Can the Government Fine Your Company for Lax Security?

A few years back I wrote a blog called “Buckle up with Cybersecurity … It’s the Law” in which I discussed how state laws regarding data breach notification were popping up all over. But I also noted that the SEC had just published disclosure obligations relating to cybersecurity risks and incidents. The thought process with the SEC was that if millions of dollars of intellectual property were being stolen due to a data breach, it would be material to report in regulatory filings — and failure to do so could result in fines.

I wrote at the time that while the disclosure guidance does help investors know more regarding material events and significant risks vis a vis cybersecurity incidents (that companies may in the past have kept silent on), this does put company officers in a bind. First they will have to make a judgment call on the materiality and future impact of a breach and whether to disclose in regulatory filings. Of course in not disclosing, they run the risk of being sued by shareholders if it was later deemed they did not reveal (or reveal enough) about a cyberincident that later caused a material loss. Second, if a company reveals too much about an attack, it may tip the hand of future attackers in terms of what to go after and how to go after it.

But up until now the government could, in theory, only fine you if you did not report a breach, not simply because you’d been breached. Well, that seems to be changing with a recent court ruling that says another government body, the FTC, can punish firms for lax security when it comes to protecting their customers’ data.

As The Security Ledger reported:

“The decision by the U.S. Court of Appeals for the Third Circuit found that the FTC was within its rights to sue the hotel operator Wyndham Worldwide after three data breaches at the chain in 2008 and 2009 resulted in fraudulent charges to Wyndham customers totaling some $10.6 million. The Commission acted within its statutory authority in fining the company for poor cybersecurity practices…

The FTC had alleged in a 2012 case that Wyndham had engaged in ‘unfair cybersecurity practices’ that ‘unreasonably and unnecessarily exposed consumers personal data to unauthorized access and theft.’ Among the failings: Wyndham had stored customers’ payment card data in clear text and regularly allowed the use of easily guessed passwords for accessing property management system. The company also maintained a flat network, with few impediments to moving between the Internet, Wyndham’s corporate network and property management systems for its various hotels and time share apartments.”

In fact, not only can a firm get fined, but per Network World quoting an expert, the FTC could “tie them up with consent decrees that force them to submit to third-party security assessments every two years for 20 years.”

One thing that struck me about the Wyndham case was that one of the main examples of lax security was the use of easily guessed passwords. As I wrote about in a recent blog, it turns out that according to the Verizon 2015 Data Breach Investigations Report, nearly half of data breaches are a result of compromised credentials. Mandiant in fact goes a step further and has historically said that 100% of breaches involved compromised credentials, which no doubt includes “easily guessed passwords.”

Passwords, especially those associated with privileged accounts, continue to be the bane of our security existence. I just read about another attack in which 10 million customer records were stolen. The culprit? “Attackers gained administrative privileges to the IT systems.” Which is exactly the same thing that happened at the OPM, at JP Morgan and in a myriad of other recent high-profile breaches.

Hopefully the threat of being hacked is enough of a wake-up call for enterprises to do a better job of securing user credentials (e.g. layering on multi-factor authentication, leveraging identity protocols such as SAML, etc.), but maybe the threat of government fines and consent decrees will further motivate enterprises to tackle the job of better securing the identities of both end and privileged users.
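The Wyndham complaint singled out “easily guessed passwords” as an unfair practice, and the credential statistics above show why. The following is an added example, not code from the original post or from any of the organizations mentioned, of a minimal screening routine a defender could run at password-set time: it rejects short passwords, entries from a common-password blocklist (after folding common letter-for-symbol substitutions and trailing digits), passwords containing the username, single repeated characters, and sequential runs. The blocklist here is a constructed handful of entries; a real deployment would load a large breached-password corpus and pair the check with multi-factor authentication.

```python
"""Weak-password screening (added example, not from the original post).

Rejects passwords that fall into the 'easily guessed' categories cited in
the FTC v. Wyndham decision. Defensive use only: run at password-set time.
"""
import re
import unicodedata

# Constructed sample blocklist. Real deployments load a large breached-password corpus.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "hotel",
    "password1", "p@ssw0rd", "summer2015", "changeme",
}

# Common letter-for-symbol substitutions that do not add real guessing difficulty.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/symbols, then fold leet substitutions.

    'P@ssw0rd1' -> 'password', so it matches the blocklist entry.
    """
    p = unicodedata.normalize("NFKC", password).lower()
    p = re.sub(r"[\d\W_]+$", "", p)  # strip a trailing '1', '!', '2015' etc.
    return p.translate(LEET_MAP)


def is_sequential(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive characters stepping by +1 or -1
    (e.g. 'abcd', '1234', 'dcba')."""
    for i in range(len(s) - run + 1):
        seg = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(seg, seg[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(password: str, username: str = "", min_length: int = 12) -> list[str]:
    """Return the reasons a password is easily guessed; an empty list means acceptable."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if normalize(password) in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if username and len(username) >= 3 and username.lower() in password.lower():
        reasons.append("contains the username")
    if re.fullmatch(r"(.)\1+", password):
        reasons.append("single repeated character")
    if is_sequential(password.lower()):
        reasons.append("contains a sequential run (e.g. abcd, 1234)")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs; username 'jdoe' is hypothetical.
    for pw in ["P@ssw0rd1", "jdoe2019", "Winter2015!!abcd", "aaaaaaaaaaaa",
               "correct horse battery staple"]:
        verdict = check_password(pw, username="jdoe")
        print(f"{pw!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The ordering inside `normalize` matters: trailing digits are stripped before the leet fold so that `P@ssw0rd1` collapses to `password` rather than `passwordl`. Screening like this is a floor, not a ceiling; it stops the specific failing the court cited but does nothing against a credential that is phished or reused, which is why the post pairs it with multi-factor authentication.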