Data Security Enforcement in the U.S. - PowerPoint PPT Presentation

1
Data Security Enforcement in the U.S.
  • CIOs and CIO Councils
  • Good Government, Good Business
  • September 26, 2006

2
FTC Data Security Fundamentals
  • Section 5 of the Federal Trade Commission Act
    (FTC Act) prohibits unfair or deceptive acts
    or practices in or affecting commerce.
  • Prohibited practices include deceptive claims
    that companies make about privacy, including
    claims about the security they provide for
    consumer information.
  • Also requires companies holding sensitive data to
    have in place procedures to secure it if the
    failure to do so is likely to cause substantial
    consumer injury.

3
GLBA Safeguards Rule
  • Rule requires financial institutions under the FTC's
    jurisdiction to develop and implement appropriate
    physical, technical, and procedural safeguards to
    protect customer information.
  • Provides a strong but flexible framework for
    companies to take responsibility for the security
    of information in their possession.

4
GLBA Safeguards Rule
  • Elements
    • Develop a written information security plan
    • Designate employee(s) to coordinate safeguards
    • Identify and assess risks to customer information
    • Oversee service providers
    • Periodically update the information security program

5
Fair Credit Reporting Act
  • Regulates credit bureaus, any entity or
    individual who uses credit reports, and the
    businesses that furnish information to credit
    bureaus.
  • The FCRA requires that sensitive credit report
    information be used only for certain permitted
    purposes.

6
The FACTA Disposal Rule
  • Requires businesses to take reasonable and
    appropriate measures to prevent the unauthorized
    access to or use of information in a consumer
    report.
  • Burn, pulverize, or shred papers
  • Destroy or erase electronic files or media
  • Select third-party disposal companies with care
  • Ensure third-party disposal companies follow rules

7
FALSE SECURITY PROMISES
  • Eli Lilly and Company
  • Microsoft Corporation
  • Guess?, Inc.
  • MTS, Inc. and Tower Direct LLC
  • Petco Animal Supplies

8
ORDERS
  • Can't misrepresent the extent to which the company
    maintains and protects the security,
    confidentiality, or integrity of personal
    information it collects from or about consumers
  • Must establish and maintain a comprehensive
    security program
  • Must obtain a security assessment and report from
    a qualified third party biennially for 20 years

9
Safeguards Rule Enforcement
  • Superior Mortgage Corp.
    • In September 2005, the FTC settled allegations
      that Superior Mortgage Corp. violated the Rule.
    • Allegations:
      • failed to establish an information security
        program as required by the Rule
      • misrepresented that sensitive mortgage
        application information was encrypted before
        being sent by email
    • Order prohibits future violations and requires an
      information security program and third-party
      audits.

10
IN THE MATTER OF CARDSYSTEMS, INC.
  • CardSystems
    • Failed to take appropriate security measures to
      protect the information of tens of millions of
      consumers, resulting in millions of dollars of
      fraudulent purchases
    • Largest known compromise of financial data to
      date

11
ALLEGED UNREASONABLE PRACTICES
  • Created unnecessary risks to the information by
    storing it
  • Did not implement simple, low-cost, and readily
    available defenses to reasonably foreseeable
    attacks on its computer network
  • Did not use strong passwords to prevent a hacker
    from gaining control over computers on its
    network
  • Failed to employ sufficient measures to detect
    unauthorized access to personal information or to
    conduct security investigations

12
Decision Order
  • Comprehensive conduct relief
    • establish and maintain a comprehensive
      information security program
    • obtain security assessments and reports for its
      information security program
  • Standard scofflaw provisions to ensure compliance
    • recordkeeping
    • order distribution
    • the filing of a compliance report

13
IN THE MATTER OF CHOICEPOINT, INC.
  • The FTC alleged that ChoicePoint failed to use
    reasonable procedures to screen prospective
    subscribers and monitor their access to sensitive
    consumer data, in violation of the FCRA and FTC
    Act.
  • These failures allowed identity thieves posing as
    legitimate businesses to obtain access to the
    personal information of over 160,000 consumers,
    including nearly 10,000 consumer reports.
  • At least 800 cases of identity theft arose out of
    these incidents.

14
Significant relief for consumers
  • Record $10 million civil penalty for violations
    of the FCRA
  • $5 million in consumer redress for identity theft
    victims
  • Significant injunctive provisions

15
FOUR POINTS THAT GUIDE THE FTC'S INFORMATION
SECURITY ENFORCEMENT
  • Information security is an ongoing process.
  • A company's security procedures must be
    reasonable and appropriate in light of the
    circumstances.
  • A breach does not necessarily show that a company
    failed to have reasonable security measures;
    there is no such thing as perfect security.
  • A company's practices may be unreasonable and
    subject to FTC enforcement even without a
    known security breach.