Government Security

Wyndham Settlement: No Fine, But More Power To the FTC (csoonline.com)

itwbennett writes: Earlier this month, Wyndham settled a lawsuit with the FTC over weak security practices that resulted in three major data breaches in 2008 and 2009, which compromised the credit card information of more than 619,000 customers and led to more than $10.6 million in fraudulent charges. But all the settlement requires Wyndham to do 'is what any company that handles credit card data is supposed to have been doing for more than a decade, under the Payment Card Industry Data Security Standard (PCI DSS),' writes Taylor Armerding. There was no fine, and it seemed as though Wyndham had 'dodged a bullet,' says Armerding. But things are not always as they seem. Because the PCI DSS is not a government standard and is not a law, 'the case was not about fines for noncompliance, which the FTC doesn't even have the authority to impose,' says Armerding. 'It was instead about power: the authority of the FTC to charge Wyndham with "unfair and deceptive" practices because of its security flaws.'

  • by Anonymous Coward

    The FTC's case is simply a nuisance suit for Wyndham. While I'm annoyed at Wyndham for their lax practices, I'm also annoyed, perhaps more annoyed, by the recent efforts of government agencies to exceed their authority and essentially establish laws of their own where they have no such power.

    • Re:Nuisance Suit (Score:4, Insightful)

      by sinij ( 911942 ) on Thursday December 24, 2015 @10:28AM (#51178051)
      I think government is very justified when looking into cases of negligence when it impacts a large number of people. There is a very clear case of public interest.
    • by Anonymous Coward

      No. Ohhhhh no. Nonononono. This case was about piercing the corporate veil / common enterprise. It was about a firm seeking to transfer security responsibilities to another firm, thereby avoiding the costs and responsibilities of IT.

      This case sets a very interesting precedent, and in the past courts have said you can only pierce the corporate veil as a result of fiscal malfeasance. But this case raised IT / infosec to the same level. Corporate America should be crapping their pants.

  • PCI sets many standards; very, very few businesses obey them all, and there is essentially zero penalty for non-compliance. For instance: while Christmas shopping, did every store you visited require the use of a card with a chip? The cutoff date for requiring that at any retailer was back in October.

    • Many issuers will impose fines against merchants if the merchant suffered data breaches and was not PCI compliant. These are not always minimal. Some issuers put this into merchant contracts.

      It is not always without costs to the merchant.
