Government Security Lawsuit

By Henry Bagdasarian

As companies fail to protect their systems, government security lawsuits will increase, potentially in proportion to data breach incidents. Poor security practices ultimately lead to computer hacks and theft of personal information, placing consumers at risk. This prompts government agencies, which are tasked with ensuring the protection of consumer information through oversight and audits, to bring lawsuits against negligent companies to force them to adopt better security standards, policies and procedures. Data protection has a cost, which prompts companies to postpone security initiatives and related costs as much as possible. However, with government security lawsuits underway, the cost of poor security may be higher if companies are not proactive in allocating the appropriate resources to properly secure their systems and data.

In a recent government security lawsuit, the Federal Trade Commission claimed that Wyndham Worldwide Corporation failed to adequately safeguard its computer systems, allowing hackers to access customer information. Interestingly, the FTC prevailed in its court arguments, twice.

In the government security lawsuit, the FTC claimed that Wyndham engaged in a number of security malpractices that "unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft". According to the FTC, these poor security controls led to three unauthorized intrusions between 2008 and 2010, which allegedly caused the compromise and transfer of more than 619,000 consumer payment card account numbers to a domain registered in Russia, resulting in fraudulent charges on many financial accounts and more than $10.6 million in fraud loss.

According to the FTC complaint, the security failures included:

  • Failure to use readily available security measures such as IDS, IPS, and firewalls;
  • Storage of unencrypted or de-identified credit card information;
  • Lack of security controls for connecting local computer networks to corporate-level networks;
  • Failure to address known security vulnerabilities;
  • Use of default user names and passwords for access to systems;
  • Failure to require the use of complex passwords to access company systems;
  • Failure to properly manage digital assets;
  • Failure to adequately monitor unauthorized access to computers;
  • Failure to investigate security incidents; and
  • Failure to limit third-party access to company systems.

In its counterargument, Wyndham argued that the FTC lacks authority to regulate the data security standards of commercial entities. The company argued that by adopting targeted data security legislation, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children's Online Privacy Protection Act, and the Health Insurance Portability and Accountability Act, Congress has settled on "a less extensive regulatory scheme."

Data breaches result in about $500 million in damages annually and are one of the top concerns of American consumers and government agencies.

Notice that some of the failures listed above in bold are related to identity and access management, which makes it extremely important to hire and retain Certified Identity and Access Manager (CIAM) professionals, who guide companies and oversee their system access security and identity management programs, which authenticate, authorize, and monitor user activities.
