Popular retailer Life is good® became the latest target of a Federal Trade Commission (FTC) information security enforcement action, following a hacking incident affecting credit cards collected on the company's website. This case is only the most recent reminder of what has become a critical challenge for all companies. Information security is now a realistic risk for all companies in all industries, and federal enforcement actions (along with a variety of other problems) may well arise if effective security practices are not implemented.
The Life is good® settlement stems from an ongoing series of FTC cases, driven by the principle that a failure to maintain and implement an effective information security program constitutes a deceptive trade practice. While part of the FTC settlement derives from general statements made by Life is good® representing that it would keep the information it collects secure, it is clear—from the Life is good® case and its predecessors, mainly the settlement involving B.J.'s Wholesale—that an effective information security program is now a legal requirement for any company that collects personal information about customers or employees.
The FTC Enforcement Action
We are committed to maintaining our customers' privacy. We collect and store information you share with us—name, address, credit card and phone numbers along with information about products and services you request. All information is kept in a secure file and is used to tailor our communications with you.
In the FTC complaint (which apparently followed a successful hacker attack that resulted in access to credit card numbers, expiration dates, and security codes of Life is good® consumers), the Commission alleged that, contrary to these claims, Life is good® failed to provide "reasonable and appropriate security for the sensitive consumer information stored on its computer network." Specifically, the FTC charged that Life is good®:
- Unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network, and by storing credit card security codes;
- Failed to assess adequately the vulnerability of its website and corporate computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks;
- Failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks;
- Failed to use readily available security measures to monitor and control connections from the network to the Internet; and
- Failed to employ reasonable measures to detect unauthorized access to credit card information.
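The first three charges describe two concrete engineering defects: building SQL text out of untrusted input, and writing full card numbers and security codes to storage. The following block is an added illustration, not code from the article or from Life is good®, showing the string-built query beside the parameterized form that the complaint calls a "simple, free or low-cost" defense, and a record layout that keeps only a processor token, the last four digits and the expiry after authorization. The table schema, the token format, the function names and every sample row are constructed for this example.

```python
"""Added example (not from the article or from Life is good): the two practices
the FTC complaint names, shown as code. A string-built SQL query is compared
with a parameterized one, and a card record is stored with only the data a
retailer needs after authorization (a processor token, the last four digits,
the expiry), never the full number or the security code. All names, the
sqlite schema and the sample data are constructed for this example."""
import re
import sqlite3

# Constructed sample rows: a token is what a payment processor hands back in
# place of the card number; it is useless to an attacker without the processor.
SAMPLE_CUSTOMERS = [
    (1, "ann@example.com", "tok_ANN_001", "4242", "2026-01"),
    (2, "bob@example.com", "tok_BOB_002", "1111", "2027-06"),
]


def build_db() -> sqlite3.Connection:
    """In-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        " id INTEGER PRIMARY KEY, email TEXT, card_token TEXT,"
        " card_last4 TEXT, card_expiry TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The weakness the complaint describes: user input pasted into the SQL
    text, so the shape of the input can change the meaning of the query."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The readily available defense: the driver binds the value, so whatever
    the input contains it is compared as data and never parsed as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def card_record_to_store(pan: str, expiry: str, security_code: str, token: str) -> dict:
    """Decide what from a freshly authorized card may be written to disk.

    The security code is consumed by the authorization request and is not
    retained at all; the full number is replaced by the processor token.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number has an implausible length")
    if not security_code.isdigit():
        raise ValueError("security code must be numeric")
    # Nothing derived from security_code leaves this function.
    return {"card_token": token, "card_last4": digits[-4:], "card_expiry": expiry}


def demo() -> dict:
    """Run both lookups on an honest address and on a constructed malformed
    input that closes the quote, and show which fields a card record keeps."""
    conn = build_db()
    honest = "ann@example.com"
    malformed = "x' OR '1'='1"  # constructed test input, not a real address
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),
        "vulnerable_malformed": len(lookup_vulnerable(conn, malformed)),
        "param_honest": len(lookup_parameterized(conn, honest)),
        "param_malformed": len(lookup_parameterized(conn, malformed)),
        "stored_fields": sorted(
            card_record_to_store("4242 4242 4242 4242", "2026-01", "123", "tok_ANN_001")
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The malformed input returns every row from the string-built query and no rows from the parameterized one, which is the whole difference the complaint turns on; the stored record has no key for the security code at all, so a later dump of the table cannot leak what was never written.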
Requirements of the Settlement
The FTC settlement followed now familiar precedent. Specifically, the settlement bars Life is good® from making deceptive claims about its privacy and security policies. More significantly, it requires the company to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from consumers. Beyond this general requirement (and consistent with B.J.'s and other recent cases), Life is good® must:
- Designate an employee or employees to coordinate the information security program;
- Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;
- Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;
- Develop reasonable steps to select and oversee service providers that handle the personal information of Life is good® customers;
- Evaluate and adjust its information-security program to reflect the results of monitoring, any material changes to the company's operations, or other circumstances that may impact the effectiveness of its security program.
Beyond these requirements derived from the security standards of the Gramm-Leach-Bliley Act (which form the key components of the security program that all companies should maintain proactively), the settlement requires an ongoing process for an independent, third-party security auditor to assess the Life is good® security program on a biennial basis for the next 20 years. Following each audit, the auditor will be required to certify that Life is good's® security program meets or exceeds the requirements of the FTC's order and is "operating with sufficient effectiveness to provide reasonable assurance that the security of consumers' personal information is being protected."
Implications for Other Companies
At a minimum, the Life is good® settlement should serve as a reminder to companies—large or small—in all industries that information security obligations are real, and that the risks of security breaches are significant. Moreover, the FTC has shown that it will pursue cases against companies that have failed to develop and maintain an effective security program. While Life is good® did not suffer some of the financial penalties that other companies have received (such as the $15 million payment by ChoicePoint), an FTC action not only creates public relations and customer loyalty concerns, but often leads to litigation, particularly where credit card fraud or identity theft is involved. The audits extending for 20 years are also a significant burden.
Accordingly, companies need to view this case as a reminder and a motivator to assess ongoing security practices. If your company has not conducted a privacy and security assessment in the past few years, now would be a good time to do so. Information security practices—even more than privacy obligations—require almost constant updating. The Life is good® problems identified by the FTC can serve as an initial starting point. Moreover, for any company that accepts credit cards as a means of payment, there are new "PCI" standards in place that not only dictate more detailed security protections but also incorporate stringent contractual commitments to compensate for losses resulting from security failures. Therefore, companies should be conducting security assessments and evaluating whether their information security programs are keeping pace with ongoing developments.
This assessment effort needs to encompass two broad areas. First, companies should recognize the increasing regulation of information security practices—from the Federal Trade Commission's "best practices" to the new standards imposed on any company that accepts credit cards. Companies need to review these requirements, and implement appropriate security practices to meet these standards. Those standards should also drive a review of existing security practices—the core of the assessment—and a comparison to emerging requirements. Remember—security perfection is not required, but failures based on inadequate practices will be visible, prominent and attacked by a wide variety of constituencies. Also, if your company accepts credit cards, be aware of the new "PCI" security standards linked to the increased contractual commitments your bank and credit card company likely will seek from you.
Beyond these overall compliance requirements, companies next need to focus on practical employee training and developing an effective overall security program. This program should recognize that security is not just about controlling your computer network. Security breaches encompass a wide range of problem areas, certainly including hackers, but also paper files, lost data tapes and a variety of physical security measures. Since many of these areas are outside the domain of an information technology department, the first challenge for many companies is figuring out who should oversee an overall information security program.
Within the framework of such information security programmatic efforts, individual behavior matters a lot. Whether it is enforcing password requirements, dictating new practices for the protection of laptops, or simply teaching your employees how to protect information—and how to stay away from sensitive information that is not legitimately part of their work—effective and practical training can go a long way towards reducing security risks.
SSNs - A Key Risk Area
While broader questions of privacy and security can be complicated, companies should pay special attention to the single most sensitive piece of personal information that exists—the Social Security Number. The SSN is the Holy Grail for a data thief—it is the entryway to a wide range of opportunities for identity theft, financial fraud and other privacy and security harms. Yet, in most cases, companies cannot identify with any reasonable precision where the company collects SSNs, what they are used for, where they are stored, and to whom these materials are disclosed. In many cases, SSNs are routinely collected and disclosed simply because people are not thinking about the risks. Dramatically reducing the use and disclosure of Social Security numbers is the most effective means of reducing overall privacy and security risk within a company. Where companies collect this information from customers, the risks are substantial. But many companies also fail to assess the additional risks related to employees' SSNs. SSN information is often widely available across companies, and distributed to a broad range of service providers and business partners, without reasonable analysis of whether this information is needed or whether extra precautions can be taken to reduce risks. Companies should place an enormous priority on a thorough review of overall practices involving Social Security numbers.
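The review described above starts with finding out where SSNs actually sit, which in practice means scanning file shares, exports and outbound mail rather than asking. The following block is an added example, not part of the article, of a small detector for that job: it matches nine-digit patterns and then applies the structural rules the Social Security Administration publishes (area not 000, 666 or 900-999; group not 00; serial not 0000) so that phone numbers, order numbers and dates are not reported, and it masks what it finds so the scan output is not itself a new copy of the data. The sample text and the function names are constructed for this example.

```python
"""Added example (not part of the article): a detector for Social Security
numbers in free text, applying the SSA structural rules so that other
nine-digit strings are not reported. All sample text is constructed."""
import re
from typing import List, Tuple

# Three digits, two digits, four digits; the separator (dash, space or none)
# must be the same in both positions, and no digit may touch either end.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([-\s]?)(\d{2})\2(\d{4})(?!\d)")

# Constructed sample text: one separated SSN, one unseparated SSN, a phone
# number, a date, an order reference and four structurally invalid values.
SAMPLE_TEXT = """\
employee: J. Doe, ssn 123-45-6789, start 2008-01-15
vendor contact: 800-555-0199 (phone, not an SSN)
payroll export: 456789012
invalid: 000-12-3456, 666-12-3456, 123-00-4567, 123-45-0000
order ref 1234567890
"""


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural validity per the SSA: rejects the reserved area numbers
    and the all-zero group and serial fields."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked value) for each structurally valid SSN.

    Only the last four digits are kept in the finding, so the scan report
    can be circulated without becoming another place SSNs are stored.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, _sep, group, serial = m.groups()
            if is_valid_ssn(area, group, serial):
                hits.append((lineno, f"***-**-{serial}"))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_ssns(SAMPLE_TEXT):
        print(f"line {lineno}: {masked}")
```

On the constructed sample the detector reports only lines 1 and 3; the phone number, the date, the ten-digit order reference and the four reserved or zero-field values are all rejected, which is what keeps a scan of a real file share from drowning the reviewer in false positives.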
Beyond SSNs, where the primary risk is identity theft, the more concrete losses experienced recently have related to the fraudulent use of credit cards. While credit card fraud has been around for a long time, and there is debate about whether improper use of a credit card constitutes identity theft, the losses from credit card fraud are real. And, unlike in the past, when credit card companies and banks simply treated these losses as a cost of doing business, banks are now making significant efforts to "cost shift" these losses to the retailers and others who are experiencing the security breaches that lead to losses. Accordingly, the monetary risks from a security breach involving credit card numbers are real, and should motivate a strict review of credit card data collection and storage practices.