FTC Consent Decree Suggests Expectations of Minimum Data Security Measures: Security procedures must support protection statements
The Federal Trade Commission (FTC) recently announced a consent decree with online retailer Life is good (www.lifeisgood.com) that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The consent decree serves as advance notice to businesses that collect sensitive personal data, to ensure that sufficient safeguards are in place to adequately support information security statements. Such businesses should be aware of the FTC's expectations and evaluate their security procedures in light of the decree.
The FTC claimed Life is good offered reassurances of information security, but failed to have in place sufficient measures, in the FTC's view, to back them up, based on the ability of a hacker to use SQL (Structured English Query Language) software to perform “injection attacks” on Life is good's website to access consumers' credit card numbers, expiration dates, and security codes.
To resolve allegations in an FTC draft complaint alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional—for the next 20 years.
Significantly, the FTC pursued Life is good based not on allegations that it violated any privacy- or financial-services-specific law or regulation (such as the FTC's Financial Privacy or Safeguards rules), but rather under the agency's generic unfair-trade-practices authority. The FTC was set to proceed on a theory that the company made representations to the public in the course of soliciting and entering commercial transactions, and then failed to honor its representations.
The FTC alleged that Life is good did not honor this commitment because it:
- Unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network, and by storing credit security card codes
- Failed to assess the vulnerability of its website and computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks
- Failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks
- Failed to use readily available security measures to monitor and control connections from the network to the Internet
- Failed to employ reasonable measures to detect unauthorized access to credit card information
Consent decree mandates
The consent decree has the standard provision that Life is good will no longer violate the FTC Act, but in addition, the above-referenced "comprehensive information-security program" that Life is good must institute requires administrative, technical, and physical safeguards tailored to the size of the company as a commercial entity, the nature of its activities, and the sensitivity of the personal information it collects.
Specifically, the consent decree mandates an information-security program that includes:
- Designation of an employee or employees to coordinate the information security program
- Identification of internal and external risks to the security and confidentiality of personal information, and re-assessment of the safeguards already in place
- Creation and implementation of safeguards to control the risks identified in the risk assessment
- Monitoring the safeguards' effectiveness
- Development of reasonable steps to select and oversee service providers that handle personal information of Life is good's customers
- Evaluation and adjustment of the program to reflect the results of monitoring, material changes to the company's operations, or "other circumstances" that may effect program efficacy
- Bookkeeping and record-keeping to facilitate FTC monitoring of compliance with the consent decree
Further, the above-noted independent, third-party security auditor, which Life is good must employ biennially for the next 20 years, will be required to certify the security program meets or exceeds the requirements of the consent decree, and is operating with sufficient effectiveness to provide reasonable assurance of the security of consumers' personal information.
Suggested FTC expectations
While the duration and reach of the information-security program's terms mandated by the consent decree may be heightened in part as a result of Life is good having been open to a hacker's attack that resulted in a compromise of consumers' sensitive data, the basic framework suggests what security measures the FTC believes most companies should have in place.
The consent decree indicates that, in general terms, a company should have an employee (or, if necessary, several employees) charged with:
- Oversight of securing the sensitive personal information the company collects
- Routine information-security risk assessments and establishment of safeguards against identifiable risks
- Deployment of available security defenses and other measures
- Monitoring, bookkeeping and record-keeping that demonstrates the functioning and efficacy of the program
In addition, it appears the FTC expects that companies take at least reasonable steps to ensure that third parties with which a company shares its sensitive information, have in place sufficient measures to ensure that any sensitive data that is shared will be secure upon receipt by the third party. The FTC's announcement of this consent decree provides an opportunity for all companies that collect sensitive personal information, and that publicly make promises about how they safeguard that data, to re-evaluate their data security programs to ensure they are meeting at least the minimum steps the FTC appears to expect.