The litany of the latest database security breaches reads like a laundry list of some of the most prominent companies in the U.S. But your company doesn't have to be prominent or suffer a breach to come under the scrutiny -- and wrath -- of the Federal Trade Commission.
"The threat to businesses extends well beyond the relatively small number that actually
Boiling it down
What it means is that the FTC found these statements deceptive and misleading to consumers because the businesses hadn't employed reasonable measures to protect their systems.
"So it is not just the businesses that suffer an intrusion or compromise that are at risk," Overly said. "Any business handling consumer information could be audited by the FTC to ensure the business' security practices are reasonable and appropriate and comport with the statements that company has made to the public. If not, the FTC could prosecute the company for making misleading statements to consumers regarding the security of their information."
Privacy policies are an obvious target
"More and more companies are putting disclaimers on their Web sites," Wright added. Those often take the form of a statement that says, "Your data is important to us, but we assume no liability for its protection."
However, Overly said such a disclaimer won't protect the organization from liability or claims of deceptive practices. "Commercial Web site privacy policies that promise to protect customer data from unauthorized release but also disclaim liability for losses of customer information will likely face Federal Trade Commission scrutiny if consumer data is lost," Overly said.
Who's been in the hot seat?
BJ's Wholesale Club last week settled with the FTC on charges that its "failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law." According to the FTC, the information stolen from BJ's was used to make millions of dollars of fraudulent purchases. The settlement will require BJ's to implement a comprehensive information security program that includes administrative, technical and physical safeguards, and obtain audits by an independent security firm every other year for 20 years.
The FTC also has forced Guess Inc. and Eli Lilly to increase security. High-profile breaches that may attract its eye include CardSystems, Bank of America, Citibank, Lexis-Nexis, ChoicePoint and others.
Wright noted that N.Y. Attorney General Eliot Spitzer brought an action against Ziff Davis in 2002 for weak Web site security. Hackers had broken into its customer database, stolen credit card numbers and used some of the numbers to commit fraud. Spitzer forced the company to pay a $125,000 fine.
"The fine is low, but keep in mind this is a situation in which no actual compromise occurred," said Overly. "I think this type of action will become very common in the coming months…brought by the FTC or a state attorney general. If the subject of the fine fails to comply and later suffers a loss, the fine will be substantial."