- Journal Archives
- Volume 16
- Volume 15
- Volume 14
- Volume 13
- Volume 12
- Volume 11
- Volume 10
- Volume 9
- Volume 8
- Volume 7
- Volume 6
- Volume 5
- Volume 4
- Volume 3
- Volume 2
- Volume 1
Over the holiday season, Target suffered a highly publicized data breach affecting between 70 and 110 million customers, one of the largest breaches of retail data in history. This personally identifiable data was hacked, according to Target executives, by malware installed on point-of-sale devices in Target’s checkout lines. The malicious software — KAPTOXA — captured data stored on the magnetic stripes of credit and debit cards and is believed to be the work of Russian hackers.
The Department of Homeland Security (DHS) is working in conjunction with a cyber security company, iSIGHT Partners, to investigate the breach. According to Tiffany Jones, a senior vice president at iSIGHT, “It’s not necessarily the specific malware components individually that make this new or sophisticated, but it’s really the size or scale of this operation at large that makes this unique.”
The scale of Target’s data breach has also attracted attention from Capitol Hill, and Target has agreed to testify before members of Congress. Representative Mike Lee [R-NE], Chairman of the House Commerce, Manufacturing, and Trade Subcommittee, said the hearing would focus on data breaches and their effects on consumers. Meanwhile, Senator Menendez [D-NJ] has argued that the Federal Trade Commission (FTC) should have the authority to levy fines against companies that do not adequately protect consumer data.
However, questions exist as to whether the FTC has the authority to investigate and bring an enforcement action against Target or any other companies. Under the FTC Act, the Commission is charged with preventing “unfair or deceptive acts or practices that may affect interstate commerce.” The FTC has approached enforcement under the Act in two ways, focusing on both the “deceptive” and “unfair” prongs. Under this argument, the FTC has brought over 40 data security cases since 2000.
Last year, the FTC brought suit against Wyndham Hotels & Resorts, alleging that the company’s “poor data security practices had led to three data breaches.” The Wyndham data breach resulted in fraudulent charges on consumer accounts and the export of consumer credit card account information.
Wyndham has challenged the FTC’s authority to police companies’ data security policies and practices, arguing that the FTC Act does not grant the agency the authority to regulate cyber security. Wyndham’s attorneys have also argued that the FTC’s process of setting standards, largely through consent orders, is an insufficient form of notice. The litigation, currently underway in federal court, could prove very important to consumers and companies alike. If the court finds the FTC does not have the authority to regulate data security, the question then becomes, who does?
Tagged with: "unfair and deceptive acts and practices" • 15 USC 45 • administrative law • consumer protection • cyber attack • cyber security • deceptive • deceptive trade practices • DHS • FTC • FTC Act • FTC v. Wyndham • government • hacking • information security • lawsuits • Mike Lee • point-of-sale • privacy • regulation • retail • Robert Menendez • Target • technology • ultra vires • unfair • Wyndham
Recent Blog Posts
- The Silk Road: An Insight Into the Future of Internet Regulation?
- JETLaw Symposium on Intellectual Property Tomorrow
- San Jose Strikes Out Again in Suit Against MLB
- National Marine Fisheries Service Enters the Electronic Age
- Google Fiber Considers Expansion to Nine New Metro Areas
- Let’s Communicate: Incoming National Standards for Commercial Data Breaches?
Tagsadvertising antitrust Apple books career celebrities contracts copyright copyright infringement courts creative content criminal law entertainment Facebook FCC film/television financial First Amendment games Google government intellectual property internet JETLaw journalism lawsuits legislation media medicine Monday Morning JETLawg music NFL patents privacy progress publicity rights radio social networking sports Supreme Court of the United States (SCOTUS) technology telecommunications trademarks Twitter U.S. Constitution