge in the case, U.S. District Judge Esther Salas, effectively broadened the already far-reaching powers of the FTC to cover cybersecurity measures. The FTC alleges that Wyndham had improperly configured software, weak passwords, and unsecured servers, and that these problems left customer information vulnerable to cyber attack.

The implications here are as far-reaching as Judge Salas' ruling. She obviously only ruled concerning the FTC's ability to bring legal action against a company and didn't examine the full gravity of what she's done here. The problem is that broadening these powers to cover cybersecurity negligence is dangerous territory for several reasons.

First, which security experts will the FTC engage or hire to make the determination that a company was negligent in its protection of consumer information?

Second, would the purpose of such legal actions serve to call attention to cyber attacks and mitigate the problems or simply to seek monetary damages and legal fees?

Third, who ultimately is to blame for cyberattacks and breaches? This type of power asserts that a breach is the company's fault and puts no blame on the attacker.

Fourth, this new power may bankrupt many companies either because of legal defense or security measures to prevent such actions.

Fifth, where does the blame go for breaches from bugs like Heartbleed? A company could have armed guards and ultra security measures in place, including staying up to date with the latest OpenSSL packages, and still be vulnerable to compromise because of this bug. Will the FTC go after everyone who falls prey to such attacks?

Finally, are security consultants also liable for damages if they don't find a vulnerability?

A transfer of such sweeping power to any government authority needs to be throttled because abuses of such power, which are far more damaging than stolen passwords and credit card numbers, are going to be costly. The threat of a cyber attack is bad enough but now companies have to fear that their expensive efforts will be seen as "inadequate" or as "negligent". This action will no doubt have a negative effect on innovation, hiring, business expansion, and ultimately the economy itself.

I believe in protecting consumers. I am a consumer. But I'm also a reasonable (somewhat) person who wants to give companies the benefit of the doubt before shaving their profits with frivolous and damaging lawsuits. I think that before a company is led to slaughter for security negligence, there should be some sort of independent, third-party assessment of the damage and of the company's efforts to secure its customer data.

I hope that another judge, or The Supreme Court, will take another look at this situation and decide that it gives too much power to the FTC. It's unfortunate that those who are in power tend to misuse and abuse their power without thinking of the consequences of that misuse.

With great power comes great responsibility. 

What do you think of the FTC's new and confirmed powers? Is it a bad or a good move for businesses? Talk back and let me know.



Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.



  • Law of Unintended Consequences


    Agree. This is in no way well thought out and will hopefully be severely throttled if not completely overturned by higher courts. This also opens up financial liability for software vendors, 3rd party solution providers, web / cloud service providers, ISPs, firewall manufacturers, and others. Would it matter if the compromise is the result of a cyber program sponsored by a foreign government or by the NSA?

    For legitimate businesses the market should be more than sufficient. Example: Target. Look at the costs they incurred to address last year's breach, resulting in very significant hard dollar costs, brand damage, payments to major card issuers, customer loyalty impact and material customer declines, sr-level mgmt careers impacted, increased cyber insurance, etc. There are very few companies that didn't immediately do a deep dive review on their own internal / external security procedures and protocols. And I'm sure there will be a number of private party lawsuits along with a class action or two. No need for the FTC to pile on or open up another avenue for additional legal extortion.

    No free lunch folks. Expand liability (risk) for a business and you get higher costs and fewer services / providers.
  • I'm not convinced the FTC needs to be involved here

    Private lawsuits are probably good enough to deter negligence.
    John L. Ries
    • Private lawsuits may not work...

      Class action suits maybe.

      The problem with private lawsuits is that they are subject to out-of-court settlements with NDAs. That doesn't cause the company to change its behavior.

      FTC lawsuits are to change the company behavior, at least partly by the publicity (tarnishing the company reputation), and partly by penalties.
      • The FTC can also settle out of court...

        ...and usually does, allowing defendants some plausible deniability (frankly, I don't think federal agencies should be allowed to settle without some admission of responsibility on the part of the defendant; unless their lawyers think the evidence dictates that the case be dropped outright). But the FTC also gets to write regs that it uses its power to sue to enforce. Do we need federally mandated standards for encryption, enforceable by lawsuit? I don't think that case has been made.
        John L. Ries
  • It isn't that drastic an expansion...

    The FTC has always been a determination of negligence or malpractice of a company.

    The key is "determination that a company was negligent in its protection".

    The Heartbleed problem is not a failure of the company being investigated. That company is not at fault as it WAS following best practice.

    Now if the company has taken no action over the problem and has a breach... That is different - the company is NOT following best practice, and thus is "negligent", and open to FTC action.
    • Who decides Best Practice??

      Jesse -

      Who is this enlightened governmental entity you'd have establish, define, update, communicate, and legislate this Cyber Security Best Practice policy for all commercial entities to implement? No hand waving - must be someone you would happily delegate these duties to in our government. And who (other than non-technical lawyers, judges, and bureaucrats) will determine compliance?

