When hackers hit government computers and make off with the personal data of millions of people, there is no punishment.

Yet when U.S. corporations such as Dave & Buster’s or Credit Karma fall victim to hackers, the federal government may choose to sue the company for the resulting theft of consumers’ personal information.

Some critics say it’s hypocritical and supremely unfair for the government to demand more cybersecurity from private companies than the government itself can provide.


The most recent security lapse, perhaps the worst in U.S. history, occurred earlier this month when hackers stole personal data for a whopping 21.5 million people on file at the Office of Personnel Management.

Cory Andrews, senior legal counsel with the Washington Legal Foundation, said it is ironic that one arm of the government is harassing businesses for failing to protect consumer data when the government itself has been an abysmal failure at safeguarding our personal data.


“They’ve been breached and hacked dozens and dozens of times,” he said.

The Federal Trade Commission has been criticized for pursuing civil cases against companies under a vague authority known as Section 5 of the Federal Trade Commission Act, which gives the government power to punish “unfair or deceptive” acts or practices in commerce. Critics say being victimized by hackers is hardly the same thing as deliberately deceiving consumers.

The government does not have to prove the defendants acted intentionally or benefited in some way.

The FTC has filed 55 lawsuits since 2000 under the 1914 statute to punish data breaches. In most cases, lawsuits end with non-monetary settlements. Companies agree to take certain steps to prevent future breaches and provide training for employees. Fines are authorized only if a corporation violates a consent decree.


The strategy has gone largely unchallenged because most companies have chosen to settle rather than fight.

But that could change. A decision is expected soon in a case pending before an appeals court in Philadelphia in which a company argues the government exceeded its authority.

Lawyers for Wyndham Hotels and Resorts, a New Jersey-based hospitality company that was hit in three separate data breaches from 2008 to 2010, argue the government’s lawsuit “is the Internet equivalent of punishing the local furniture store because it was robbed and its files raided.”

The company asked U.S. District Judge Esther Salas to dismiss the complaint, claiming the FTC exceeded its authority. Salas, an Obama appointee, refused.

But Salas did note companies face real difficulties.

“Both (the government and defendant) seem to recognize the importance of data security and the damage caused by data-security breaches,” she wrote in her April 2014 ruling. “Both also seem to acknowledge that we live in a digital age that is rapidly evolving — and one in which maintaining privacy is, perhaps, an ongoing struggle. And, as evident from the instant action, this climate undoubtedly raises a variety of thorny legal issues that Congress and the courts will continue to grapple with for the foreseeable future.”

Wyndham Resorts appealed, and the parties are waiting for a ruling from the 3rd U.S. Circuit Court of Appeals.

Data breaches have become an increasingly vexing problem for companies large and small as sophisticated hackers systematically probe security measures across the Internet. Some 53 million Home Depot customers had their e-mail addresses stolen. Hordes of customer passwords and credit card numbers have been taken from Wal-Mart and Amazon accounts.

Many of the hackers are well-funded criminal organizations based in Russia, China and other countries.


In the case of Wyndham, Russia-based hackers stole records associated with 619,000 credit card accounts, including account numbers, expiration dates and security codes. The breaches resulted in fraudulent charges totaling $10.6 million, according to court records.

The government hardly has been immune to cybersecurity lapses. The Office of Inspector General that oversees the Consumer Financial Protection Bureau (the Federal Reserve Board’s inspector general) in September faulted the bureau’s handling of sensitive data, even though the CFPB’s very mission is to protect consumers.


“CFPB lacks written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessments,” the IG stated in a summary of its report. “The lack of written procedures could result in inconsistent application of the established practices.”

FTC spokesman Jay Mayfield defended the commission’s conduct, contending the agency only sues companies that fail to take reasonable precautions to safeguard data.

“It’s not about the breach, per se. It’s about the company’s conduct that may have led to the breach,” he said. “We don’t bring cases whenever there’s a data breach. A data breach is not a violation.”

But Andrews said companies have no clear way to know whether the measures they have in place will pass muster with regulators because the government has never published a list of specific steps firms can take to provide a “safe harbor” if they do get hacked.

Sam Pfeifle, publications director for the International Association of Privacy Professionals, said hacking tactics and technology change so fast that the government would almost have to change such lists every couple of weeks.

“Very quickly, what you need to do would become outdated,” he said.

The association, which tracks breaches, offers guidelines that provide a fairly comprehensive outline of practices to avoid, based on agreements companies have signed with the FTC, Pfeifle said.

The steps include employing hard-to-break passwords for access to sensitive information.

Pfeifle said the FTC sues only the worst violators, whose promises to consumers about data security fail to live up to reality. Critics, however, note the irony that from a legal standpoint, a company would be on safer ground if it told customers it had no security measures to protect personal information — and thus makes fewer attempts to safeguard the data.

But Andrews said complying with consent decrees has its own costs. He said those costs vary from company to company and are hard to estimate. A report last year by the Heritage Foundation noted that at least some of those costs get passed on to consumers.

Ed Mierzwinski, the federal consumer program director and senior fellow at The Public Interest Research Group, said he supports aggressive government action to safeguard personal information. But he acknowledged the limits of the Federal Trade Commission’s authority.

“It only works against some companies,” he said. “It certainly doesn’t work against government agencies. … It’s a solution that only addresses part of the economy.”