Most people by now have heard of the Heartbleed bug. It's the programming flaw in one of the most widely used pieces of encryption software on the internet: OpenSSL. It makes what should be secure websites, and the personal information they hold, vulnerable to hackers. It is more important, though, than just another internet threat. Every business should consider whether it can be held liable for depending on the vulnerable encryption software in the first place. This is especially important in light of the Federal Trade Commission's efforts to ensure that businesses take reasonable precautions to protect their customers' digital data.
The same day the Heartbleed bug was announced, April 7, 2014, Federal District Court Judge Esther Salas upheld the Federal Trade Commission's right to police corporate cybersecurity practices. As we previously mentioned, the court denied Wyndham Worldwide Corp.'s motion to dismiss a suit the FTC brought against it, which arose out of three separate alleged hacking incidents that occurred over a two-year period.
According to a story by Matt Egan published on April 8, 2014 on FoxBusiness.com, the FTC sued Wyndham Worldwide Corp. and three subsidiaries, alleging that Wyndham unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft, resulting in hundreds of thousands of customers having their payment card account information exported to a domain registered in Russia and in a fraud loss of more than $10 million. The suit reportedly alleged that, among other things, Wyndham:
- Failed to use readily available security measures like firewalls;
- Allowed software to be configured inappropriately;
- Failed to ensure hotels implemented adequate information security policies;
- Failed to remedy known security vulnerabilities.
What makes the ruling especially relevant to the Heartbleed bug is the way that the encryption software the bug affects is developed and maintained.