      Does the FTC currently define and audit for physical security best practices at companies? Sufficient physical security to keep thieves from file cabinets, safes, inventory, and other valuables? Define standard door bolt configurations, security camera sweep patterns, intruder alarms, standard safe combination best practice, etc? Greatest potential risk for many is employees so do they define mandated background checks and oversight?

      In the end - who has the most to lose if the company doesn't provide sufficient security? I'd think company management, shareholders, their insurance providers would be at the front of that line. As I said above - how much would it be worth to Target's executives, shareholders, insurance providers to be able to go back and plug their security vulnerability before it was exploited? Do you really think an additional fine from the FTC would change their behavior ex post facto?

      We recently updated our cyber security insurance so we could do business with new partners. We had to update and document a bunch of our practices and policies or we would have been denied coverage. And without certain updated technology being implemented our coverage would have cost more money and may have cost us the ability to compete on these particular RFPs. We made a rational business decision without the benefit of the FTC's oversight.
      • Who decides Best Practice?

        "Does the FTC currently define and audit for physical security.."

        Yes. Negligence of banks to provide proper physical security could have the bank company hauled into court - especially if it is rampant across the company. As long as the physical security meets best practices, then there shouldn't be a problem.

        "Do you really think an additional fine from the FTC would change their behavior ex post facto?"

        If the behavior was rampant throughout the company, it could easily put the company out of business.

        "We had to update and document a bunch of our practices and policies or we would have been denied coverage."

        Suppose the "bunch of our practices and policies" was just a sham? Just done to satisfy paperwork tick marks as having been completed.

        All the paperwork in the world doesn't mean that anything has actually changed. If it has, fine, well and good. You likely won't get sued by the FTC... Even if you get investigated.

        If it was a sham, and the FTC does a detailed investigation, then they will find out... And your company should get hauled into court. Usually this is called fraud.

        Now for the question of "who is this enlightened governmental entity you'd have establish, define, update, communicate..."

        There already IS such a government agency. Has been since 1901, currently called the National Institute of Standards and Technology. Specifically the Computer Security Division.

        The FTC can also call on expertise from the FBI - as negligence may even be a criminal offense.
        • I think the degree of public risk is the issue

          If a bank's network is breached, the consequences to the general public tend to be much more severe than if a small retail establishment's online ordering service is; and you might drive the latter out of business, or cause it to curtail services if you make the cost of compliance too great (the bank will just raise its fees).

          And federal regs tend to be expensive to comply with; shouldn't be, but are.
          John L. Ries
          • That's not to say...

            ...that regulators shouldn't be leaning on the bank to make sure its networks are secure. There's a lot of other people's money at stake.
            John L. Ries
        • Some good points

          Jesse -

          First, thanks for the well thought out reply.

          Perhaps I should have been a bit clearer on the point I was trying to make on "a bunch of policies and procedures" to obtain insurance. I wasn't complaining - quite the opposite. We were freely entering into an arrangement in which a 3rd party was indemnifying certain elements of our business against risk. In that case it is perfectly logical for the insurer to mandate that certain 'policies and procedures' be implemented before providing coverage. Take it or leave it. And if we fraudulently claim to have implemented these policies we're in breach and coverage is null and void per standard contract law. And if we're no longer insured our partners will likely kick us to the curb. The FTC has no business being involved.

          In the case of banks the FTC isn't the party regulating them. On the federal level it's the FDIC, Central Bank (Federal Reserve), Comptroller of Currency, along with a number of congressional legislative regulations and state banking charter laws. I'd suggest banks are a special case as they are called out as quasi-commercial entities that needed federal oversight in the US Constitution. In particular and since the 30's - as long as taxpayers are on the hook for insuring deposits then like any prudent insurer the insured must meet certain standards such as accounting procedures, reserves, reports, and security.

          As for repeated security breaches let me know if you really think another significant breach of the same magnitude at Target wouldn't materially impact / threaten the very existence of their business.

          As for fraud - more than enough current options for real and perceived injured parties to seek financial and injunctive relief. And lack of security would be negligence, not fraud.

          Expanding federal powers without limit always results in unintended consequences. Just my view on the topic.
  • A potential trap

    Eventually the FTC will need to outline what they consider to be the minimum acceptable standards. Once this happens, companies are legally off the hook if they meet these standards even if the standards are woefully out of date.

    Part of the Titanic tragedy was that the British Board of Trade lifeboat regulations were woefully out of date for a vessel the size of the Titanic. To make matters worse, the Titanic exceeded the lifeboat requirements and could, with minor alterations, have carried even more. Both her sisters did in fact carry more lifeboats after her sinking. The regulators failed to keep up with the industry they were regulating, and if the FTC publishes minimal standards they will eventually be woefully obsolete in a few years.