If you have poor infosecurity practices and you know it, the FTC now (as of 8/25/2015) has the power to sue you.
Wyndham Wordwide, whom have licensed their brand name through 90 independently owned hotels, has been hacked and had their data breached three separate times, back in 2008 and 2009.
Each Wyndham branded hotel has a property management system that processes customer information (including payment card).
The charges against Wyndham (or independently owned hotels under Wyndham) are:
- Storing payment card data in plaintext
- Easily guessed passwords where the password matched the username
- Not using firewalls where appropriate
- Knowingly allowed an independently owned hotel to connect to the corporate network using an operating system that hasn’t had patches available for it in the last three years
- Didn’t change default user IDs and passwords
- Didn’t adequately restrict third-part vendors to it’s network
- Did not self audit
- Did not have incident response procedures
- Failed to monitor for malware used in previously successful hacking attacks
The US Court of Appeals for the Third Circuit has made the decision to reaffirm the FTC’s authority to hold companies accountable for failing to safeguard consumer data.
Know that the U.S. Government in the form of the FTC, can and most likely will jump in and add even more cost to an expensive data breach.
It’s highly recommended for business executives and business attorneys read the FTC report.FTC report