When managing your network, developing an app, or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant. As the Federal Trade Commission outlined in Protecting Personal Information: A Guide for Business, you should know what personal information you have in your files and on your computers, and keep only what you need for your business. You should protect the information that you keep, and properly dispose of what you no longer need. And, of course, you should create a plan to respond to security incidents.

In addition to Protecting Personal Information, the FTC has resources to help you think through how those principles apply to your business. There’s an online tutorial to help train your employees; publications to address particular data security challenges; and news releases, blog posts, and guidance to help you identify – and possibly prevent – pitfalls.

Protecting Personal Information: A Guide for Business

Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card or other account data—that identifies customers or employees.

This information often is necessary to fill orders, meet payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms. Given the cost of a security breach—losing your customers’ trust and perhaps even defending yourself against a lawsuit—safeguarding personal information is just plain good business.

Some businesses may have the expertise in-house to implement an appropriate plan. Others may find it helpful to hire a contractor. Regardless of the size—or nature—of your business, the principles in this brochure will go a long way toward helping you keep data secure.

A sound data security plan is built on 5 key principles:

  1. TAKE STOCK. Know what personal information you have in your files and on your computers.
  2. SCALE DOWN. Keep only what you need for your business.
  3. LOCK IT. Protect the information that you keep.
  4. PITCH IT. Properly dispose of what you no longer need.
  5. PLAN AHEAD. Create a plan to respond to security incidents.

1. TAKE STOCK. KNOW WHAT PERSONAL INFORMATION YOU HAVE IN YOUR FILES AND ON YOUR COMPUTERS.

  • Inventory all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and other equipment to find out where your company stores sensitive data. Also, inventory the information you have by type and location. Your file cabinets and computer systems are a start, but remember: your business receives personal information in a number of ways—through websites, from contractors, from call centers, and the like. What about information saved on laptops, employees’ home computers, flash drives, digital copiers, and mobile devices? No inventory is complete until you check everywhere sensitive data might be stored.
  • Track personal information through your business by talking with your sales department, information technology staff, human resources office, accounting personnel, and outside service providers. Get a complete picture of:
  • Who sends sensitive personal information to your business. Do you get it from customers? Credit card companies? Banks or other financial institutions? Credit bureaus? Job applicants? Other businesses?
  • How your business receives personal information. Does it come to your business through a website? By email? Through the mail? Is it transmitted through cash registers in stores?
  • What kind of information you collect at each entry point. Do you get credit card information online? Does your accounting department keep information about customers’ checking accounts?
  • Where you keep the information you collect at each entry point. Is it in a central computer database? On individual laptops? On a cloud computing service? On employees’ smartphones, tablets, or other mobile devices? On disks or tapes? In file cabinets? In branch offices? Do employees have files at home?
  • Who has—or could have—access to the information. Which of your employees has permission to access the information? Do they need access? Could anyone else get a hold of it? What about vendors who supply and update software you use to process credit card transactions? Contractors operating your call center?
  • Different types of information present varying risks. Pay particular attention to how you keep personally identifying information: Social Security numbers, credit card or financial information, and other sensitive data. That’s what thieves use most often to commit fraud or identity theft.

SECURITY CHECK

Question:
Are there laws that require my company to keep sensitive data secure?

Answer:
Yes. While you’re taking stock of the data in your files, take stock of the law, too. Statutes like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information.

Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has—or could have—access to it is essential to assessing security vulnerabilities. You can determine the best ways to secure the information only after you’ve traced how it flows.

To find out more, visit business.ftc.gov/privacy-and-security.

2. SCALE DOWN. KEEP ONLY WHAT YOU NEED FOR YOUR BUSINESS.

If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it’s necessary.

  • Use Social Security numbers only for required and lawful purposes— like reporting employee taxes. Don’t use Social Security numbers unnecessarily—for example, as an employee or customer identification number, or because you’ve always done it.
  • If your company develops a mobile app, make sure the app accesses only data and functionality that it needs. And don’t collect and retain personal information unless it’s integral to your product or service. Remember, if you collect and retain data, you must protect it.
  • Don’t keep customer credit card information unless you have a business need for it. For example, don’t retain the account number and expiration date unless you have an essential business need to do so. Keeping this information—or keeping it longer than necessary—raises the risk that the information could be used to commit fraud or identity theft.
  • Scale down access to data. Follow the “principle of least privilege.” That means each employee should have access only to those resources needed to do their particular job.

SECURITY CHECK

Question:
We like to have accurate information about our customers, so we usually create a permanent file about all aspects of their transactions, including the information we collect from the magnetic stripe on their credit cards. Could this put their information at risk?

Answer:
Yes. Keep sensitive data in your system only as long as you have a business reason to have it. Once that business need is over, properly dispose of it. If it’s not in your system, it can’t be stolen by hackers.

If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.

3. LOCK IT. PROTECT THE INFORMATION THAT YOU KEEP.

What’s the best way to protect the sensitive personally identifying information you need to keep? It depends on the kind of information and how it’s stored. The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.

Physical Security

Many data compromises happen the old-fashioned way—through lost or stolen paper documents. Often, the best defense is a locked door or an alert employee.

  • Store paper documents or files, as well as thumb drives and backups containing personally identifiable information in a locked room or in a locked file cabinet. Limit access to employees with a legitimate business need. Control who has a key, and the number of keys.
  • Require that files containing personally identifiable information be kept in locked file cabinets except when an employee is working on the file. Remind employees not to leave sensitive papers out on their desks when they are away from their workstations.
  • Require employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.
  • Implement appropriate access controls for your building. Tell employees what to do and whom to call if they see an unfamiliar person on the premises.
  • If you maintain offsite storage facilities, limit employee access to those with a legitimate business need. Know if and when someone accesses the storage site.
  • If you ship sensitive information using outside carriers or contractors, encrypt the information and keep an inventory of the information being shipped. Also use an overnight shipping service that will allow you to track the delivery of your information.
  • If you have devices that collect sensitive information, like PIN pads, secure them so that identity thieves can’t tamper with them. Also, inventory those items to ensure that they have not been switched.

Electronic Security

Computer security isn’t just the realm of your IT staff. Make it your business to understand the vulnerabilities of your computer system, and follow the advice of experts in the field.

General Network Security

  • Identify the computers or servers where sensitive personal information is stored.
  • Identify all connections to the computers where you store sensitive information. These may include the internet, electronic cash registers, computers at your branch offices, computers used by service providers to support your network, digital copiers, and wireless devices like smartphones, tablets, or inventory scanners.
  • Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks. Depending on your circumstances, appropriate assessments may range from having a knowledgeable employee run off-the-shelf security software to having an independent professional conduct a full-scale security audit.
  • Don’t store sensitive consumer data on any computer with an internet connection unless it’s essential for conducting your business.
  • Encrypt sensitive information that you send to third parties over public networks (like the internet), and encrypt sensitive information that is stored on your computer network, laptops, or portable storage devices used by your employees. Consider also encrypting email transmissions within your business.
  • Regularly run up-to-date anti-malware programs on individual computers and on servers on your network.
  • Check expert websites (such as www.us-cert.gov) and your software vendors’ websites regularly for alerts about new vulnerabilities, and implement policies for installing vendor-approved patches to correct problems.
  • Restrict employees’ ability to download unauthorized software. Software downloaded to devices that connect to your network (computers, smartphones, and tablets) could be used to distribute malware.
  • Scan computers on your network to identify and profile the operating system and open network services. If you find services that you don’t need, disable them to prevent hacks or other potential security problems. For example, if email service or an internet connection is not necessary on a certain computer, consider closing the ports to those services on that computer to prevent unauthorized access to that machine.
  • When you receive or transmit credit card information or other sensitive financial data, use Transport Layer Security (TLS) encryption or another secure connection that protects the information in transit.
  • Pay particular attention to the security of your web applications—the software used to give information to visitors to your website and to retrieve information from them. Web applications may be particularly vulnerable to a variety of attacks. In one variation called an “injection attack,” a hacker inserts malicious commands into what looks like a legitimate request for information. Once in your system, hackers transfer sensitive information from your network to their computers. Relatively simple defenses against these attacks, such as parameterized database queries and strict input validation, are available from a variety of sources.
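The scan-and-disable step above is easy to state and easy to skip. As an added, illustrative example (not part of the FTC guidance), the following Python script takes a listing of listening sockets in the layout of Linux’s `ss -tlnp` (the sample below is constructed, not captured from a real host) and compares it with an allowlist describing which services this machine is supposed to expose. The allowlist, the port numbers and the process names are assumptions made for the example; on a real host you would feed in the output of `ss -tlnp` (or `netstat -tlnp`) and set the allowlist from your own inventory.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the layout of `ss -tlnp` (Linux); not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=955,fd=5))
LISTEN  0       50      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1400,fd=21))
LISTEN  0       128     [::]:23              [::]:*             users:(("inetd",pid=600,fd=4))
LISTEN  0       4096    0.0.0.0:5900         0.0.0.0:*          users:(("x11vnc",pid=2200,fd=7))
"""

# Assumed policy for this host: which ports may face the network, and which
# services are allowed only on the loopback interface.
EXPECTED_PUBLIC = {22: "sshd", 443: "nginx"}   # port -> process that should own it
LOOPBACK_ONLY = {5432, 3306}                   # databases: never bound to 0.0.0.0 or ::
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}

# LISTEN, two queue counters, local address, peer address, optional owning process.
SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+(?:\s+users:\(\("([^"]+)")?')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Extract (address, port, process) for every LISTEN line; the header is skipped."""
    listeners = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        local, proc = m.group(1), m.group(2) or "?"
        addr, port = local.rsplit(":", 1)          # handles "[::]:23" as well as "0.0.0.0:22"
        listeners.append(Listener(addr.strip("[]"), int(port), proc))
    return listeners


def audit(listeners: list[Listener]) -> list[tuple[int, str]]:
    """Return (port, reason) for every listener that violates the policy above."""
    findings = []
    for l in listeners:
        exposed = l.addr not in LOOPBACK_ADDRS
        if l.port in EXPECTED_PUBLIC:
            if l.process != EXPECTED_PUBLIC[l.port]:
                findings.append((l.port, f"port is approved but owned by {l.process}"))
        elif l.port in LOOPBACK_ONLY:
            if exposed:
                findings.append((l.port, f"{l.process} bound to {l.addr}; restrict to loopback"))
        elif exposed:
            findings.append((l.port, f"unapproved service {l.process} exposed on {l.addr}"))
    return findings


if __name__ == "__main__":
    for port, reason in audit(parse_ss(SAMPLE_SS)):
        print(f"port {port}: {reason}")
```

On the constructed sample the audit flags three listeners: MySQL bound to every interface instead of loopback, a telnet daemon nobody approved, and a VNC server. SSH and HTTPS pass because the allowlist names both the port and the process that should own it, so a rogue process squatting on an approved port would still be reported. Running this on a schedule and diffing the findings against the previous run is a cheap way to notice when a new service appears on a machine that holds sensitive data.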

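The injection attack described in the last bullet is worth seeing in code. The following Python example is added here for illustration and is not part of the FTC guidance; it uses an in-memory SQLite table with constructed sample rows. The vulnerable function builds the query by concatenating the visitor’s input into the SQL text, so a crafted name turns a lookup for one customer into a dump of every row. The safe function sends the same input as a bound parameter, which the database treats as data and never as SQL. The table, column names and payload are assumptions for the example.

```python
from __future__ import annotations

import sqlite3

# Constructed sample data, not from any real system.
SAMPLE_ROWS = [("Ada Lovelace", "4242"), ("Bob Ross", "1881"), ("Cy Young", "0005")]


def make_db() -> sqlite3.Connection:
    """In-memory customer table holding only the last four digits of each card."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple[str, str]]:
    """VULNERABLE: the request is spliced into the SQL text, so quotes in it become SQL."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[tuple[str, str]]:
    """SAFE: a parameterized query; the driver passes the value separately from the statement."""
    return conn.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


# A classic tautology payload. Spliced in, the WHERE clause reads
#   name = 'nobody' OR '1'='1'
# which is true for every row in the table.
PAYLOAD = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # every customer's row
    print("safe:      ", lookup_safe(db, PAYLOAD))         # [] -- no customer has that literal name
```

The same rule applies in every language and to every database driver: never build SQL (or shell commands, LDAP filters, or similar) by concatenating untrusted input, and use the driver’s placeholder syntax instead. Parameterization is the first of the “relatively simple defenses” the text refers to; strict input validation and running the application under a database account that can only read the columns it needs limit the damage if an injection slips through anyway.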
There’s another source of information about keeping sensitive data secure: the lessons learned from the more than 50 law enforcement actions the FTC has announced so far. These are settlements – no findings have been made by a court – and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps. Distilling the facts of those cases down to their essence, here are ten lessons to learn that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose.

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

1. START WITH SECURITY.

From personal data on employment applications to network files with customers’ credit card numbers, sensitive information pervades every part of many companies. Business executives often ask how to manage confidential information. Experts agree on the key first step: Start with security. Factor it into the decision-making in every department of your business – personnel, sales, accounting, information technology, etc. Collecting and maintaining information “just because” is no longer a sound business strategy. Savvy companies think through the implication of their data decisions. By making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of a data compromise down the road. Of course, all of those decisions will depend on the nature of your business. Lessons from FTC cases illustrate the benefits of building security in from the start by going lean and mean in your data collection, retention, and use policies.

Don’t collect personal information you don’t need.

Here’s a foundational principle to inform your initial decision-making: No one can steal what you don’t have. When does your company ask people for sensitive information? Perhaps when they’re registering online or setting up a new account. When was the last time you looked at that process to make sure you really need everything you ask for? That’s the lesson to learn from a number of FTC cases. For example, the FTC’s complaint against RockYou charged that the company collected lots of information during the site registration process, including the user’s email address and email password. By collecting email passwords – not something the business needed – and then storing them in clear text, the FTC said the company created an unnecessary risk to people’s email accounts. The business could have avoided that risk simply by not collecting sensitive information in the first place.

RockYou, Inc.

Hold on to information only as long as you have a legitimate business need.

Sometimes it’s necessary to collect personal data as part of a transaction. But once the deal is done, it may be unwise to keep it. In the FTC’s BJ’s Wholesale Club case, the company collected customers’ credit and debit card information to process transactions in its retail stores. But according to the complaint, it continued to store that data for up to 30 days – long after the sale was complete. Not only did that violate bank rules, but by holding on to the information without a legitimate business need, the FTC said BJ’s Wholesale Club created an unreasonable risk. By exploiting other weaknesses in the company’s security practices, hackers stole the account data and used it to make counterfeit credit and debit cards. The business could have limited its risk by securely disposing of the financial information once it no longer had a legitimate need for it.

What they did wrong

From at least November 1, 2003, until February 2004, Respondent did not employ reasonable and appropriate measures to secure personal information collected at its stores. Among other things, Respondent

(1) did not encrypt the information while in transit or when stored on the in-store computer networks;

(2) stored the information in files that could be accessed anonymously — that is, using a commonly known default user id and password;

(3) did not use readily available security measures to limit access to its computer networks through wireless access points on the networks;

(4) failed to employ sufficient measures to detect unauthorized access or conduct security investigations; and

(5) created unnecessary risks to the information by storing it for up to 30 days when it no longer had a business need to keep the information, and in violation of bank rules. As a result, a hacker could have used the wireless access points on an in-store computer network to connect to the network and, without authorization, access personal information on the network.

[Embedded document: FTC complaint, file 092305comp0423160]

BJ’s Wholesale Club Settles FTC Charges

BJ’s Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law. According to the FTC, this information was used by an unauthorized person or persons to make millions of dollars of fraudulent purchases. The settlement will require BJ’s to implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years.

Natick, Massachusetts-based BJ’s operates 150 warehouse stores and 78 gas stations in 16 states in the Eastern United States. Approximately 8 million consumers are currently members, with net sales totaling about $6.6 billion in 2003.

“Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security,” said Deborah Platt Majoras, Chairman of the FTC. “This case demonstrates our intention to challenge companies that fail to protect adequately consumers’ sensitive information.”

According to the FTC’s complaint, BJ’s uses a computer network to obtain bank authorization for credit and debit card purchases and to track inventory. For credit and debit card purchases at its stores, BJ’s collects information, such as name, card number, and expiration date, from the magnetic stripe on the back of the cards. The information is sent from the computer network in the store to BJ’s central datacenter computer network and from there through outside computer networks to the bank that issued the card.

The FTC charged that BJ’s engaged in a number of practices which, taken together, did not provide reasonable security for sensitive customer information. Specifically, the agency alleges that BJ’s:

  • Failed to encrypt consumer information when it was transmitted or stored on computers in BJ’s stores;
  • Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
  • Stored the information in files that could be accessed using commonly known default user IDs and passwords;
  • Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
  • Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

The FTC’s complaint charges that the fraudulent purchases were made using counterfeit copies of credit and debit cards used at BJ’s stores, and that the counterfeit cards contained the same personal information BJ’s had collected from the magnetic stripes of the cards. After the fraud was discovered, banks cancelled and re-issued thousands of credit and debit cards, and consumers experienced inconvenience, worry, and time loss dealing with the affected cards. Since then, banks and credit unions have filed lawsuits against BJ’s and pursued bank procedures seeking the return of millions of dollars in fraudulent purchases and operating expenses. According to BJ’s SEC filings, as of May 2005, the amount of outstanding claims was approximately $13 million.

The FTC alleges that BJ’s failure to secure customers’ sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition. The settlement requires BJ’s to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires BJ’s to obtain an audit from a qualified, independent, third-party professional that its security program meets the standards of the order, and to comply with standard bookkeeping and record keeping provisions.

The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through July 16, 2005, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

Copies of the complaint and consent agreement are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

(FTC File No. 0423160)

CONTACT INFORMATION

Media Contact:

Claudia Bourne Farrell,
Office of Public Affairs
202-326-2181

Staff Contact:
Jessica Rich
Division of Financial Practices
202-326-2148

The FBI is the lead federal agency for investigating cyber attacks by criminals, overseas adversaries, and terrorists. The threat is incredibly serious—and growing. Cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated. Our nation’s critical infrastructure, including both private and public sector networks, is targeted by adversaries. American companies are targeted for trade secrets and other sensitive corporate data, and universities for their cutting-edge research and development. Citizens are targeted by fraudsters and identity thieves, and children are targeted by online predators. Just as the FBI transformed itself to better address the terrorist threat after the 9/11 attacks, it is undertaking a similar transformation to address the pervasive and evolving cyber threat. This means enhancing the Cyber Division’s investigative capacity to sharpen its focus on intrusions into government and private computer networks.

Don’t use personal information when it’s not necessary.

You wouldn’t juggle with a Ming vase. Nor should businesses use personal information in contexts that create unnecessary risks.

In the Accretive case, the FTC alleged that the company used real people’s personal information in employee training sessions, and then failed to remove the information from employees’ computers after the sessions were over.

Similarly, in foru International, the FTC charged that the company gave access to sensitive consumer data to service providers who were developing applications for the company.

In both cases, the risk could have been avoided by using fictitious information for training or development purposes.

2. CONTROL ACCESS TO DATA SENSIBLY.

Once you’ve decided you have a legitimate business need to hold on to sensitive data, take reasonable steps to keep it secure. You’ll want to keep it from the prying eyes of outsiders, of course, but what about your own employees? Not everyone on your staff needs unrestricted access to your network and the information stored on it. Put controls in place to make sure employees have access only on a “need to know” basis. For your network, consider steps such as separate user accounts to limit access to the places where personal data is stored or to control who can use particular databases. For paper files, external drives, disks, etc., an access control could be as simple as a locked file cabinet. When thinking about how to control access to sensitive information in your possession, consider these lessons from FTC cases.

Restrict access to sensitive data.

If employees don’t have to use personal information as part of their job, there’s no need for them to have access to it. For example, in Goal Financial, the FTC alleged that the company failed to restrict employee access to personal information stored in paper files and on its network. As a result, a group of employees transferred more than 7,000 consumer files containing sensitive information to third parties without authorization. The company could have prevented that misstep by implementing proper controls and ensuring that only authorized employees with a business need had access to people’s personal information.

Goal Financial, LLC, In the Matter of

Student Lender Settles FTC Charges That It Failed to Safeguard Sensitive Consumer Information and Misrepresented Its Security Practices

A student loan company has agreed to settle Federal Trade Commission charges that it failed to provide reasonable and appropriate security for consumers’ sensitive personal information in violation of federal law. The proposed settlement will require the company to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 10 years.

According to the FTC’s complaint, Goal Financial, LLC, collects personal information from applicants in the course of providing loans and related services. As a result of security failures, employees transferred more than 7,000 files with consumer information to third parties without authorization, and one employee sold to the public surplus hard drives that contained, in clear text, information about 34,000 consumers.

Goal Financial allegedly violated the FTC’s Safeguards Rule by failing to: adequately assess the risks to consumers’ personal information, adequately restrict access to this information to authorized employees, implement a comprehensive information security program, provide adequate employee training, and, in some instances, contractually require third-party service providers to protect the information. The San Diego-based company allegedly violated the FTC’s Privacy Rule by providing customers with a privacy policy that contained false or misleading statements, and the FTC Act by falsely representing to consumers that it implements reasonable and appropriate measures to protect personal information.

The proposed consent order bars Goal Financial from future data security misrepresentations and requires the company to implement and maintain a comprehensive information-security program that includes administrative, technical, and physical safeguards. The settlement also requires the company to obtain, every two years for the next 10 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. The settlement also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.

This is the FTC’s 17th case to challenge data security practices by a company handling sensitive consumer information.

The Commission vote to accept the complaint and proposed consent agreement was 5-0.

The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, until April 3, 2008, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC requests that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

NOTE: The Commission issues a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the respondent has actually violated the law. The consent agreement is for settlement purposes only and does not constitute an admission by the respondent of a law violation.

Copies of the complaint, consent order, and an analysis to aid public comment are available from the FTC’s Web site at http://www.ftc.gov and the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftc.gov/ftc/complaint.shtm or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://ftc.gov/bcp/consumer.shtm.

CONTACT INFORMATION

MEDIA CONTACT:
Frank Dorman
Office of Public Affairs
202-326-2674
STAFF CONTACT:
Jessica Rich
Bureau of Consumer Protection
202-326-2148

Limit administrative access.

Administrative access, which allows a user to make system-wide changes to your system, should be limited to the employees tasked to do that job.

In its action against Twitter, for example, the FTC alleged that the company granted almost all of its employees administrative control over Twitter’s system, including the ability to reset user account passwords, view users’ nonpublic tweets, and send tweets on users’ behalf. According to the complaint, by providing administrative access to just about everybody in-house, Twitter increased the risk that a compromise of any of its employees’ credentials could result in a serious breach.

How could the company have reduced that risk?

By ensuring that employees’ access to the system’s administrative controls was tailored to their job needs.

Twitter, Inc., a corporation

Twitter Settles Charges that it Failed to Protect Consumers’ Personal Information; Company Will Establish Independently Audited Information Security Program

FOR RELEASE

Social networking service Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information, marking the agency’s first such case against a social networking service.

The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers had designated private, and the ability to send out phony tweets from any account including those belonging to then-President-elect Barack Obama and Fox News, among others.

“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, Director of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure.”

According to the FTC complaint, Twitter allows users to send “tweets” – brief messages of 140 characters or fewer – to “followers” who sign up to receive such messages via e-mail or phone text. Twitter offers privacy settings through which a user may choose to designate tweets as nonpublic. For instance, users can send “direct messages” to a specified follower so that only the specific author and recipient can view the message. Twitter users can also click a button labeled “Protect my tweets,” which makes that user’s tweets private so that only approved followers can view them.

The privacy policy posted on Twitter’s website stated that “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”

The FTC’s complaint alleged that between January and May of 2009, hackers were able to gain administrative control of Twitter on two occasions. In January 2009, a hacker used an automated password-guessing tool to gain administrative control of Twitter, after submitting thousands of guesses into Twitter’s login webpage. The administrative password was a weak, lowercase, common dictionary word. Using the password, the hacker reset several passwords, and posted some of them on a website, where other people could access them. Using these fraudulently reset passwords, other intruders sent phony tweets from approximately nine user accounts. One tweet was sent from the account of then-President-elect Barack Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline. At least one phony tweet was sent from the account of Fox News.

During a second security breach, in April 2009, a hacker was able to guess the administrative password of a Twitter employee after compromising the employee’s personal email account where two similar passwords were stored in plain text. The hacker reset at least one Twitter user’s password, and could access nonpublic user information and tweets for any Twitter users.

According to the FTC’s complaint, Twitter was vulnerable to these attacks because it failed to prevent unauthorized administrative control of its system, including reasonable steps to:

  • require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;
  • prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;
  • suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
  • provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
  • enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;
  • restrict access to administrative controls to employees whose jobs required it; and
  • impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
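The controls in the complaint’s list, together with the “tailored to job needs” point from the Limit administrative access lesson above, can be expressed as one policy gate. This is an added illustration, not FTC or Twitter code; the role names, the dedicated admin path, the office IP range and the scenarios are constructed.

```python
"""Admin-access gate modelled on the controls the Twitter complaint lists.

Added illustration, not FTC or Twitter code. The role names, the dedicated
admin path and the office IP range are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

PASSWORD_MAX_AGE = timedelta(days=90)        # periodic rotation, as in the complaint
ADMIN_LOGIN_PATH = "/internal/ops-console"   # separate from the public /login page
ADMIN_SOURCE_NETS = [ip_network("203.0.113.0/24")]  # constructed office range (RFC 5737 block)

# Administrative capabilities granted per job function: support staff can reset a
# user's password but cannot read private messages or post on a user's behalf.
ROLE_GRANTS = {
    "support": {"reset_user_password"},
    "trust_safety": {"reset_user_password", "view_nonpublic_messages"},
    "platform_admin": {"reset_user_password", "view_nonpublic_messages", "post_as_user"},
}


@dataclass
class Employee:
    username: str
    roles: set = field(default_factory=set)
    password_set_at: datetime = datetime(2000, 1, 1)


@dataclass
class Decision:
    allowed: bool
    reason: str


def capabilities(emp):
    """Union of what the employee's roles grant; empty for staff with no admin role."""
    return set().union(*(ROLE_GRANTS.get(r, set()) for r in emp.roles))


def check_admin_action(emp, action, request_path, source_ip, now):
    """Allow an administrative action only when every control in the policy holds."""
    if request_path != ADMIN_LOGIN_PATH:
        return Decision(False, "admin functions are served only from the dedicated admin path")
    if not any(ip_address(source_ip) in net for net in ADMIN_SOURCE_NETS):
        return Decision(False, f"source {source_ip} is outside the admin allowlist")
    if now - emp.password_set_at > PASSWORD_MAX_AGE:
        return Decision(False, "administrative password older than 90 days; rotate before use")
    if action not in capabilities(emp):
        return Decision(False, f"{emp.username} is not granted '{action}'")
    return Decision(True, "allowed")


def run_scenarios():
    """Constructed scenarios; returns {name: allowed} so the outcomes can be checked."""
    now = datetime(2024, 6, 1)
    support = Employee("sam", {"support"}, datetime(2024, 5, 1))
    admin = Employee("ada", {"platform_admin"}, datetime(2024, 5, 1))
    stale = Employee("old", {"platform_admin"}, datetime(2024, 1, 1))
    inside, outside = "203.0.113.10", "198.51.100.7"
    path = ADMIN_LOGIN_PATH
    return {
        "support_resets_password": check_admin_action(support, "reset_user_password", path, inside, now).allowed,
        "support_reads_private": check_admin_action(support, "view_nonpublic_messages", path, inside, now).allowed,
        "admin_from_office": check_admin_action(admin, "post_as_user", path, inside, now).allowed,
        "admin_from_outside": check_admin_action(admin, "post_as_user", path, outside, now).allowed,
        "admin_via_public_login": check_admin_action(admin, "post_as_user", "/login", inside, now).allowed,
        "admin_with_stale_password": check_admin_action(stale, "post_as_user", path, inside, now).allowed,
    }
```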

Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years.

The Commission vote approving the complaint and settlement was 5-0. The FTC will publish an announcement regarding the consent agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, until July 26, 2010, after which the Commission will decide whether to make it final. To file a public comment, please click on the following hyperlink https://public.commentworks.com/ftc/twitter and follow the instructions at that site.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the respondent has actually violated the law.

The consent agreement is for settlement purposes only and does not constitute admission by the respondent of a law violation. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

(FTC File No. 0923093)

CONTACT INFORMATION

MEDIA CONTACT:
Claudia Bourne Farrell
Office of Public Affairs
202-326-2181
STAFF CONTACT:
Laura Berger
Bureau of Consumer Protection
202-326-2471

3. REQUIRE SECURE PASSWORDS AND AUTHENTICATION.

If you have personal information stored on your network, strong authentication procedures – including sensible password “hygiene” – can help ensure that only authorized individuals can access the data. When developing your company’s policies, here are tips to take from FTC cases.

Insist on complex and unique passwords.

“Passwords” like 121212 or qwerty aren’t much better than no passwords at all. That’s why it’s wise to give some thought to the password standards you implement. In the Twitter case, for example, the company let employees use common dictionary words as administrative passwords, as well as passwords they were already using for other accounts. According to the FTC, those lax practices left Twitter’s system vulnerable to hackers who used password-guessing tools, or tried passwords stolen from other services in the hope that Twitter employees used the same password to access the company’s system. Twitter could have limited those risks by implementing a more secure password system – for example, by requiring employees to choose complex passwords and training them not to use the same or similar passwords for both business and personal accounts.

Store passwords securely.

Don’t make it easy for interlopers to access passwords. 

In Guidance Software, the FTC alleged that the company stored network user credentials in clear, readable text that helped a hacker access customer credit card information on the network. 

Similarly, in Reed Elsevier, the FTC charged that the business allowed customers to store user credentials in a vulnerable format in cookies on their computers. 

In Twitter, too, the FTC said the company failed to establish policies that prohibited employees from storing administrative passwords in plain text in personal email accounts. 

In each of those cases, the risks could have been reduced if the companies had policies and procedures in place to store credentials securely.

Businesses also may want to consider other protections – two-factor authentication, for example – that can help protect against password compromises.
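One way to put both lessons into code, the complexity and uniqueness rules from “Insist on complex and unique passwords” and the secure storage from this section, is a small credential store that applies a policy and keeps only salted iterative hashes. This is an added illustration, not code from the FTC or any of the companies named; the blocklist and dictionary are tiny constructed stand-ins for a breached-password list and a real dictionary.

```python
"""Password policy and storage modelled on the Twitter, Guidance Software and
Reed Elsevier lessons. Added illustration, not code from the FTC or those
companies. The blocklist and dictionary below are tiny constructed stand-ins
for a breached-password list and a real dictionary.
"""
import hashlib
import hmac
import secrets

COMMON_PASSWORDS = {"121212", "qwerty", "password", "letmein", "welcome1"}
DICTIONARY_WORDS = {"sunshine", "happiness", "football", "baseball"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000      # iterative hash: each guess costs the attacker this much work
PASSWORD_HISTORY = 5             # previous hashes kept so the policy can refuse reuse


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-password salt; returns a self-describing record."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute from the stored salt and iteration count; constant-time comparison."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def policy_violations(candidate, previous_records=()):
    """Reasons a candidate password is unacceptable; an empty list means it passes."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if lowered in DICTIONARY_WORDS:
        problems.append("a single dictionary word")
    if any(verify_password(candidate, rec) for rec in previous_records):
        problems.append("reuses a previous password")
    return problems


class CredentialStore:
    """Keeps only salted PBKDF2 records; the plaintext never reaches disk, mail or cookies."""

    def __init__(self):
        self._history = {}   # username -> [newest record, ..., oldest record]

    def set_password(self, username, candidate):
        """Apply the policy, then store the hash. Returns the violations (empty list = stored)."""
        previous = self._history.get(username, [])
        problems = policy_violations(candidate, previous)
        if problems:
            return problems
        self._history[username] = ([hash_password(candidate)] + previous)[:PASSWORD_HISTORY]
        return []

    def authenticate(self, username, password):
        records = self._history.get(username)
        return bool(records) and verify_password(password, records[0])

    def stored_record(self, username):
        """What someone who copies the credential table actually obtains: no plaintext."""
        return self._history.get(username, [None])[0]
```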

Guard against brute force attacks.

Remember that adage about an infinite number of monkeys at an infinite number of typewriters? 

Hackers use automated programs that perform a similar function. 

These brute force attacks work by typing endless combinations of characters until hackers luck into someone’s password.

In the Lookout Services, Twitter, and Reed Elsevier cases, the FTC alleged that the businesses didn’t suspend or disable user credentials after a certain number of unsuccessful login attempts.

By not adequately restricting the number of tries, the companies placed their networks at risk.

Implementing a policy to suspend or disable accounts after repeated login attempts would have helped to eliminate that risk.
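The suspend-after-repeated-failures policy this lesson describes (and item three of the Twitter complaint’s list) can be implemented as a throttle in front of the credential check. This is an added illustration, not code from the FTC or any company named; the thresholds are constructed policy values and the fake clock exists only so the behaviour can be exercised without waiting.

```python
"""Account lockout after repeated failed logins, the control the FTC said Lookout
Services, Twitter and Reed Elsevier lacked. Added illustration, not code from the
FTC or those companies; the thresholds are constructed policy values.
"""
import time
from collections import defaultdict

MAX_FAILURES = 5            # failures allowed inside the window before locking
FAILURE_WINDOW = 15 * 60    # seconds; older failures no longer count
LOCKOUT_SECONDS = 30 * 60   # how long the account stays disabled


class FakeClock:
    """Deterministic clock so the policy can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(list)   # account -> timestamps of recent failures
        self._locked_until = {}              # account -> unlock time
        self.lockout_events = []             # (account, time): feed these to monitoring

    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self._clock() < until

    def record_failure(self, account):
        now = self._clock()
        recent = [t for t in self._failures[account] if now - t <= FAILURE_WINDOW]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self.lockout_events.append((account, now))
            recent = []
        self._failures[account] = recent

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle, account, check_password):
    """Gate around the real credential check. A locked account is refused before the
    password is even evaluated, so guessing cannot continue during the lockout."""
    if throttle.is_locked(account):
        return "locked"
    if check_password():
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "locked" if throttle.is_locked(account) else "denied"


def run_scenarios():
    """Constructed scenarios on the fake clock; returns the observable outcomes."""
    wrong, right = (lambda: False), (lambda: True)
    clock = FakeClock(1000.0)
    burst = LoginThrottle(clock)
    outcomes = [attempt_login(burst, "admin", wrong) for _ in range(MAX_FAILURES)]
    refused_with_right_pw = attempt_login(burst, "admin", right)
    clock.advance(LOCKOUT_SECONDS + 1)
    after_lockout = attempt_login(burst, "admin", right)
    slow_clock = FakeClock(0.0)
    slow = LoginThrottle(slow_clock)
    for _ in range(3 * MAX_FAILURES):   # failures spaced beyond the window never accumulate
        attempt_login(slow, "bob", wrong)
        slow_clock.advance(FAILURE_WINDOW + 1)
    return {
        "burst": outcomes,
        "refused_with_right_pw": refused_with_right_pw,
        "after_lockout": after_lockout,
        "lockouts_logged": len(burst.lockout_events),
        "slow_locked": slow.is_locked("bob"),
    }
```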

Protect against authentication bypass.

Locking the front door doesn’t offer much protection if the back door is left open.

In Lookout Services, the FTC charged that the company failed to adequately test its web application for widely-known security flaws, including one called “predictable resource location.” As a result, a hacker could easily predict patterns and manipulate URLs to bypass the web app’s authentication screen and gain unauthorized access to the company’s databases.

The company could have improved the security of its authentication mechanism by testing for common vulnerabilities.
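The “back door” in the Lookout Services case is a resource reachable by guessing its URL without passing the login screen. One defence is a single gate that authenticates every request before routing and then authorizes per object, with resource identifiers that cannot be enumerated, plus a regression test that no path is served without a session. This is an added illustration, not FTC or Lookout Services code; the routes, the token format and the sample document are constructed.

```python
"""Central authentication gate for a document store, the control Lookout Services
was alleged to lack. Added illustration, not FTC or Lookout Services code; the
routes and the sample document are constructed.
"""
import secrets
from http import HTTPStatus


class DocumentService:
    def __init__(self):
        self._sessions = {}   # session token -> username
        self._docs = {}       # document id -> (owner, content)

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def store_document(self, owner, content):
        # Random 128-bit ids: a sequential /docs/1, /docs/2 scheme is the
        # "predictable resource location" pattern the complaint describes.
        doc_id = secrets.token_urlsafe(16)
        self._docs[doc_id] = (owner, content)
        return doc_id

    def handle(self, path, session_token=None):
        """Authenticate before routing, then authorize per object. Returns (status, body)."""
        user = self._sessions.get(session_token) if session_token else None
        if user is None:
            return HTTPStatus.UNAUTHORIZED, None   # every path, including direct object URLs
        parts = path.strip("/").split("/")
        if len(parts) == 2 and parts[0] == "docs":
            entry = self._docs.get(parts[1])
            if entry is None:
                return HTTPStatus.NOT_FOUND, None
            owner, content = entry
            if owner != user:
                return HTTPStatus.FORBIDDEN, None   # authenticated is not the same as authorized
            return HTTPStatus.OK, content
        return HTTPStatus.NOT_FOUND, None


def unauthenticated_access_rejected(service, paths):
    """The test the text calls for: no path may serve content without a valid session."""
    return all(service.handle(path)[0] == HTTPStatus.UNAUTHORIZED for path in paths)


def build_sample_service():
    """Constructed fixture: one record owned by 'alice'; returns (service, doc_id)."""
    service = DocumentService()
    doc_id = service.store_document("alice", "constructed record contents for alice")
    return service, doc_id
```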

4. STORE SENSITIVE PERSONAL INFORMATION SECURELY AND PROTECT IT DURING TRANSMISSION.

For many companies, storing sensitive data is a business necessity. And even if you take appropriate steps to secure your network, sometimes you have to send that data elsewhere. Use strong cryptography to secure confidential material during storage and transmission. The method will depend on the types of information your business collects, how you collect it, and how you process it. Given the nature of your business, some possibilities may include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption, or an iterative cryptographic hash. But regardless of the method, it’s only as good as the personnel who implement it. Make sure the people you designate to do that job understand how your company uses sensitive data and have the know-how to determine what’s appropriate for each situation. With that in mind, here are a few lessons from FTC cases to consider when securing sensitive information during storage and transmission.

Keep sensitive information secure throughout its lifecycle.

Data doesn’t stay in one place. That’s why it’s important to consider security at all stages, if transmitting information is a necessity for your business. In Superior Mortgage Corporation, for example, the FTC alleged that the company used SSL encryption to secure the transmission of sensitive personal information between the customer’s web browser and the business’s website server. But once the information reached the server, the company’s service provider decrypted it and emailed it in clear, readable text to the company’s headquarters and branch offices. That risk could have been prevented by ensuring the data was secure throughout its lifecycle, and not just during the initial transmission.

Mortgage Company Settles Information Security Charges

FTC Alleges Customer Data Was Not Secure

Superior Mortgage Corp., a lender with 40 branch offices in 10 states and multiple Web sites, has agreed to settle Federal Trade Commission charges that it violated federal law by failing to provide reasonable security for sensitive customer data and falsely claiming that it encrypted data submitted online. The settlement bars future deceptive claims and requires the company to establish data security procedures that will be reviewed by independent third-party auditors for 10 years.

The FTC’s Safeguards Rule, enacted under the Gramm-Leach-Bliley Act, requires financial institutions, including lenders like Superior, to implement reasonable policies and procedures to ensure the security and confidentiality of sensitive customer information. Superior maintained customers’ Social Security numbers, credit histories, and credit card numbers, among other sensitive information. The FTC complaint alleges that Superior violated the Safeguards Rule because it:

  • Failed to assess risks to its customer information until more than a year after the Safeguards Rule took effect;
  • Failed to implement appropriate password policies to limit access to company systems and documents containing sensitive customer information;
  • Did not encrypt or otherwise protect sensitive customer information before sending it by e-mail; and
  • Failed to ensure that its service providers were providing appropriate security for customer information and addressing known security risks in a timely manner.

The FTC also alleged that despite Superior’s claims that sensitive personal information collected at its www.supmort.com Web site was encrypted using secure socket layer technology, the information was only encrypted while it was being transmitted between a visitor’s web browser and the Web site’s server. Once the information was received at the Web site, it was decrypted and e-mailed to Superior’s headquarters and branch offices in clear, readable text. The agency alleged that these claims were deceptive and violated the FTC Act.

The settlement bars Superior from misrepresenting the extent to which it maintains and protects the privacy, confidentiality, or security of any personal information collected from or about consumers, and prohibits violations of the Safeguards Rule. The settlement also requires that Superior hire an independent, third-party auditor to assess its security procedures every two years for the next 10 years, and to certify that these procedures meet or exceed the protections required by the Safeguards Rule. The settlement also contains certain record keeping requirements to allow the FTC to monitor compliance.

Superior Mortgage Corp. is based in Tuckerton, New Jersey. It has offices in New Jersey, Pennsylvania, Florida, Virginia, Maryland, North Carolina, Connecticut, Indiana, and Delaware.

The Commission vote to accept the consent agreement was 4-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through October 27, 2005 after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC requests that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

NOTE: Consent agreements are for settlement purposes only and do not constitute an admission by the defendant of a law violation.

Copies of the complaint and consent agreement, and an analysis to aid public comment, are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

(FTC File No. 052-3136)

CONTACT INFORMATION

Media Contact:
Claudia Bourne Farrell
Office of Public Affairs
202-326-2181
Staff Contact:

Jessica Rich
Bureau of Consumer Protection
202-326-3224

Use industry-tested and accepted methods.

When considering what technical standards to follow, keep in mind that experts already may have developed effective standards that can apply to your business. Savvy companies don’t start from scratch when it isn’t necessary. Instead, they take advantage of that collected wisdom. The ValueClick case illustrates that principle. According to the FTC, the company stored sensitive customer information collected through its e-commerce sites in a database that used a non-standard, proprietary form of encryption. Unlike widely-accepted encryption algorithms that are extensively tested, the complaint charged that ValueClick’s method used a simple alphabetic substitution system subject to significant vulnerabilities. The company could have avoided those weaknesses by using tried-and-true industry-tested and accepted methods for securing data.

ValueClick to Pay $2.9 Million to Settle FTC Charges

FOR RELEASE

Online advertiser ValueClick, Inc., will pay a record $2.9 million to settle Federal Trade Commission charges that its advertising claims and e-mails were deceptive and violated federal law. The agency also charged that ValueClick and its subsidiaries, Hi-Speed Media and E-Babylon, failed to secure consumers’ sensitive financial information, despite their claims to do so. The settlement, filed by the Department of Justice on behalf of the FTC, requires ValueClick to clearly and conspicuously disclose the costs and obligations consumers must incur to receive the products it touts as “free” and bars future violations of the CAN-SPAM Act. The settlement also bars deceptive claims about the security of the consumer information collected at its e-commerce Web sites.

According to the FTC, ValueClick subsidiary Hi-Speed Media used deceptive e-mails, banner ads, and pop-ups to drive consumers to its Web sites. The e-mails and online ads claimed that consumers were eligible for “free” gifts, including laptops, iPods, and high-value gift cards, and included come-ons such as “Free PS3 for survey,” and “CONGRATULATIONS! Select your FREE Plasma TV.” The FTC alleged that consumers lured to ValueClick’s Web sites by these promises were led through a maze of expensive and burdensome third-party offers – including car loans and satellite television subscriptions – which they were required to “participate in” at their own expense, in order to receive the promised “free” merchandise. The FTC charged that ValueClick’s use of deceptively labeled e-mail offering free gifts and its failure to disclose that consumers must expend substantial sums of money to obtain the promised “free” merchandise violates the CAN-SPAM Act and the FTC Act.

The FTC also charged that ValueClick, Hi-Speed Media, and E-Babylon misrepresented that they secured customers’ sensitive financial information consistent with industry standards. The FTC alleged the companies published online privacy policies claiming they encrypted customer information, but either failed to encrypt the information at all or used a non-standard and insecure form of encryption. The agency also charged that several of the companies’ e-commerce Web sites were vulnerable to SQL injection, a commonly known form of hacker attack, contrary to claims that the companies implemented reasonable security measures.

The settlement bars future violations of the CAN-SPAM Act. It requires ValueClick and Hi-Speed Media to clearly and conspicuously disclose in their ads and on their promotional Web pages that consumers have to spend money or incur other obligations to qualify for “free” merchandise. The settlement also requires them to provide a list of the obligations – such as applying for credit cards, purchasing products, or obtaining a car loan – that consumers must incur to qualify for a free product. In addition, ValueClick and Hi-Speed Media will pay a $2.9 million civil penalty to resolve the Commission’s CAN-SPAM allegations. This is the largest settlement in a case based on the CAN-SPAM Act, enacted in 2003.

The settlement also bars ValueClick, Hi-Speed Media, and E-Babylon from making misrepresentations about the use of encryption or other electronic measures to protect consumers’ information, and about the extent to which they protect personal information. The order also requires the companies to establish and maintain a comprehensive security program, and obtain independent third-party assessments of their programs, for 20 years.

This is the FTC’s third case targeting the use of deceptive promises of free merchandise by Internet-based “lead generation” operations, and the Commission’s 18th case challenging data security practices by a company handling sensitive consumer information.

The Commission vote to approve the stipulated final order was 5-0. It was filed in U.S. District Court for the Central District of California by the Department of Justice at the FTC’s request.

NOTE: Stipulated final orders are for settlement purposes only and do not constitute an admission by the defendant of a law violation. A stipulated order is subject to court approval and has the force of law when signed by the judge.

The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftc.gov/ftc/complaint.shtm or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://ftc.gov/bcp/consumer.shtm.

CONTACT INFORMATION

MEDIA CONTACT:
Claudia Bourne Farrell
Office of Public Affairs
202-326-2181
STAFF CONTACTS:
Stephen L. Cohen
Bureau of Consumer Protection
202-326-3222
(deceptive advertising and CAN-SPAM allegations)
Ethan Arenson
Bureau of Consumer Protection
202-326-2204
(deceptive advertising and CAN-SPAM allegations)
Burke Kappler
Bureau of Consumer Protection
202-326-2043
(data security and encryption allegations)

Ensure proper configuration.

Encryption – even strong methods – won’t protect your users if you don’t configure it properly. That’s one message businesses can take from the FTC’s actions against Fandango and Credit Karma. In those cases, the FTC alleged that the companies used SSL encryption in their mobile apps, but turned off a critical process known as SSL certificate validation without implementing other compensating security measures. That made the apps vulnerable to man-in-the-middle attacks, which could allow hackers to decrypt sensitive information the apps transmitted. Those risks could have been prevented if the companies’ implementations of SSL had been properly configured.

Fandango, Credit Karma Settle FTC Charges that They Deceived Consumers By Failing to Securely Transmit Sensitive Personal Information

Mobile Apps Placed Credit Card Details, Credit Report Data, Social Security Numbers at Risk

FOR RELEASE

Two companies have agreed to settle Federal Trade Commission charges that they misrepresented the security of their mobile apps and failed to secure the transmission of millions of consumers’ sensitive personal information from their mobile apps.

The FTC alleged that, despite their security promises, Fandango and Credit Karma failed to take reasonable steps to secure their mobile apps, leaving consumers’ sensitive personal information at risk. Among other things, the complaints charge that Fandango and Credit Karma disabled a critical default process, known as SSL certificate validation, which would have verified that the apps’ communications were secure.

As a result, the companies’ applications were vulnerable to “man-in-the-middle” attacks, which would allow an attacker to intercept any of the information the apps sent or received. This type of attack is especially dangerous on public Wi-Fi networks such as those at coffee shops, airports and shopping centers.

“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” said FTC Chairwoman Edith Ramirez. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

To help secure sensitive transactions, mobile operating systems, including iOS and Android, provide app developers with tools to implement an industry standard known as Secure Sockets Layer, or SSL. If properly implemented, SSL secures an app’s communications and ensures that an attacker cannot intercept the sensitive personal information a consumer submits through an app.

By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords. Similarly, Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores, and other credit report details such as account names and balances.
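The configuration mistake described here, and in the Ensure proper configuration lesson above, is the same on any platform: the default validation is switched off and nothing replaces it. The weak setting beside the correct one, plus an audit check that flags a context with validation disabled, as an added illustration in Python’s ssl module rather than the companies’ mobile code (on iOS and Android the platform HTTP clients validate by default, and the equivalent mistake is overriding that behaviour in app code); the host name in the connect helper is a constructed placeholder.

```python
"""The disabled-validation configuration beside the correct one, plus an audit
check, for the Fandango and Credit Karma lesson. Added illustration in Python's
ssl module, not the companies' mobile code.
"""
import socket
import ssl


def insecure_context():
    """What "turning off certificate validation" looks like (do not ship this).
    Any certificate is accepted, so a network attacker can stand in for the server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Platform defaults kept intact: chain verified against the system trust store,
    host name checked against the certificate, legacy protocol versions refused."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validates_peer(ctx):
    """Audit predicate: does this context verify the certificate chain and the host name?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_contexts(named_contexts):
    """Run the audit over every context an application builds; False entries are findings
    of exactly the kind a pre-release security review should catch."""
    return {name: validates_peer(ctx) for name, ctx in named_contexts.items()}


def open_verified_connection(host, port=443, ctx=None):
    """Connect with validation on. A forged certificate raises ssl.SSLCertVerificationError
    instead of silently talking to an impostor. Needs network access, so not exercised
    in the test; the host is supplied by the caller (constructed placeholder in usage)."""
    ctx = ctx or hardened_context()
    if not validates_peer(ctx):
        raise ValueError("refusing to connect with certificate validation disabled")
    sock = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print(audit_contexts({"checkout": insecure_context(), "api": hardened_context()}))
```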

The settlements with Fandango and Credit Karma are part of the FTC’s ongoing effort to ensure that companies secure the applications they develop and keep their privacy promises to consumers. The FTC has also created a guide to help consumers understand how to stay secure when using public WiFi connections.

Fandango

The Fandango Movies app for iOS allows consumers to purchase movie tickets and view show times, trailers, and reviews. According to the FTC’s complaint, the Fandango Movies app assured consumers, during checkout, that their credit card information was stored and transmitted securely. Despite this promise, for almost four years – from March 2009 until February 2013 – the company disabled SSL certificate validation and left consumers that used its app to make mobile ticket purchases vulnerable to man-in-the-middle attacks.

The complaint alleges that Fandango could have easily tested for and prevented the vulnerability, but failed to perform the basic security checks that would have caught the issue. In addition, the complaint charges that Fandango failed to have an adequate process for receiving vulnerability reports from security researchers and other third parties, and as a result, missed opportunities to fix the vulnerability.

Credit Karma

The Credit Karma Mobile app for iOS and Android allows consumers to monitor and evaluate their credit and financial status. In its complaint, the FTC alleges that Credit Karma assured consumers that the company followed “industry-leading security precautions,” including the use of SSL to secure consumers’ information. Despite these promises, the company disabled SSL certificate validation and left consumers that used its credit-monitoring app vulnerable to man-in-the-middle attacks.

According to the FTC, Credit Karma could have easily prevented the vulnerability with basic tests, but did not perform an adequate security review of its iOS app before release. Even after a user warned Credit Karma about the vulnerability in its iOS app, the company failed to test its Android app before launch. As a result, one month after receiving a warning about the issue, the company released its Android app with the very same vulnerability. The complaint charges that Credit Karma failed to appropriately test or audit its apps’ security and failed to oversee the security practices of its application development firm.

Settlements

The settlements require Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit Fandango and Credit Karma from misrepresenting the level of privacy or security of their products and services.

The Commission vote to accept the consent agreement packages containing the proposed consent orders for public comment was 4-0. The FTC will publish a description of the consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through April 28, 2014, after which the Commission will decide whether to make the proposed consent orders final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments can be submitted electronically by following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

CONTACT INFORMATION

MEDIA CONTACT:
Jay Mayfield
Office of Public Affairs
202-326-2181

STAFF CONTACTS:
Nithan Sannappa
Bureau of Consumer Protection
202-326-3185

Jarad Brown
Bureau of Consumer Protection
202-326-2927

5. SEGMENT YOUR NETWORK AND MONITOR WHO’S TRYING TO GET IN AND OUT.


When designing your network, consider using tools like firewalls to segment your network, thereby limiting access between computers on your network and between your computers and the internet.

Another useful safeguard: intrusion detection and prevention tools to monitor your network for malicious activity.

Here are some lessons from FTC cases to consider when designing your network.

Segment your network.

Not every computer in your system needs to be able to communicate with every other one.

You can help protect particularly sensitive data by housing it in a separate secure place on your network. That’s a lesson from the DSW case.

The FTC alleged that the company didn’t sufficiently limit computers on one in-store network from connecting to computers on other in-store and corporate networks.

As a result, hackers could use one in-store network to connect to, and access personal information on, other in-store and corporate networks.

The company could have reduced that risk by sufficiently segmenting its network.
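As an added illustration of the DSW lesson (this is not FTC or DSW material), the script below models a default-deny segmentation policy in which each in-store network may reach only the payment-authorization gateway, and then audits a few constructed flows, including the store-to-store and store-to-corporate connections the complaint describes. The zone names, subnets, ports and flows are all assumptions made for the example.

```python
"""Segmentation policy check (added example; zones, subnets and rules are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan: one subnet per zone.
ZONES = {
    "store-1": ip_network("10.1.0.0/24"),
    "store-2": ip_network("10.2.0.0/24"),
    "corporate": ip_network("10.100.0.0/16"),
    "payment-gw": ip_network("10.200.0.0/28"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int  # TCP port the destination service listens on


# Default-deny allow-list. Stores reach the payment gateway on 443 only;
# corporate pulls inventory from stores on 8443 (hypothetical service).
# Nothing permits store-to-store or store-to-corporate connections.
ALLOW = [
    Rule("store-1", "payment-gw", 443),
    Rule("store-2", "payment-gw", 443),
    Rule("corporate", "store-1", 8443),
    Rule("corporate", "store-2", 8443),
]

Flow = Tuple[str, str, int]  # (src address, dst address, dst port)


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside the plan."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_allowed(src: str, dst: str, dst_port: int) -> bool:
    """True only when an explicit rule permits src -> dst:dst_port."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return False  # unknown zone: deny
    if s == d:
        return True  # intra-zone traffic is left to host firewalls
    return any(
        r.src_zone == s and r.dst_zone == d and r.dst_port == dst_port
        for r in ALLOW
    )


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Classify constructed flow records as ALLOW or DENY."""
    return [(f, "ALLOW" if is_allowed(*f) else "DENY") for f in flows]


# Constructed flows: the last two are the lateral moves the FTC said
# DSW's network did not block.
SAMPLE_FLOWS: List[Flow] = [
    ("10.1.0.25", "10.200.0.5", 443),   # store-1 POS -> payment gateway
    ("10.100.4.9", "10.2.0.7", 8443),   # corporate -> store-2 inventory
    ("10.1.0.25", "10.2.0.7", 445),     # store-1 -> store-2
    ("10.1.0.25", "10.100.1.2", 1433),  # store-1 -> corporate database
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(verdict, flow)
```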

DSW Inc. Settles FTC Charges

Agency Says Company Failed to Protect Sensitive Customer Data

FOR RELEASE

Shoe discounter DSW Inc. has agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data was an unfair practice that violated federal law. According to the FTC, DSW’s data-security failure allowed hackers to gain access to the sensitive credit card, debit card, and checking account information of more than 1.4 million customers. The settlement will require DSW to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.

Columbus, Ohio-based DSW operates approximately 190 stores in 32 states. In 2004, DSW generated $961 million in net sales and sold approximately 23.7 million pairs of shoes.

According to the FTC’s complaint, DSW uses computer networks to obtain authorization for credit card, debit card, and check purchases at its stores and to track inventory. For credit and debit card purchases, DSW collects information, such as name, card number, and expiration date, from the magnetic stripe on the back of the cards. This magnetic stripe information is particularly sensitive because it contains a security code that can be used to create counterfeit cards that appear genuine in the authorization process. For check purchases, DSW collects information such as routing number, account number, check number, and the consumer’s driver’s license number and state. In each case, the information was wirelessly transmitted to a computer network located in the store, and from there was sent to the appropriate bank or check processor.

The FTC charges that until at least March 2005, DSW engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive customer information. Specifically, the agency alleges that DSW:

  • Created unnecessary risks to sensitive information by storing it in multiple files when it no longer had a business need to keep the information;
  • Failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
  • Stored the information in unencrypted files that could be easily accessed using a commonly known user ID and password;
  • Failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
  • Failed to employ sufficient measures to detect unauthorized access.

The FTC charges that a total of approximately 1.4 million credit and debit cards and 96,000 checking accounts were compromised, and that there have been fraudulent charges on some of these accounts. Further, some customers whose checking account information was compromised have incurred out-of-pocket expenses in connection with closing their accounts and ordering new checks. Some checking account customers have contacted DSW to request reimbursement for their expenses, and DSW has provided some amount of reimbursement to these customers. According to DSW’s SEC filings, as of July 2005, the company’s exposure for losses related to the breach ranges from $6.5 million to $9.5 million.

The FTC alleges that DSW’s failure to secure customers’ sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition. The settlement requires DSW to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires DSW to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order. DSW also will be subject to standard record keeping and reporting provisions to allow the FTC to monitor compliance.

This is the FTC’s seventh case challenging faulty data security practices by retailers and others.

The Commission vote to accept the proposed consent agreement was 4-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through January 2, 2006, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

NOTE: Consent agreements are for settlement purposes only and do not constitute an admission by the defendant of a law violation.

Copies of the complaint and consent order are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

(FTC File No. 052-3096)

CONTACT INFORMATION

Media Contact:
Claudia Bourne Farrell,
Office of Public Affairs
202-326-2181
Staff Contact:
Jessica Rich,
Bureau of Consumer Protection
202-326-3224

Monitor activity on your network.

“Who’s that knocking on my door?”

That’s what an effective intrusion detection tool asks when it detects unauthorized activity on your network.

In the Dave & Buster’s case, the FTC alleged that the company didn’t use an intrusion detection system and didn’t monitor system logs for suspicious activity.

The FTC says something similar happened in CardSystems Solutions.

The business didn’t use sufficient measures to detect unauthorized access to its network.

Hackers exploited weaknesses, installing programs on the company’s network that collected stored sensitive data and sent it outside the network every four days. In each of these cases, the businesses could have reduced the risk of a data compromise or its breadth by using tools to monitor activity on their networks.
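The CardSystems pattern, a planted program sending stored data out of the network every four days, is exactly the kind of regularity a log-monitoring rule can catch. The detector below is an added example (not from any FTC case or product): it reads constructed egress records, keeps only large transfers to hosts outside an assumed internal range, and flags source/destination pairs whose transfers recur at a near-constant interval.

```python
"""Periodic-egress detector (added example; log lines and addresses are constructed)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Assumed internal address space; anything outside it is "external".
INTERNAL = [ip_network("10.0.0.0/8")]

# Constructed egress log: ISO timestamp, source, destination, bytes sent.
# One host pushes ~48 MB to the same external address every four days.
SAMPLE_LOG = """\
2005-03-01T02:10:03 10.5.1.20 203.0.113.9 48120000
2005-03-01T09:14:11 10.5.1.20 198.51.100.4 2300
2005-03-02T11:02:45 10.5.1.31 198.51.100.4 5100
2005-03-05T02:09:58 10.5.1.20 203.0.113.9 47980000
2005-03-07T14:22:01 10.5.1.31 203.0.113.77 800
2005-03-09T02:10:12 10.5.1.20 203.0.113.9 48350000
2005-03-13T02:10:05 10.5.1.20 203.0.113.9 48001000
"""

Record = Tuple[datetime, str, str, int]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def parse(log_text: str) -> List[Record]:
    """Parse the constructed four-field log format."""
    records = []
    for line in log_text.splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_periodic_egress(records: List[Record], min_bytes: int = 10_000_000,
                         min_events: int = 3, jitter: float = 0.1
                         ) -> List[Tuple[str, str, float]]:
    """Return (src, dst, period_hours) for large outbound transfers to an
    external host that repeat at a near-constant interval."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        if is_internal(dst) or nbytes < min_bytes:
            continue
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # Regular cadence: every gap within `jitter` of the mean interval.
        if all(abs(g - mean) <= jitter * mean for g in gaps):
            findings.append((src, dst, round(mean, 1)))
    return findings


if __name__ == "__main__":
    for src, dst, hours in find_periodic_egress(parse(SAMPLE_LOG)):
        print(f"periodic large egress: {src} -> {dst} every {hours} h")
```

On the sample log this reports the 10.5.1.20 to 203.0.113.9 pair with a 96-hour period; the small, irregular transfers are ignored.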

6. SECURE REMOTE ACCESS TO YOUR NETWORK.


Business doesn’t just happen in the office. While a mobile workforce can increase productivity, it also can pose new security challenges. If you give employees, clients, or service providers remote access to your network, have you taken steps to secure those access points? FTC cases suggest some factors to consider when developing your remote access policies.

Ensure endpoint security.

Just as a chain is only as strong as its weakest link, your network security is only as strong as the weakest security on a computer with remote access to it. That’s the message of FTC cases in which companies failed to ensure that computers with remote access to their networks had appropriate endpoint security. For example, in Premier Capital Lending, the company allegedly activated a remote login account for a business client to obtain consumer reports, without first assessing the business’s security. When hackers accessed the client’s system, they stole its remote login credentials and used them to grab consumers’ personal information. According to the complaint in Settlement One, the business allowed clients that didn’t have basic security measures, like firewalls and updated antivirus software, to access consumer reports through its online portal. And in Lifelock, the FTC charged that the company failed to install antivirus programs on the computers that employees used to remotely access its network. These businesses could have reduced those risks by securing computers that had remote access to their networks.


Mortgage Company Settles Data Security Charges

Data Breach Compromised Privacy of Hundreds of Consumers

FOR RELEASE

A Texas-based mortgage lender has settled Federal Trade Commission charges that it violated federal law by failing to provide reasonable security to protect sensitive customer data. The lender made the data vulnerable, the complaint alleges, by allowing a third-party home seller to access the data without taking reasonable steps to protect it. A hacker compromised the data by breaking into the home seller’s computer, obtaining the lender’s credentials, and using them to access hundreds of consumer reports.

According to the FTC’s complaint, Premier Capital Lending, Inc. (Premier) violated the FTC’s Safeguards and Privacy Rules, as well as Section 5 of the FTC Act. The proposed settlement bars deceptive claims about privacy and security, and requires the company to establish a comprehensive information security program and hire an independent third-party security professional to review the program every other year for 20 years.

The FTC’s Safeguards Rule, enacted under the Gramm-Leach-Bliley Act, requires financial institutions, including lenders like Premier, to implement reasonable policies and procedures to ensure the security and confidentiality of sensitive customer information. Premier routinely obtains credit reports from consumer reporting agencies that contain sensitive personal information about customers and potential customers. The FTC complaint alleges that Premier violated the Safeguards Rule because it:

  • allowed a home seller to use its account for accessing credit reports in order to refer purchasers for financing without taking reasonable steps to verify the seller’s procedures to handle, store, or dispose of sensitive personal information;
  • failed to assess the risks of allowing a third party to access credit reports through its account;
  • failed to conduct reasonable reviews of credit report requests made on its account by using readily available information (such as management reports and invoices) to detect signs of unauthorized activity; and
  • failed to assess the full scope of credit report information stored and accessible through its account and thus compromised by the hacker.

According to the FTC, a hacker exploited Premier’s failures by breaching the seller’s computer, obtaining Premier’s user name and password, and using these credentials to obtain at least 400 credit reports through Premier’s account.

The FTC complaint also alleges that Premier violated Section 5 of the FTC Act and the Privacy Rule by failing to live up to its own privacy policy, which claimed: “We take our responsibility to protect the privacy and confidentiality of customer information very seriously. We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction. Our control policies, for example, authorize access to customer information only by individuals who need access to do their work.”

The complaint against the Arlington, Texas-based Premier – which specializes in loans for consumers to purchase manufactured homes and the lots they occupy – also names Premier co-owner Debra Stiles as a respondent in this case. She has agreed to the terms of the proposed settlement.

The Commission vote to accept the proposed consent agreement was 4-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through December 5, 2008, after which the Commission will decide whether to make it final.

Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

Copies of the complaint, proposed consent agreement, and an analysis of the agreement to aid in public comment are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

(FTC File No. 0723004)

CONTACT INFORMATION

MEDIA CONTACT:
Betsy Lordan,
Office of Public Affairs
202-326-3707
STAFF CONTACT:
Jessica Rich,
Bureau of Consumer Protection
202-326-2148

Put sensible access limits in place.

Not everyone who might occasionally need to get on your network should have an all-access, backstage pass. That’s why it’s wise to limit access to what’s needed to get the job done. In the Dave & Buster’s case, for example, the FTC charged that the company failed to adequately restrict third-party access to its network. By exploiting security weaknesses in the third-party company’s system, an intruder allegedly connected to the network numerous times and intercepted personal information. What could the company have done to reduce that risk? It could have placed limits on third-party access to its network – for example, by restricting connections to specified IP addresses or granting temporary, limited access.

7. APPLY SOUND SECURITY PRACTICES WHEN DEVELOPING NEW PRODUCTS.


So you have a great new app or innovative software on the drawing board. Early in the development process, think through how customers will likely use the product. If they’ll be storing or sending sensitive information, is your product up to the task of handling that data securely? Before going to market, consider the lessons from FTC cases involving product development, design, testing, and roll-out.

Train your engineers in secure coding.

Have you explained to your developers the need to keep security at the forefront? In cases like MTS, HTC America, and TRENDnet, the FTC alleged that the companies failed to train their employees in secure coding practices. The upshot: questionable design decisions, including the introduction of vulnerabilities into the software. For example, according to the complaint in HTC America, the company failed to implement readily available secure communications mechanisms in the logging applications it pre-installed on its mobile devices. As a result, malicious third-party apps could communicate with the logging applications, placing consumers’ text messages, location data, and other sensitive information at risk. The company could have reduced the risk of vulnerabilities like that by adequately training its engineers in secure coding practices.

Follow platform guidelines for security.

When it comes to security, there may not be a need to reinvent the wheel. Sometimes the wisest course is to listen to the experts. In actions against HTC America, Fandango, and Credit Karma, the FTC alleged that the companies failed to follow explicit platform guidelines about secure development practices. For example, Fandango and Credit Karma turned off a critical process known as SSL certificate validation in their mobile apps, leaving the sensitive information consumers transmitted through those apps open to interception through man-in-the-middle attacks. The companies could have prevented this vulnerability by following the iOS and Android guidelines for developers, which explicitly warn against turning off SSL certificate validation.
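To make the Fandango and Credit Karma defect concrete, here is an added example in Python’s ssl module (not the apps’ own iOS or Android code): the disabled-validation configuration beside the platform-default one, plus a small audit that reports the weaknesses a code review should flag. With validation off, any certificate from any host is accepted, which is what lets a man-in-the-middle read the traffic.

```python
"""TLS certificate validation: the weak setting beside the corrected one (added example)."""
import ssl
from typing import List


def insecure_context() -> ssl.SSLContext:
    """What 'turning off certificate validation' amounts to: any certificate
    for any hostname is accepted. Built here only so the audit can flag it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The platform defaults the guidelines point to: chain verified against
    the system trust store, hostname checked, legacy TLS versions refused."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the validation weaknesses present in a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```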

Verify that privacy and security features work.

If your software offers a privacy or security feature, verify that the feature works as advertised. In TRENDnet, for example, the FTC charged that the company failed to test that an option to make a consumer’s camera feed private would, in fact, restrict access to that feed. As a result, hundreds of “private” camera feeds were publicly available. Similarly, in Snapchat, the company advertised that messages would “disappear forever,” but the FTC says it failed to ensure the accuracy of that claim. Among other things, the app saved video files to a location outside of the app’s sandbox, making it easy to recover the video files with common file browsing tools. The lesson for other companies: When offering privacy and security features, ensure that your product lives up to your advertising claims.

Test for common vulnerabilities.

There is no way to anticipate every threat, but some vulnerabilities are commonly known and reasonably foreseeable. In more than a dozen FTC cases, businesses failed to adequately assess their applications for well-known vulnerabilities. For example, in the Guess? case, the FTC alleged that the business failed to assess whether its web application was vulnerable to Structured Query Language (SQL) injection attacks. As a result, hackers were able to use SQL attacks to gain access to databases with consumers’ credit card information. That’s a risk that could have been avoided by testing for commonly-known vulnerabilities, like those identified by the Open Web Application Security Project (OWASP).
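The Guess? lesson in miniature, as an added example using Python and sqlite3 (not the company’s web application): the same lookup written by concatenating user input into the statement and written with a bound parameter, run against a constructed table whose card values are placeholders. The tautology input an OWASP-style test case would send makes the first version return every row and the second return nothing.

```python
"""SQL injection: string-built query beside the parameterized one (added example)."""
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str, str]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table; card_last4 values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1111"), (3, "carol", "9999")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> List[Row]:
    """Concatenates the input into the statement, so the input can change the
    query's structure: the class of defect the Guess? complaint describes."""
    sql = ("SELECT id, customer, card_last4 FROM orders "
           "WHERE customer = '" + customer + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer: str) -> List[Row]:
    """Binds the input as a value; the driver never parses it as SQL."""
    sql = "SELECT id, customer, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def is_suspicious_input(value: str) -> bool:
    """Cheap signal for a test harness or request log review; a detection
    aid only, not a substitute for parameterization."""
    lowered = value.lower()
    return "'" in value or "--" in value or ";" in value or " or " in lowered


# Constructed test input of the kind a vulnerability scan would send.
TAUTOLOGY = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, TAUTOLOGY))
    print("parameterized:", lookup_parameterized(db, TAUTOLOGY))
```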

8. MAKE SURE YOUR SERVICE PROVIDERS IMPLEMENT REASONABLE SECURITY MEASURES.


When it comes to security, keep a watchful eye on your service providers – for example, companies you hire to process personal information collected from customers or to develop apps. Before hiring someone, be candid about your security expectations. Take reasonable steps to select providers able to implement appropriate security measures and monitor that they’re meeting your requirements. FTC cases offer advice on what to consider when hiring and overseeing service providers.

Put it in writing.

Insist that appropriate security standards are part of your contracts. In GMR Transcription, for example, the FTC alleged that the company hired service providers to transcribe sensitive audio files, but failed to require the service provider to take reasonable security measures. As a result, the files – many containing highly confidential health-related information – were widely exposed on the internet. For starters, the business could have included contract provisions that required service providers to adopt reasonable security precautions – for example, encryption.

Verify compliance.

Security can’t be a “take our word for it” thing. Including security expectations in contracts with service providers is an important first step, but it’s also important to build oversight into the process. The Upromise case illustrates that point. There, the company hired a service provider to develop a browser toolbar. Upromise claimed that the toolbar, which collected consumers’ browsing information to provide personalized offers, would use a filter to “remove any personally identifiable information” before transmission. But, according to the FTC, Upromise failed to verify that the service provider had implemented the information collection program in a manner consistent with Upromise’s privacy and security policies and the terms in the contract designed to protect consumer information. As a result, the toolbar collected sensitive personal information – including financial account numbers and security codes from secure web pages – and transmitted it in clear text. How could the company have reduced that risk? By asking questions and following up with the service provider during the development process.

9. PUT PROCEDURES IN PLACE TO KEEP YOUR SECURITY CURRENT AND ADDRESS VULNERABILITIES THAT MAY ARISE.


Securing your software and networks isn’t a one-and-done deal. It’s an ongoing process that requires you to keep your guard up. If you use third-party software on your networks, or you include third-party software libraries in your applications, apply updates as they’re issued. If you develop your own software, how will people let you know if they spot a vulnerability, and how will you make things right? FTC cases offer points to consider in thinking through vulnerability management.

Update and patch third-party software.

Outdated software undermines security. The solution is to update it regularly and implement third-party patches. In the TJX Companies case, for example, the FTC alleged that the company didn’t update its anti-virus software, increasing the risk that hackers could exploit known vulnerabilities or overcome the business’s defenses. Depending on the complexity of your network or software, you may need to prioritize patches by severity; nonetheless, having a reasonable process in place to update and patch third-party software is an important step to reducing the risk of a compromise.

Heed credible security warnings and move quickly to fix them.

When vulnerabilities come to your attention, listen carefully and then get a move on. In the HTC America case, the FTC charged that the company didn’t have a process for receiving and addressing reports about security vulnerabilities. HTC’s alleged delay in responding to warnings meant that the vulnerabilities found their way onto even more devices across multiple operating system versions. Sometimes, companies receive security alerts, but they get lost in the shuffle. In Fandango, for example, the company relied on its general customer service system to respond to warnings about security risks. According to the complaint, when a researcher contacted the business about a vulnerability, the system incorrectly categorized the report as a password reset request, sent an automated response, and marked the message as “resolved” without flagging it for further review. As a result, Fandango didn’t learn about the vulnerability until FTC staff contacted the company. The lesson for other businesses? Have an effective process in place to receive and address security vulnerability reports. Consider a clearly publicized and effective channel (for example, a dedicated email address like security(@)yourcompany.com) for receiving reports and flagging them for your security staff.
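The Fandango failure was a routing problem: a vulnerability report landed in a general customer-service queue, was auto-classified as a password reset and closed. The triage function below is an added example (not Fandango’s system or any product) of the intake rule such a channel needs: security indicators take precedence over help-desk categories, and a message carrying them is never auto-resolved. The keyword lists and messages are constructed.

```python
"""Inbound report triage that cannot auto-close a security report (added example)."""
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed indicator lists; a real deployment would tune these.
SECURITY_TERMS = re.compile(
    r"\b(vulnerab\w*|exploit\w*|cve-\d{4}-\d+|certificate validation|"
    r"man-in-the-middle|mitm|injection|responsible disclosure|disclos\w*)\b",
    re.IGNORECASE,
)
RESET_TERMS = re.compile(
    r"\b(reset|forgot|locked out|can't log in|cannot log in)\b", re.IGNORECASE
)


@dataclass
class Triage:
    queue: str            # "security", "password-reset" or "general"
    auto_resolve: bool    # may the system close it without a human?
    matched: Tuple[str, ...]


def triage(subject: str, body: str) -> Triage:
    """Route a message. Security indicators win even when reset words are
    also present, and a security-queued message is never auto-resolved."""
    text = f"{subject}\n{body}"
    sec = tuple(sorted({m.lower() for m in SECURITY_TERMS.findall(text)}))
    if sec:
        return Triage("security", False, sec)
    if RESET_TERMS.search(text):
        return Triage("password-reset", True, ())
    return Triage("general", False, ())


# Constructed messages.
REPORT = ("Your app accepts any certificate",
          "I am a security researcher. Your iOS app disables certificate "
          "validation, so a man-in-the-middle vulnerability exposes the "
          "password users type in. Please reset my expectations and reply.")
RESET = ("Help", "I forgot my password, please reset it.")
REFUND = ("Refund", "When does my ticket refund arrive?")

if __name__ == "__main__":
    for subj, body in (REPORT, RESET, REFUND):
        print(subj, "->", triage(subj, body))
```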

10. SECURE PAPER, PHYSICAL MEDIA, AND DEVICES.


Network security is a critical consideration, but many of the same lessons apply to paperwork and physical media like hard drives, laptops, flash drives, and disks. FTC cases offer some things to consider when evaluating physical security at your business.

Securely store sensitive files.

If it’s necessary to retain important paperwork, take steps to keep it secure. In the Gregory Navone case, the FTC alleged that the defendant maintained sensitive consumer information, collected by his former businesses, in boxes in his garage. In Lifelock, the complaint charged that the company left faxed documents that included consumers’ personal information in an open and easily accessible area. In each case, the business could have reduced the risk to their customers by implementing policies to store documents securely.


LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States That Identity Theft Prevention and Data Security Claims Were False

FOR RELEASE

LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck.

In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz.

“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft,” Illinois Attorney General Lisa Madigan said. “Consumers can take definitive steps to minimize the chances of having their personal information stolen, and this settlement will help them make more informed decisions about whether to enroll in ID theft protection services.”

Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service.

According to the FTC’s complaint, LifeLock has claimed:

  • “By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . LifeLock protects against this ever happening to you. Guaranteed.”
  • “Please know that we are the first company to prevent identity theft from occurring.”
  • “Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens.”

The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007.

The FTC’s complaint further alleged that LifeLock also claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. The FTC charged that those claims were false.

In addition to its deceptive identity theft protection claims, LifeLock allegedly made claims about its own data security that were not true. According to the FTC, LifeLock routinely collected sensitive information from its customers, including their social security numbers and credit card numbers. The company claimed:

  • “Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”
  • “All stored personal data is electronically encrypted.”
  • “LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”

The FTC charged that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.

The FTC and state settlements with LifeLock bar deceptive claims, and prohibit the company from misrepresenting the “means, methods, procedures, effects, effectiveness, coverage, or scope of any identity theft protection service.” They also bar misrepresentations about the risk of identity theft, and the manner and extent to which LifeLock protects consumers’ personal information. In addition, the settlements require LifeLock to establish a comprehensive data security program and obtain biennial independent third-party assessments of that program for twenty years.

The Attorneys General of Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and West Virginia participated in this settlement.

In addition to LifeLock, the FTC complaint named co-founders Richard Todd Davis and Robert J. Maynard, Jr., who will be barred from the same misrepresentations as LifeLock.

The Commission vote to authorize staff to file the complaint and the settlement with LifeLock and Richard Todd Davis was 4-0. The Commission vote to authorize staff to file the settlement with Robert J. Maynard, Jr. was 3-1, with Commissioner J. Thomas Rosch dissenting. The documents were filed in the U.S. District Court for the District of Arizona.

The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement, along with instructions for applying. Customers do not have to contact the FTC to be eligible for refunds. Up-to-date information about the redress program can be found at 202-326-3757 and at www.ftc.gov/lifelock.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the defendant has actually violated the law. Stipulated judgments are for settlement purposes only and do not constitute an admission by the defendant of a law violation. Consent judgments have the force of law when signed by the judge.

In addition to announcing the LifeLock case, the FTC’s Northeast Regional Office sponsored an event to kick off National Consumer Protection week. The goal was to alert consumers to the top complaint categories in the Northeast Region and to arm consumers with the tools to recognize and protect themselves against all types of fraud. Also participating were the Better Business Bureau serving Metropolitan New York, the New York Attorney General’s Office, the New York City Department of Consumer Affairs, and AARP.

The Federal Trade Commission works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftccomplaintassistant.gov or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://www.ftc.gov/bcp/consumer.shtm.

(FTC File No. 072-3069)

CONTACT INFORMATION

MEDIA CONTACT:
Claudia Bourne Farrell
Office of Public Affairs
202-326-2181
STAFF CONTACT:
Maneesha Mithal or David Lincicum
Bureau of Consumer Protection
202-326-2771 or 202-326-2773

Protect devices that process personal information.

Securing information stored on your network won’t protect your customers if the data has already been stolen through the device that collects it. In the 2007 Dollar Tree investigation, FTC staff said that the business’s PIN entry devices were vulnerable to tampering and theft. As a result, unauthorized persons could capture consumers’ payment card data, including the magnetic stripe data and PIN, through an attack known as “PED skimming.” Given the novelty of this type of attack at the time, and a number of other factors, staff closed the investigation. However, attacks targeting point-of-sale devices are now common and well-known, and businesses should take reasonable steps to protect such devices from compromise.

Keep safety standards in place when data is en route.

Savvy businesses understand the importance of securing sensitive information when it’s outside the office. In Accretive Health, for example, the FTC alleged that an employee left a laptop containing more than 600 files, with 20 million pieces of information related to 23,000 patients, in the locked passenger compartment of a car, which was then stolen. The CBR Systems case concerned allegedly unencrypted backup tapes, a laptop, and an external hard drive – all of which contained sensitive information – that were lifted from an employee’s car. In each case, the business could have reduced the risk to consumers’ personal information by implementing reasonable security policies for data en route. For example, when sending files, drives, disks, etc., use a mailing method that lets you track where the package is. Limit the instances when employees need to be out and about with sensitive data in their possession. But when there’s a legitimate business need to travel with confidential information, employees should keep it out of sight and under lock and key whenever possible.

Dispose of sensitive data securely.

Paperwork or equipment you no longer need may look like trash, but it’s treasure to identity thieves if it includes personal information about consumers or employees. For example, according to the FTC complaints in Rite Aid and CVS Caremark, the companies tossed sensitive personal information – like prescriptions – in dumpsters. In Goal Financial, the FTC alleged that an employee sold surplus hard drives that contained the sensitive personal information of approximately 34,000 customers in clear text. The companies could have prevented the risk to consumers’ personal information by shredding, burning, or pulverizing documents to make them unreadable and by using available technology to wipe devices that aren’t in use.

LOOKING FOR MORE INFORMATION?

The FTC’s Business Center has a Data Security section with an up-to-date listing of relevant cases and other free resources.

HOW TO USE AND SHARE START WITH SECURITY

Start with Security offers free, easy-to-use resources for building a culture of data security throughout any business. It includes tips on how to use and share the Start with Security resources with employees, customers, and partners.