Can The FTC Sue You For Lax CyberSecurity? (Spoilers: Yes)
Aug 27, 2015
Despite living in the Information Age, where almost every business is online, many companies still regard cybersecurity as an afterthought, or at best as a low priority, or as something that only needs to be “good enough.” This is especially true of small-to-medium sized businesses (and if you are in a small firm, that includes your clients). Keeping a business running is hard enough without also worrying about being singled out by hackers.
The same is true of many law firms. Cybersecurity is treated as an afterthought, if it is given any consideration at all. Yet, as I’ve mentioned before, law firms are often seen as “soft targets” by hackers. Hackers know that law firms tend to be lackadaisical about their security and are often an easy “backdoor” into their clients’ data. Law firms might as well have a target painted on their backs.
While getting hacked and losing the trust of customers and clients would be bad enough, a couple of days ago the U.S. Court of Appeals for the Third Circuit affirmed a district court’s ruling that allowed a lawsuit filed by the FTC to continue for “unfair or deceptive acts or practices in or affecting commerce” when a company has lax cybersecurity standards (PDF of opinion).
In FTC v. Wyndham, No. 14-3514 (3d Cir. 2015), the FTC had received numerous complaints from consumers about identity theft that was originating from the Wyndham Hotel Group. C’mon, they’re a huge hotel group, they’ve got to have at least pretty decent security, right? Here are some of the more egregious allegations from the FTC’s complaint:
- The company allowed Wyndham-branded hotels to store payment card information in clear readable text.
- …to gain “remote access to at least one hotel’s system,” which was developed by Micros Systems, Inc., the user ID and password were both “micros.”
- Wyndham failed to use “readily available security measures”—such as firewalls…