SAN FRANCISCO -- Businesses can learn some lessons from the enforcement action the Federal Trade Commission has taken against companies that fail to protect consumer data, FTC Chairman Deborah Platt Majoras said in an RSA Conference keynote Wednesday.
Speaking at a town hall session on identity theft and cybercrime, Majoras said since 2001, the FTC has brought 14 enforcement actions against companies that failed to provide reasonable data security.
"If you make claims about data security, you better make sure they're accurate," she said, citing the FTC's cases against Microsoft, Tower Records parent MTS Inc., and Petco Animal Supplies Inc. In those cases, the FTC challenged claims the companies made on their Web sites about the security they had in place to protect consumer data.
Next, companies need to be aware of well-known and common security threats and protect against them, she said. The FTC has taken action against companies for a variety of failures, from not protecting against SQL injection attacks to not guarding against low-tech attacks such as dumpster diving.
The FTC case against ChoicePoint Inc. shows that businesses need to know with whom they are sharing information; the FTC contended that ChoicePoint lacked reasonable procedures to verify the legitimacy of its customers.
Last, businesses shouldn't store consumer information that isn't needed, Majoras said. For example, the FTC took action last year against DSW Inc., known for its DSW Shoe Warehouse chain, which had kept magnetic stripe information from credit cards longer than necessary for business purposes. Thieves wound up stealing the data because it wasn't adequately protected.
In all the cases, Majoras said there were simple steps companies could have taken to prevent security breaches.
"The standard is not perfection, but reasonableness," she said.
The FTC's enforcement actions are part of its multifaceted approach to combating identity theft. The agency is active on the consumer education front, including a nationwide identity theft education program it launched last year.
"An educated consumer is an empowered consumer," Majoras said.
The FTC also works with other federal agencies in the Federal Identity Task Force established by President Bush last year, and this spring will host a workshop to explore better methods for authenticating individuals.
"All organizations and the consumers we serve must contribute to creating and maintaining a culture of security for our sensitive personal information," Majoras said. "It can't be an afterthought anymore."
Her keynote was followed by a panel discussion that explored ways to fight identity theft and cybercrime, where consumer education was a hot topic. The town hall was sponsored by the Business Software Alliance.
Ira Winkler, president of Internet Security Advisors Group, said user awareness hasn't proven effective; end users still do "dumb" things like leaving their computers unprotected and responding to spam messages.
But Marc Groman, FTC chief privacy officer, said "calling the American consumer the stupid end user isn't helpful." The FTC needs the industry's help in educating consumers about online security, he added.
Cyberattacks have become so sophisticated that consumers can't be expected to understand everything coming at them online, noted Christopher Painter, principal deputy chief of the U.S. Department of Justice's Computer Crime and Intellectual Property Section.
After Wednesday's event, one attendee said consumers need more control over their personal data.
"I'd like to see more mechanisms that would allow consumers to have more control and ownership over the distribution of their personal information," said David Lindsay, software engineer with the Salt Lake City-based LDS church. "It's a difficult technology challenge."
Information Security magazine Editor Michael S. Mimoso contributed to this report.