Organizations that have failed to implement “reasonable and appropriate” information security measures sometimes find themselves on the wrong end of a Federal Trade Commission (FTC) allegation of unfair and deceptive trade practice. These enforcement actions have uniformly ended in a settlement that carried significant obligations and continued FTC oversight for as long as 20 years. We earlier reported on the increasing granularity of these actions in “Reasonable” Security: The FTC Requires It, But What is “Reasonable” Security?
In the course of taking these enforcement actions, the FTC has built an increasingly specific body of case law dictating the types of security lapses it deems “unfair” to consumers. A few examples taken from recent actions include:
- Storing information for which the company no longer had any business need in multiple, unencrypted files that could be easily accessed with a commonly-known user ID and password
- Transmitting personal information in clear text
- Failing to require the use of strong passwords and separate passwords to access different programs, computers, and networks
- Failing to require periodic changes of user credentials for persons with access to sensitive nonpublic information
- Failing to suspend user credentials after a certain number of unsuccessful login attempts
- Allowing employees to store passwords in email accounts
- Failing to employ sufficient measures to detect and prevent unauthorized information access, such as an intrusion detection system and monitoring system logs
These allegations demonstrate the FTC’s increasingly granular approach to security –related enforcement. In a move that may signal a continuation of that trend, the FTC has just appointed Edward Felten, a Princeton University professor of computer science and public affairs, as its first chief technologist. As reported by The Washington Post (FTC names Princeton computer security expert as first chief technologist), Felten is expected to advise on both privacy and computer security matters. With this appointment, the FTC is well-equipped to continue and enhance its security-related enforcement activity. Organizations subject to FTC jurisdiction should follow future developments in FTC information security enforcement, but should also be mindful of the FTC’s previous complaints and ensure that their own security programs do not include the types of flaws that have attracted FTC attention in the past.