Early 2009 Shows Active FTC Data Security Enforcement; No Room For Lax Safeguards

Sunday, March 1, 2009 - 01:00

Over the last three years, the Federal Trade Commission ("FTC") has settled with fourteen businesses over alleged inadequate data security practices concerning how such businesses protect consumers' personal information. The start of 2009 makes clear that the FTC intends to continue its aggressive enforcement in this area. Within the span of two weeks, the FTC announced two data security actions: one against a computer company in connection with an unsecured website, and the other against a mortgage broker for inadequate disposal practices. Both cases - and indeed, the FTC's frequent activity in this area, as well as increased state regulation - make clear that businesses cannot ignore applicable responsibilities to protect personal data in their control. This article summarizes these new case developments and outlines proactive efforts that businesses can take to reduce their risk of becoming the next target.

Recent FTC Enforcement Actions

Computer Company - Unsecured Website . On February 5, 2009, the FTC announced that it settled charges with Genica Corp. and Compgeeks.com (d/b/a Computer Geeks Discount Outlet and Geeks.com) over charges that the companies violated Section 5 of the FTC Act by failing to provide reasonable security to protect sensitive customer data.1

Through their sales website, for purposes of authorizing payment purchases, the companies collected sensitive personal information from consumers, including a first and last name, address, email address, telephone number, credit card number, credit card expiration date and credit card security code. For a period of time, the companies stored that information in clear, readable text on the network on a computer that was accessible through their company website.

With respect to the storage of this personal information on the network, the FTC alleged that the companies engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security, including: (1) storing personal information in clear, readable text; (2) not adequately assessing the vulnerability of the companies' web application and network to commonly known or reasonably foreseeable attacks, such as "Structured Query Language" ("SQL") injection attacks; (3) not implementing simple, free or low-cost and readily available defenses to such attacks; (4) not using readily available security measures to monitor and control connections between computers on the network and from the network to the internet; and (5) failing to employ reasonable measures to detect and prevent unauthorized access to personal information, such as by logging or employing an intrusion detection system.

For at least a six-month period, hackers repeatedly exploited the practices summarized above by using SQL injection attacks on the companies' website and web application and found personal information stored on the network and exported the information of hundreds of customers, including credit card numbers, expiration dates and security codes, over the Internet to outside computers.

In the companies' privacy policy, they represented that they implemented reasonable and appropriate measures to protect personal information against unauthorized access: i.e. , " We use secure technology, privacy protection controls, and restrictions on employee access in order to safeguard your information ." The FTC concluded that the safeguards implemented were not sufficient, and thus, the companies' safeguard representations were allegedly false or misleading information, which the FTC charged was a violation of Section 5 of the FTC Act.

The Companies settled the charges with the FTC and agreed to a consent order that contains terms consistent with other FTC data breach settlements. Among other restrictions, the order bars the companies from making deceptive privacy and data security claims; requires them to implement and maintain a comprehensive information-security program that includes administrative, technical and physical safeguards; requires the companies to obtain, every other year for 10 years, an audit from a qualified, independent, third-party professional to ensure that the security program meets the standards of the order; and contains standard record-keeping provisions to allow the FTC to monitor compliance. If the companies violate the order in the future, they could face up to $16,000 "per violation" in civil penalties (a term that historically has been interpreted aggressively to permit a substantial civil penalties figure).

Mortgage Broker - Inadequate Disposal Practices . On January 21, 2009, the FTC announced its filing of a complaint in Nevada federal district court against an individual mortgage broker, Gregory Navone. The complaint alleges that the defendant disposed of records containing consumers' sensitive personal information in an unsecured dumpster and failed to implement data security measures necessary for the protection of customers' sensitive personal information. The FTC also charged the defendant with misrepresenting the extent of security controls in place to protect consumer data by two of the brokerage companies owned by the defendant (First Interstate Mortgage Corporation ("FIM") and Nevada One Corporation) and the third-party service providers with which the businesses contracted.

According to the FTC, in December 2006, approximately forty boxes of the defendant's business records containing customer files were found in a publicly available dumpster. The records consisted of tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers' licenses and credit reports. The FTC alleged that, prior to disposing of the customer records, the defendant kept them "in an insecure manner" in his garage. The FTC also alleged that the defendant falsely asserted to its customers that its mortgage businesses and their third-party service providers complied with "physical, electronic and procedural safeguards" required by federal law.

