So after....
... recent similar issues at the Office of Personnel Management, are the FTC going to prosecute the Federal Government?
Or doesn't that count because the Government doesn't engage in trade? (Big Evil Grin)
The Third Circuit US Court of Appeals in Philadelphia has ruled that the Federal Trade Commission does have the right to prosecute firms who mishandle their customers' data. Between 2008 and 2009, hotel chain Wyndham Worldwide – which runs hotels under the Days Inn, Howard Johnson, Ramada, Super 8, and Travelodge brands – …
I'm sure they'll bring in expert witnesses to argue that point, but really it doesn't require too much technical understanding. The fact that they were hacked at least twice using the same method is enough information to say they didn't take reasonable precautions. If your customers get robbed because you left a certain door unlocked, it's reasonable to lock that door so it won't happen again, isn't it?
I'm not saying "get hacked twice and it's automatically your fault", but when you allow exactly the same thing to happen again, yeah I'd say that's unreasonable.
In court, one set of experts will argue that it was the same way each time, the others different and it still comes down to which set the jury believes assuming they even agree with each other. It should be obvious, and to us it usually is. From the cases I've seen centered around IT, it usually isn't.
@Jack of Shadows
Sure - Wyndham's lawyers will bring in well-paid technical experts to argue that everything is, and was, reasonably protected and 'standard industry practices' were followed.
But even without delving too deep into the technical details that will be argued, there are simple non-technical facts that are incriminating enough.
Take the claims that the hotel "didn't inform its hotel network about the attacks" and "didn't check what operating systems its subsidiaries were using". Those are either facts or not. If those assertions are true then that, clearly, is negligence. You don't need a technical expert to dissect that: a security breach had occurred and the head office did not inform the branches.
Take that outside the realm of IT and it's straightforward.
Does the average person really think it is an unreasonable imposition on a hotel chain to require them to inform their branches that there has been a security breach and that they may be vulnerable as well?
"And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability."
Nicely said, Third Circuit Court of Appeals...couldn't have said it better myself. And it seems to show a growing jurisprudential distaste for lawyer bullshit.
I agree that that is a fine retort, but it rather misses the point that a supermarket that was found to have left its floors in a condition that resulted in someone slipping over would indeed be sued.
Sure, in that instance they wouldn't be sued by the government, but in this instance the FTC is acting as advocate for the victims, in a similar way to police prosecuting cases.