Why regulators punish the victims of hacker attacks

Verne Kopytoff 2012-07-02
The U.S. government is preparing to punish companies that have been hacked for failing in their duty to take adequate measures to keep customer information secure. This may hold a lesson for China.


Hackers infiltrate Company X's computers and make off with thousands of customer credit card numbers. After learning of the theft, Company X apologizes and promises to beef up its security. A storm of public indignation builds and then passes until, soon after, the cycle repeats itself when hackers attack another Company Y. And so on.

Only rarely does the script deviate like it did this week when the Federal Trade Commission sued Wyndham Worldwide (WYN) for failing to do enough to protect its customer information. The complaint, filed in federal court in Arizona, alleged that Wyndham did little to upgrade security after hackers breached its computer system three times in two years.

Wyndham responded that the case was without merit.

Unlike Wyndham, most companies that fall victim to hackers never enter the F.T.C.'s crosshairs. As long as businesses have reasonable security measures, they can avoid punishment after even serious breaches.

What draws the F.T.C.'s attention is when it believes a company left the door wide open to its customer information. Such inattention violates privacy policies in which companies invariably promise that they safeguard the consumer data they collect, using standard industry practices.

"We have always said that it is not a violation to be hacked," said Kristin Cohen, an attorney in the F.T.C.'s division of privacy and identity protection. "We can only go after companies that have misleading privacy policies -- either they did something that was deceptive or unfair."

Over the past decade, the F.T.C. has reached settlements or sued around 35 companies for misrepresenting their data security. For example, RockYou, a social game site, settled with the agency earlier this year while Twitter did so in 2010.

The number of cases pales next to the proliferation of successful hacker attacks in the United States. Last year alone, there were 419 breaches reported affecting 22.9 million people, according to the Identity Theft Resource Center, a group that tracks the problem. The number of successful attacks is almost certainly higher, however, because many companies fail to disclose when their defenses are defeated, said Rex Davis, director of operations for the center.

In its complaint Tuesday, the F.T.C. said that Wyndham, which operates and franchises Days Inn, Super 8 and Ramada hotels, failed to implement basic security measures. Credit card numbers were stored in plain text files that hackers could easily read, for example.

The first hacker attack against Wyndham in 2008 compromised 500,000 credit card accounts, and led to hundreds of thousands of account numbers being sent to a domain registered in Russia. Two more attacks over the next two years accessed another 50,000 credit and debit card numbers.

The F.T.C. said that the hackers were able to use the information they obtained to make $10.6 million in fraudulent charges. Wyndham countered that it knows of no customers who suffered a financial loss.