Based on these facts, the FTC charged in its complaint that the defendant failed to:

• Implement reasonable data security measures in key areas at his companies, including the physical and electronic security of sensitive consumer information and the proper collection, handling and disposal of such information;

• Implement and monitor policies and procedures requiring the secure disposal of credit reports;

• Alert employees or third parties to such documents' sensitive nature or instruct them to take precautions;

• Ensure that employees or third parties assigned to transport documents containing sensitive personal information for disposal are qualified to do so and have received appropriate guidance or training;

• Contractually require third party service providers to maintain appropriate safeguards for customer personal information; and

• Oversee the transport of such documents for disposal or otherwise confirm that the documents are disposed of in a way that ensures that they cannot be read or reconstructed.

In the complaint, the FTC asserts that, as a result of these actions, the defendant violated the Fair Credit Reporting Act (FCRA) and the FCRA's Disposal Rule. In addition, the FTC asserts that the defendant violated Section 5 of the FTC Act by falsely representing the data security practices of its mortgage businesses and the practices of the businesses' third-party service providers. The FTC seeks injunctive relief and civil penalties of up to $2,500 for each separate violation.

Lessons Learned

These cases serve as a reminder of the ever-increasing scrutiny - by the FTC, state attorneys general and private litigants - of businesses' information security practices and whether they are sufficiently protecting personal data against compromise and making accurate representations to the public about such security practices. To be sure, the security and disposal requirements addressed by the FTC in these latest cases are substantially similar to laws enacted over the last few years by a number of states, including Massachusetts, Connecticut, Nevada and California, among many others.

Generally, these laws require persons and businesses handling personal information (whether of employees, customers, prospective customers, etc.) to implement and maintain a comprehensive written information security program that includes applicable policies and procedures designed to protect the personal information from unauthorized access, destruction, use, modification and disclosure.

These laws generally require persons and businesses to:

• Identify how personal data is collected and transferred within and outside the business, and identify and implement controls to protect such data at the various access points (i.e., a vulnerability assessment);

• Avoid retaining personal information where there is no reasonable business justification for such retention;

• Develop a written, comprehensive information security program to facilitate the adoption of reasonable administrative, physical and technical safeguards for personal information;

• Restrict access to personal information stored by the business, including applying additional physical and electronic access restrictions to sensitive personal information;

• Have in place applicable contract terms, and perform reasonable oversight and monitoring, regarding the information security practices of third-party service providers that has access to or handles the business's personal information (including their handling of personal data disposal, archival, data processing and many other functions for the business);

• Train and periodically remind employees about the business's information security policies and procedures;

• Securely dispose of sensitive personal information (i.e., ensure that such hard copy and electronic documents are destroyed, erased, or otherwise made unreadable prior to disposal); and

• Respond appropriately to a data breach by maintaining a response team to help ensure compliance with data breach notification laws.

Failure to have such controls in place could expose a company to legal claims by the FTC, state attorneys general and private litigants. Many of the applicable laws provide for injunctive relief, in which a court could require the business to implement particular security controls within an accelerated time period. These laws also often provide for statutory penalties per violation, which may be construed as per individual consumer record compromised, the number of days the company was considered not in compliance with the relevant law, or using other criteria.Accordingly, the consequences of potential enforcement action can be costly.

The increased regulatory focus on information security practices underscores more than ever that businesses would be wise to re-examine their current information security posture with involvement by key stakeholders within the company and make appropriate adjustments as necessary that are in line with the current legal expectations for such controls. Often, however, companies' information security programs are designed and reviewed by IT-specific personnel only and do not involve an enterprise-wide examination and prioritization of the security controls and resources necessary to maintain and update such controls. This may result in key legal requirements left unaddressed. Given the current regulatory climate and spare excess resources among businesses, having in place a dynamic, enterprise-wide, practical information security program is a critical component of a risk management strategy. 1 See Genica Corp. et al, FTC File No. 082 3113, Pr. Release (Feb. 5, 2009), complaint and settlement agreement available at http://www.ftc.gov/opa/ 2009/02/compgeeks.shtm.

Alysa Z. Hutnik is an Associate in the Washington, D.C. office of Kelley Drye & Warren, LLP where she focuses in privacy, data security, and advertising law.

Please email the author at ahutnik@kelleydrye.com with questions about this article.