Data security: It doesn't take a breach to get the FTC's attention

By Shawna McAlearney, News Editor
27 Jun 2005 | SearchSecurity.com


The list of recent database security breaches reads like a roster of some of the most prominent companies in the U.S. But your company doesn't have to be prominent, or even suffer a breach, to come under the scrutiny -- and wrath -- of the Federal Trade Commission.

"The threat to businesses extends well beyond the relatively small number that actually experience a compromise of data," said Mike Overly, a partner at law firm Foley & Lardner, which specializes in cyberlaw. "The FTC has conducted several enforcement actions against companies in which no compromise of security has occurred. In those cases, the FTC reviewed the business' security practices and found that they did not fulfill statements made by those companies, typically in privacy policies, that promised to protect consumer information and to ensure such information would not be compromised."

Boiling it down
In other words, the FTC found these statements deceptive and misleading to consumers because the businesses had not employed reasonable measures to protect the systems holding that information. The trigger was the gap between the promise and the practice, not a breach.

"So it is not just the businesses that suffer an intrusion or compromise that are at risk," Overly said. "Any business handling consumer information could be audited by the FTC to ensure the business' security practices are reasonable and appropriate and comport with the statements that company has made to the public. If not, the FTC could prosecute the company for making misleading statements to consumers regarding the security of their information."

Privacy policies are an obvious target
Privacy policies are often the hook the FTC uses to go after companies, said Benjamin Wright, independent attorney and author of Business Law and Computer Security. He suggests that organizations be extremely careful about what they put in a privacy policy so it isn't read as a guarantee. "Saying 'We're going to secure your data' is very dangerous because legal authorities often interpret that language as being impossible to deliver on what's promised."

"More and more companies are putting disclaimers on their Web sites," Wright added. Those often take the form of a statement that says, "Your data is important to us, but we assume no liability for its protection."

However, Overly said such a disclaimer won't protect the organization from liability or from claims of deceptive practices. "Commercial Web site privacy policies that promise to protect customer data from unauthorized release but also disclaim liability for losses of customer information will likely face Federal Trade Commission scrutiny if consumer data is lost," Overly said.

Who's been in the hot seat?
BJ's Wholesale Club last week settled with the FTC on charges that its "failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law." According to the FTC, the information stolen from BJ's was used to make millions of dollars of fraudulent purchases. The settlement will require BJ's to implement a comprehensive information security program that includes administrative, technical and physical safeguards, and obtain audits by an independent security firm every other year for 20 years.

The FTC also has forced Guess Inc. and Eli Lilly to increase security. High-profile breaches that may attract its eye include CardSystems, Bank of America, Citibank, Lexis-Nexis, ChoicePoint and others.

Wright noted that N.Y. Attorney General Eliot Spitzer brought an action against Ziff Davis in 2002 for weak Web site security. Hackers had broken into its customer database, stolen credit card numbers and used some of the numbers to commit fraud. Spitzer forced the company to pay a $125,000 fine.

More recently, Spitzer took on Barnes & Noble.com, which will pay New York state $60,000 and implement a comprehensive information security program under an agreement announced April 29. "The agreement contains no indication that personal information was ever obtained or misused by third parties," Overly said. "Instead, the attorney general's complaint was that the manner in which they programmed their Web site was inherently insecure and in violation of a posted privacy policy."

"The fine is low, but keep in mind this is a situation in which no actual compromise occurred," said Overly. "I think this type of action will become very common in the coming months ... brought by the FTC or a state attorney general. If the subject of the fine fails to comply and later suffers a loss, the fine will be substantial."

All Rights Reserved, Copyright 2007 - 2009, TechTarget | Read our Privacy Policy