The apparel maker Life is Good (LIG) recently settled charges that its pledge to “secure” customer data was deceptive in violation of Section 5 of the Federal Trade Commission Act. The FTC alleged that, despite LIG’s assurances that all customer information “is kept in a secure file,” the company “failed to provide reasonable and appropriate security for the consumer information stored on its network,” which included credit card numbers, expiration dates, and security codes. The FTC alleged that, as a result of LIG’s inadequate security measures, a hacker was able to export LIG’s customer information, including credit card numbers and security codes, through the use of an SQL injection attack on LIG’s Web site from June to August 2006.
The specific security failures identified by the FTC included: (1) failing to encrypt consumer information; (2) creating unnecessary risks for consumers by storing information such as credit card security codes indefinitely without a business need; (3) inadequately assessing the vulnerability of LIG’s web application and network to commonly known or reasonably foreseeable attacks; (4) failing to implement simple, free or low cost, and readily available defenses to such attacks; (5) failing to use readily available security measures to monitor and control connections from the network to the Internet; and (6) failing to employ reasonable measures to detect unauthorized access to consumer information.
This settlement may represent an attempt by the FTC to set a minimum standard for securing customer data to avoid enforcement actions. The consent decree makes clear that, in the FTC’s opinion, a failure to take certain precautionary measures while claiming that sensitive data will be kept secure is an adequate basis for a deception claim under the FTC Act.
Of particular note here is the FTC’s use of its “deception” authority rather than its “unfairness” authority, which it previously used to enforce data security compliance. Deception typically involves a claim that is misleading or not true at all. Acts or practices are “unfair” when they cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and not outweighed by countervailing benefits. It could be that the FTC was not confident it could establish the requisite harm required for an unfairness claim (despite evidence of a hacker attack). It also is conceivable that the FTC wished to establish deception as a basis for data security claims to back up an unfairness claim when harm cannot easily be established.
Under the terms of the settlement, LIG is required to establish and maintain a comprehensive security program designed to protect the security of personal information it collects from consumers. The settlement also requires LIG to retain a third-party auditor to assess its security program every two years for the next 20 years. LIG also is subject to bookkeeping and record-keeping provisions that allow the FTC to monitor compliance.
The complaint, proposed consent order, press release, and analysis of the proposed consent order are available here.