According to an Ars Technica article on Monday, August 24, a federal appeals court ruled that the Federal Trade Commission (FTC) can sue a company that employs poor IT security practices. The ruling resulted from a lawsuit the FTC filed against the Wyndham Worldwide Corporation, which suffered three breaches from 2008 to 2009. (See FTC v. Wyndham.)
FTC Chairwoman Edith Ramirez wrote in a statement to Ars, “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
What could this mean for the control system community?
It means we can no longer sit back and rely on the excuses “that’s the way it has always been done,” “so what if someone turns an air handler off,” or “nobody cares about hacking a control system.” If a breach of customer data occurs through a BAS, not only could you be liable to consumers, the FTC could come after you as well.
This is not the only action by the FTC. According to an article on Security Week, the agency has settled more than 50 such cases so far. Given the federal appeals court ruling this week, the FTC’s authority in these matters has been reaffirmed, and lawsuits like this one will likely increase.
As system integrators, building owners/operators, vendors, and manufacturers, we need to step up our OT security practices. IT and OT are converging more every day, and the lines between them are becoming less obvious. And rightfully so. We have to shoulder our share of the responsibility, or we could be in the crosshairs of the FTC as well.
There is a credit card company that uses the phrase “what’s in your wallet.” Maybe we should start asking ourselves “what’s in our budget” and add a review and upgrade of our IT/OT infrastructure to it.