Reasonable and Appropriate Data Security – An interesting case that the FTC filed recently (June 26, 2012) against a well-known hotel chain. (Names omitted for the purposes of this blog.) Notice the similarities to the PCI DSS requirements.
I know, you’re thinking, “Ooh, I love to read court cases!” I’ve taken out just some excerpts to show you. (my comments follow)
1. The FTC brings this action under Section 13(b) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 53(b), to obtain permanent injunctive relief and other equitable relief for Defendants’ acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), in connection with Defendants’ failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information. (This means they’re suing them.)
2. Defendants’ failure to maintain reasonable security allowed intruders to obtain unauthorized access to the computer networks of ___________ Hotels and Resorts, LLC, and several hotels franchised and managed by Defendants on three separate occasions in less than two years. Defendants’ security failures led to fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia. In all three security breaches, hackers accessed sensitive consumer data by compromising Defendants’ (city, state) data center. (Not only were they negligent, but they were repeatedly negligent.)
Cited examples of how they were negligent:
a. failed to use readily available security measures to limit access between and among the hotels’ property management systems, the Hotels and Resorts’ corporate network, and the Internet, such as by employing firewalls; (Duh,)
b. allowed software at the hotels to be configured inappropriately, resulting in the storage of payment card information in clear readable text; (Big no no. Huge..)
c. failed to ensure the hotels implemented adequate information security policies and procedures prior to connecting their local computer networks to Hotels and Resorts’ computer network; (policies, schmologies…)
d. failed to remedy known security vulnerabilities on hotels’ servers that were connected to Hotels and Resorts’ computer network, thereby putting personal information held by Defendants and the other hotels at risk. For example, Defendants permitted hotels to connect insecure servers to the Hotels and Resorts’ network, including servers using outdated operating systems that could not receive security updates or patches to address known security vulnerabilities; (If I know about them does that mean I need to fix them?)
e. allowed servers to connect to Hotels and Resorts’ network, despite the fact that well-known default user IDs and passwords were enabled on the servers, which were easily available to hackers through simple Internet searches; (Now, I’m not a techie, and even I know that.)
f. failed to employ commonly-used methods to require user IDs and passwords that are difficult for hackers to guess. Defendants did not require the use of complex passwords for access to the hotels’ property management systems and allowed the use of easily guessed passwords. For example, to allow remote access to a hotel’s property management system, which was developed by software developer XXX Systems, Inc., Defendants used the phrase “XXX” as both the user ID and the password; (You mean I can’t use my company name as my password?)
g. failed to adequately inventory computers connected to the Hotels and Resorts’ network so that Defendants could appropriately manage the devices on its network; (What’s an asset inventory?)
h. failed to employ reasonable measures to detect and prevent unauthorized access to Defendants’ computer network or to conduct security investigations; (Detect and prevent? What do you think, I’m Dick Tracy? Who’s going to know, anyway…?)
i. failed to follow proper incident response procedures, including failing to monitor Hotels and Resorts’ computer network for malware used in a previous intrusion; (Fool me once, shame on you; fool me twice, shame on me.) and
j. failed to adequately restrict third-party vendors’ access to Hotels and Resorts’ network and the hotels’ property management systems, such as by restricting connections to specified IP addresses or granting temporary, limited access, as necessary. (Was Bob tinkering around with our systems again last week?)
Personally, I think the FTC has a pretty good case on this one. Reasonable and appropriate.
Do you know reasonable?
Nancy Sykora
Sr. Account Executive
HALOCK partners with organizations to establish reasonable security controls based on the company’s mission, objectives, and social responsibility.
Are you prepared for a cyber security incident?
Assess your incident response readiness. We can help if you have a security incident to help minimize the impact.
Incident Response Hotline: 800-925-0559