Blog – MFT Nation

Bad Data Security Practices Can Lead to FTC Punishment


Federal Appeals Court Says FTC has Authority to Regulate Data Security Practices

MFT Nation has written before about the FTC vs. Wyndham Worldwide Corp. case.  The FTC sued Wyndham after three separate hacking incidents led to more than $10 million in fraud losses for customers.  Wyndham allegedly did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.

In our previous posts we did not address a corollary issue raised by the FTC vs. Wyndham case–whether companies that fail to provide customers with reasonable data security protections can be punished by federal regulators.  Earlier this week, a federal appeals court confirmed that the FTC can punish companies for unreasonable data security practices.  The appeals court ruling is interesting on several levels, but for purposes of this post, I want to share some of the humorous and biting ways the court dealt with some of Wyndham’s arguments.

Reductio Ad Absurdum Invites a Tart Retort

For example, Wyndham asserted that a business shouldn’t be held liable if “the business itself is victimized by criminals.”  Basically, Wyndham tried to deflect attention from its alleged wrongdoing by pointing the finger at another wrongdoer, the hackers.  Wyndham suggested that if it can be held liable in such circumstances, then the FTC could conceivably sue supermarkets that are “sloppy about sweeping up banana peels.”  I kid you not; Wyndham actually proffered this argument.

The appeals court had fun with it, though, describing the argument as reductio ad absurdum.  For non-lawyers and those who don’t speak Latin, the court is telling Wyndham that its argument is absurd.  And the court used the banana peel analogy to explain the absurdity of Wyndham’s argument:  “It invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”  Generally speaking, you’re not doing well when the court feels your argument “invites a tart retort.”

In Some Instances, the Third Time Isn’t a Charm

Wyndham also argued that it was not given adequate notice of “what specific cybersecurity practices are necessary to avoid liability.” To this argument, the court quickly offered another tart retort: “We have little trouble rejecting this claim.” The court explained:

As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files, and did not require some users to change their default or factory-setting passwords at all.

In other words, Wyndham’s practices would fail under any cybersecurity standard imposed by the FTC.  And the court went on to say that Wyndham’s case was made “even weaker given it was hacked not one or two, but three times.  At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed.”

Beaten but Not Broken

What did Wyndham say about the ruling?  It remained defiant, saying that ultimately “the facts will show the FTC’s allegations are unfounded.”  But in a more conciliatory tone, Wyndham did acknowledge that “safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries.”

Stay tuned to MFT Nation for further developments in the FTC vs. Wyndham case, as well as others affecting the world of data security.


Data Security: Keep Data Secure Even After Discarding The Hardware

You may know that some people, referred to euphemistically as “dumpster divers,” search through garbage for items they find useful/valuable.  But did you know that some dumpster divers are much more sophisticated and focused on harvesting data stored on discarded hard drives, full workstations, old mainframe tapes, and now cell phones?  With everyone seemingly worried about hackers on the wild internet, we forget about this other security risk.  And it is real.  These sophisticated dumpster divers can recover data from such discarded items.


Update #5: To Copyright APIs, or Not to Copyright, That is the Question

In a previous post about the long running Oracle vs. Google case, we noted that “Oracle has a federal appeals court precedent on its side, which it can use as a sword against all other Java API users who Oracle believes may be violating its copyrights.  So, unless and until another court decides otherwise, the IT community should be aware that Oracle may be on the hunt for violators.”


bTrade Recognized as a “Leader” in MFT Field

I’m pleased to report that bTrade has been acknowledged by Info-Tech Research Group as an “experienced and recognized leader in the MFT industry.”  The acknowledgement follows a period of evaluation by Info-Tech of bTrade and its MFT products, and is memorialized in a vendor landscape report appropriately titled, “Select and Implement a Managed File Transfer Solution.”


Update #4: To Copyright APIs, or Not to Copyright, That is the Question

The United States Supreme Court (aka, the “Supremes”) left today for summer vacation, and on the way out the door they posted a list of cases they will hear in the fall term.  We thought MFT Nation readers would want to know that the Oracle v. Google case was not on the list.  So what does this development mean?

Travelers Survey: Cybersecurity Ranks as the Second Greatest Concern for All Businesses

I want to offer a short follow-up to a previous MFT Nation post about the results of Aon’s Risk Solutions survey in which its business clients ranked cybersecurity as a Top 10 concern, for the first time ever.


Is Your Home Office Ready For Disaster?

Summer has not made its official start yet, but we have already seen some fairly unusual and extreme weather.  Whether you are a full-time home-office worker, working from home temporarily over the summer, or planning a “working vacation” (and if you are, shame on you!), there are precautions to be taken to protect your sensitive data and ensure that you have as consistent a connection as possible.

Update: Beware of Data Security Vendors That Try to be All Things to All People

We wanted to follow up with MFT Nation readers to let them know that our recent blog entitled “Beware of Data Security Vendors That Try to be All Things to All People” was recently featured in an article by the publication

