The U.S. Federal Trade Commission (FTC) recently scored a “win” in its quest to make companies more accountable for cyber security. According to a WSJ article, a federal judge supported the FTC in its lawsuit against Wyndham Worldwide Corporation (and three of its subsidiaries) for failing to make reasonable efforts to protect consumer information.
The FTC Act of 1914 gave the FTC broad powers to protect consumers from companies that engage in unfair or deceptive trade practices. It has also allowed the FTC to bring a series of enforcement actions targeting companies' cyber security efforts. Though the judge’s recent Wyndham ruling has not authorized the FTC to "sustain a lawsuit against every business that has been hacked," it could have broad ramifications for the liability of companies whose security systems are breached. Think Target, Neiman Marcus, and others.
As a consumer, I expect the FTC to protect me and my personal data all the time, and so I am 100% in favor of the FTC’s efforts to hold companies, starting with Wyndham, more accountable for network security. The FTC lawsuit alleged that Wyndham:
1) Allowed employees to use easy-to-guess passwords
My take: According to Verizon’s 2013 Data Breach Investigations Report, 76% of network intrusions exploited weak or stolen credentials. At the very least, Wyndham could have easily required users to choose hard-to-guess passwords.
2) Left its systems connected to the Internet without a firewall
My take: Any business with Internet-connected systems should use a network firewall. A network without a perimeter firewall to regulate traffic is analogous to leaving your front door open or unlocked. Scared? I would be.
3) Failed to inventory its systems regularly and, in some cases, was unaware of the physical location of its servers
My take: Taking a regular inventory of systems, including application servers and databases, is essential for checking that services are running properly and that nothing unusual is taking place. Also, knowing where servers are physically located can be especially important when you need to investigate a potential data breach, react to another emergency, perform maintenance, or migrate servers to another location.
4) Stored credit card information on its servers in unencrypted plain text, essentially leaving it wide open for theft
My take: The PCI Data Security Standard specifically requires that stored card data be encrypted or made unreadable. By leaving credit card information (magnetic stripe data) on servers in unencrypted plain text, Wyndham was highly vulnerable and, unsurprisingly, became a victim of multiple data breaches as of 2009.
5) Was responsible for the compromise of more than 600,000 customer accounts
My take: If Wyndham had better security controls and a knowledgeable IT security staff and had followed diligent processes, including properly adhering to the PCI DSS compliance requirements, it could have saved numerous customer records and might not have had the FTC “on its case.”
My suggestion: Think ahead. Be proactive. Consider Juniper’s intrusion deception approach. And protect your network and customer data from intrusions by tricking your adversaries before they can do harm and before you get stuck (like Wyndham) battling a lawsuit.