Data security: It doesn't take a breach to get the FTC's attention |
 |
By Shawna McAlearney, News Editor
23 Jun 2005 | SearchSecurity.com |
|
|
The litany of the latest database security breaches reads like a laundry list of some of the most prominent companies in the U.S. But your company doesn't have to be prominent or suffer a breach to come under the scrutiny -- and wrath -- of the Federal Trade Commission.
"The threat to businesses extends well beyond the relatively small number that actually
experience a compromise of data," said Mike Overly, a partner at law firm Foley & Lardner, which specializes in cyberlaw. "The FTC has conducted several enforcement actions against companies in which no compromise of security has occurred. In those cases, the FTC reviewed the business' security practices and found that they did not fulfill statements made by those companies, typically in privacy policies, that promised to protect consumer information and to ensure such information would not be compromised."
Boiling it down
What it means is that the FTC found these statements deceptive and misleading to consumers because the businesses hadn't employed reasonable measures to protect their systems.
"So it is not just the businesses that suffer an intrusion or compromise that are at risk," Overly said. "Any business handling consumer information could be audited by the FTC to ensure the business' security practices are reasonable and appropriate and comport with the statements that company has made to the public. If not, the FTC could prosecute the company for making misleading statements to consumers regarding the security of their information."
Privacy policies are an obvious target
Privacy policies are often the hook the FTC uses to go after companies, said Benjamin Wright, independent attorney and author of Business Law and Computer Security. He suggests that organizations be extremely careful about what they put in a privacy policy so it isn't read as a guarantee. "Saying 'We're going to secure your data' is very dangerous because legal authorities often interpret that language as being impossible to deliver on what's promised."
"More and more companies are putting disclaimers on their Web sites," Wright added. Those often take the form of a statement that says, "Your data is important to us, but we assume no liability for its protection."
However, Overly said it won't protect the organization from liability or claims of deceptive practices. "Commercial Web site privacy policies that promise to protect customer data from unauthorized release but also disclaim liability for losses of customer information will likely face Federal Trade Commission scrutiny if consumer data is lost," Overly said.
Who's been in the hot seat?
BJ's Wholesale Club last week settled with the FTC on charges that its "failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law." According to the FTC, the information stolen from BJ's was used to make millions of dollars of fraudulent purchases. The settlement will require BJ's to implement a comprehensive information security program that includes administrative, technical and physical safeguards, and obtain audits by an independent security firm every other year for 20 years.
The FTC also has forced Guess Inc. and Eli Lilly to increase security. High-profile breaches that may attract its eye include CardSystems, Bank of America, Citibank, Lexis-Nexis, ChoicePoint and others.
Wright noted that N.Y. Attorney General Eliot Spitzer brought an action against Ziff Davis in 2002 for weak Web site security. Hackers had broken into its customer database, stolen credit card numbers and used some of the numbers to commit fraud. Spitzer forced the company to pay a $125,000 fine.
More recently, Spitzer took on Barnes & Noble.com, which will pay New York state $60,000 and implement a comprehensive information security program under an agreement announced April 29. "The agreement contains no indication that personal information was ever obtained or misused by third parties," Overly said. "Instead, the attorney general's complaint was that the manner in which they programmed their Web site was inherently insecure and in violation of a posted privacy policy."
"The fine is low, but keep in mind this is a situation in which no actual compromise occurred," said Overly. "I think this type of action will become very common in the coming months…brought by the FTC or a state attorney general. If the subject of the fine fails to comply and later suffers a loss, the fine will be substantial."
|
