Most importantly, that means avoiding “unfair or deceptive business practices,” according to one FTC official. But even then, figuring out what's “right” from “wrong” – especially when formulating policies and procedures to protect customers against data privacy issues – can be anything but straightforward.
Consider, for instance, the statement, “We comply with all applicable data protection laws.” That “very typical privacy policy” many organizations rely on is fraught with problems, says Rena Mears, the global and national leader of Deloitte & Touche's privacy and data protection service offering.
“To make a statement like that implies you know where the data came from,” she explains. “But where data enters a system is not always flagged – it could be French or German or Canadian data. So a person looking at the data may not know what laws apply.”
And therein lies a conundrum.
Quite often, different countries'laws to protect the privacy of personally identifying information are in conflict with each other, Mears says. “Some laws say you can keep data for only a short time, others say you must keep data X amount of time.”
As an example, consider the differences in privacy-related regulations between the European Union (EU) and the U.S. The Sarbanes-Oxley Act, as most chief privacy officers realize, has a whistle blower clause that promotes openness, “whereas the EU considers it inappropriate spying, with cultural differences leading to different views,” Mears adds.
In addition, “Regulations in some U.S. industries say you must monitor outbound [network] traffic to determine if certain types of data, such as Social Security numbers, are leaving,” she says. “But some countries say you can't monitor outbound traffic or you interfere with privacy.”
Policies such as, “We comply with...,” are the result of what Mears calls a rush to policy strategy many organizations rely on when dealing with regulatory issues. “The natural course is to get attorneys, executives and compliance folks together and write policies,” Mears explains.
While that's not a bad thing, it doesn't go far enough and consequently can leave an organization behind the eight ball. Writing policies quickly, strictly to match regulatory mandates, “is often done in a vacuum, without consulting with the line-of-business and technical sides of the organization,” Mears says.
That creates a disconnect between the organization's data privacy polices and the business practices and technology required to support them. But the FTC's point of view is that if you say something in a policy, it is fact, and you're doing that. And if you're not doing it, it's called a deceptive trade practice, Mears says.
As many companies, including ValueClick have discovered, “That puts you at risk to the FTC, saying you've committed a deceptive practice and it will provide penalties,” Mears says.
So, what's a chief security officer to do to stay off the FTC's radar? Most important is developing procedures to protect data, says C. Lee Peeler, president of the National Advertising Review Council and executive vice president at the Council of Better Business Bureaus, as well as a former FTC employee.
“Some of the well-publicized data breaches have occurred because of very well-known security flaws that people haven't taken steps to correct,”he says. He has his own theories about why data breaches that catch the FTC's attention continue to occur despite the widespread attention many have received lately. Many times, companies are just moving along and not thinking about security, he says. “It's not something they naturally do, which is why the FTC brings cases to court and why Congress passes laws, such as the Gramm-Leach-Bliley Act,” which requires financial institutions to develop a written information security plan outlining how they're prepared to protect clients' personal information.
“You need a CEO who says data security is important enough to do right,” Peeler adds. And “right” in this case, means taking a thorough inventory of an organization's data sources to gain an understanding of how and where the organization's data is stored and to analyze the vulnerabilities within an organization's data management systems, he says.
Keep only what you need
Jessica Rich, an assistant director in the FTC's division of privacy and protection, who oversees many of the agency's privacy and data security investigations, reaffirms that. “Figure out what data you have and keep only what you need for your business,” she says. “That's a hugely important concept. A number of FTC prosecutions would never have happened if the company had followed that one step.”
Many FTC enforcement activities resulted from situations in which companies “collected and stored information that wasn't necessary for any reasonable business process,” Rich says. The data stored on the magnetic strip on credit and debit cards is a prime example, and “the sensitive information on them that is often replicated to create phony cards shouldn't have been stored in the first place.”
Of course, it's also imperative for organizations to protect the data they elect to keep. “Once you've figured out what you need, figure out what protections are critical,” Rich adds.
As Peeler notes, that involves assessing all of an organization's risks. This assessment should determine who has access to the data and where it's kept, with the goal of developing safeguards to address those risks, she says.
Another key point: “When you don't need the data you've collected, dispose of it properly,” Rich emphasizes. “We have seen a lot of companies put information into dumpsters and leave it loose in public areas.”
Such security breaches waiting to happen are often inexpensive to eliminate, she notes. These measures can, for instance, include simply periodically hiring a paper shredding company to destroy credit and debit card receipts and other documents with personally identifying information on them.
Consumer frustration
From a business perspective, CSOs must also be aware of “what the hottest issues in terms of enforcement at the FTC are at any given time,” says D. Reed Freeman, a partner in the advertising and marketing practice at law firm Kelley Drye & Warren. “It's no surprise that enforcement tends to follow consumer frustration,” which is indicated in consumer complaints.
The hot issues before the FTC now fall into two principal areas, he says. Not surprising, privacy and information security is one, while unfounded weight loss claims is the other.
“Children's privacy and the failure of a company to live up to privacy representations it has made to consumers at the time they collect the consumers' personal information” are hot button issues with the FTC now, Freeman says. “And, of course, failure to appropriately safeguard the information once collected.”
Freeman also notes that the FTC has published nearly 20 settlements it has reached in information security cases. “CSO are well advised to study the complaints in each of those cases because they lay out in detail the types of practices the FTC believes result in an overall inadequate information security program,” Freeman adds.
The penalty flag
When considering whether to prosecute, the FTC evaluates cases for reasonable security measures,” Rich says. “We generally haven't wanted to bring cases close to the line to court – we're looking for cases where data security was so unreasonable it warranted action.”
But once a company catches the FTC's attention, it can expect significant penalties if found guilty. As the ValueClick case shows, a company that's run afoul of the FTC can incur significant financial losses. Moreover, the FTC can demand an annual or semi-annual security audit for 10 to 20 years.
And if companies still need more incentive to figure out what's right, settlements between the FTC and companies it has investigated have also included redress of money lost in illegal activities by consumers.
“We've made them disgorge their ill-gotten gains,” Rich says.
[Sidebar]
Typical FTC action: ValueClick case
The FTC's recent $2.9 million settlement with ValueClick, an integrated online marketing services firm, offers a good example of the types of data security-related missteps the agency prosecutes.
The FTC said that ValueClick and its subsidiaries, Hi-Speed Media and E-Babylon, not only violated federal law with deceptive advertising and emails, but also “failed to secure consumers' sensitive financial information, despite their claims to do so.” In addition, the FTC charged the three companies with misrepresenting the security measures they'd put in place to safeguard customers' sensitive financial information.
Notably, the FTC said the companies published online privacy policies claiming they encrypted customer information, but either didn't actually encrypt the information at all or used non-standard forms of encryption. Also notable was the FTC's charge that several of the companies' websites were vulnerable to SQL injection attacks, despite the fact that the companies claimed they implemented reasonable security measures.
The settlement requires ValueClick and its subsidiaries to develop and maintain a comprehensive security program and undergo independent third-party audits of their programs for the next 20 years.
The FTC has imposed similar penalties in a number of other high-profile cases involving what it called “multiple failures to address well-known vulnerabilities, failure to use readily available and often inexpensive security measures, and substantial injury to consumers in the form of account fraud, time loss and inconvenience.“
ChoicePoint, for instance, following a breach in 2005, paid $10 million in civil penalties and $5 million in consumer redress to settle FTC charges that its security procedures violated consumer privacy rights and federal laws. ChoicePoint's security lapses led to at least 800 cases of ID theft, according to the FTC. – Jim Carr