The FTC recently announced a consent decree with online retailer Life is good (www.lifeisgood.com) that offers insight into what the agency may regard as the bare minimum a company must do when it makes the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but lacked (in the FTC’s view) sufficient measures to back them up, pointing to a hacker’s use of SQL injection attacks against Life is good’s website to access consumers’ credit card numbers, expiration dates, and security codes. To resolve the allegations of unfair trade practices in a draft complaint the FTC had prepared, Life is good settled by entering a consent decree that requires it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years. According to the FTC, Life is good:
• unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network, and by storing credit card security codes
• failed to assess the vulnerability of its website and computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks
• failed to implement simple, free or low-cost, and readily available security defenses to SQL injection and similar attacks
• failed to use readily available security measures to monitor and control connections from the network to the Internet
• failed to employ reasonable measures to detect unauthorized access to credit card information
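The third and fourth allegations above turn on one coding mistake and its routine fix. The following is an added example, not code from Life is good, the FTC, or the complaint: an order-lookup query written once with the caller’s input spliced into the SQL string and once with a bound parameter, run against an in-memory SQLite table of constructed sample rows (the schema, rows, and injection payload are all assumptions made for illustration). The tautology payload pulls every row out of the vulnerable version and matches nothing in the parameterized one.

```python
"""Order lookup by e-mail: string-built SQL beside the parameterized form.

Added example for illustration; not code from Life is good or the FTC.
The table, its rows and the payload below are constructed, not real data.
"""
import sqlite3

# Constructed sample rows. The table deliberately mirrors the first allegation
# (card number, expiry and CVV kept in clear text) so that the two lookups can
# be compared; it is NOT a recommendation to persist any of these fields.
SAMPLE_ORDERS = [
    (1001, "alice@example.com", "4111111111111111", "12/27", "123"),
    (1002, "bob@example.com", "5500000000000004", "03/26", "456"),
    (1003, "carol@example.com", "340000000000009", "07/28", "789"),
]

# Classic tautology payload: the closing quote ends the intended literal and
# the OR clause makes the WHERE condition true for every row.
PAYLOAD = "nobody@example.com' OR '1'='1"


def build_db():
    """Create an in-memory database holding the constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, "
        "card_number TEXT, expiry TEXT, cvv TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, email):
    """Interpolates caller-supplied text straight into the statement.

    Any quote character in `email` becomes SQL syntax, so the caller, not the
    developer, decides what the query does.
    """
    sql = f"SELECT id, email, card_number FROM orders WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Same query, but the value is bound as a parameter.

    The driver sends the statement and the value separately; the database
    treats the value as data and never parses it as SQL.
    """
    sql = "SELECT id, email, card_number FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with an honest e-mail and with the payload."""
    conn = build_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice@example.com"),
        "honest_safe": lookup_parameterized(conn, "alice@example.com"),
        "attack_vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "attack_safe": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
```

Two caveats a practitioner would add. Parameterization is the "simple, free" defense the FTC had in mind and it closes this hole entirely, but it does nothing about the first allegation: a query that can only return card numbers and CVVs because the application chose to store them in clear text is a storage decision made long before any SQL runs. And the tautology shown here is the mildest outcome; on drivers that allow stacked statements the same string position takes arbitrary commands.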
The consent decree has the standard provision that the company will no longer violate the FTC Act, but in addition, the above-referenced “comprehensive information-security program” that Life is good must institute requires administrative, technical, and physical safeguards tailored to the size of Life is good as a commercial entity, the nature of its activities, and the sensitivity of the personal information it collects. Specifically, the consent decree mandates an information-security program that includes:
• designation of an employee or employees to coordinate the information security program
• identification of internal and external risks to the security and confidentiality of personal information, and assessment of the safeguards already in place
• creation and implementation of safeguards to control the risks identified in the risk assessment
• monitoring the safeguards’ effectiveness
• development of reasonable steps to select and oversee service providers that handle personal information of Life is good customers
• evaluation and adjustment of the program to reflect the results of monitoring, material changes to the company’s operations, or “other circumstances” that may affect program efficacy
• bookkeeping and record-keeping to facilitate FTC monitoring of compliance with the consent decree
Further, the above-noted independent, third-party security auditor that Life is good must employ biennially for the next 20 years will be required to certify that the security program meets or exceeds the requirements of the consent decree and is operating with sufficient effectiveness to provide reasonable assurance of the security of consumers’ personal information.
While the duration and reach of the information-security program mandated by the consent decree may be heightened in part because Life is good was in fact open to a hacker’s attack that compromised consumers’ sensitive data, the basic framework suggests what security measures the FTC believes most companies should have in place. It indicates that, in general terms, a company should have an employee (or, if necessary, several employees) charged with oversight of securing the sensitive personal information the company collects; routine information-security risk assessments and establishment of safeguards against identified risks; and monitoring, bookkeeping and record-keeping that demonstrates the functioning and efficacy of the program. In addition, it appears the FTC expects companies to take at least reasonable steps to ensure that third parties with which a company shares its sensitive information have sufficient measures in place so that any shared data remains secure upon receipt by the third party.
The FTC’s announcement of the consent decree provides an opportunity for all companies that collect sensitive personal information, and that publicly make promises about how they safeguard that data, to re-evaluate their data security programs to ensure they are meeting at least the minimum steps the FTC appears to expect. The FTC’s Protecting Personal Information: A Guide for Businesses is a good resource in this regard as well.