Privacy & Data Security: Follow FTC Guidelines… Or Suffer The Consequences

Generally, you are required to protect the information regarding website visitors that is stored on your website’s server by implementing reasonable and appropriate data security measures. If you fail regarding this general requirement, you will be subject to claims from website visitors whose information has been compromised.

In addition, although there is no federal law of general application regarding specific data security obligations, the Federal Trade Commission (FTC) believes that it has the authority to undertake enforcement actions for security violations under Section 5 of the FTC Act which prohibits unfair or deceptive practices.

A good example of enforcement actions by the FTC, particularly regarding what the FTC considers to be the required level of data security safeguards, is the recent case brought by the FTC against Life Is Good.

Lifeisgood.com’s Privacy Statement

Life Is Good collected sensitive consumer information, including names, addresses, credit card numbers, credit card expiration dates, and credit card security codes through its website. Its privacy policy claimed: “We are committed to maintaining our customers’ privacy. We collect and store information you share with us – name, address, credit card and phone numbers along with information about products and services you request. All information is kept in a secure file and is used to tailor our communications with you.”

The FTC Claims

The FTC alleged that, contrary to its privacy policy, Life Is Good failed to provide reasonable and appropriate security for the sensitive consumer information stored on its computer network.

Specifically, the FTC alleged that Life Is Good:

  • unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network, and by storing credit card security codes;
  • failed to assess adequately the vulnerability of its Web site and corporate computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks;
  • failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks;
  • failed to use readily available security measures to monitor and control connections from the network to the Internet; and
  • failed to employ reasonable measures to detect unauthorized access to credit card information.

The Settlement

In its settlement with the FTC announced in a press release dated January 17, 2008, Life Is Good agreed to implement the following 5 administrative, technical, and physical safeguards in the future. These 5 safeguards are 5 excellent tips — delivered straight from the FTC — that you should also follow:

1.   Designate an employee or employees to coordinate the information security program.

2.   Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place.

3.   Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness.

4.   Develop reasonable steps to select and oversee service providers that handle the personal information of customers.

5.   Evaluate and adjust its information-security program to reflect the results of monitoring any material changes to the company’s operations, or other circumstances that may impact the effectiveness of its security program.

Conclusion

Sometimes form is as important as substance. What I mean is how you do something, and the fact that you documented it at the time you actually did it, is sometimes just as important as the fact that you did it.

The settlement safeguards in the Life Is Good case are a prime example. Simply having what you believe is a good data security program is one thing, but being able to document that you went through the steps outlined by the FTC is another.

The Life Is Good case points the way to what will work for data security. So, it’s highly recommended that you set up a filing system that preserves your documentation and indicates you went through these steps, and when you did it. Then set up a tickler to remind you to go through the steps on an annual basis.

We know that there is no data security program that is 100% safe from illegal intrusions. If you have an unfortunate data security breach, it’s likely the FTC or a state regulator will come knocking at your door. That’s why it’s so important for you to be able to produce a file that clearly shows you implemented reasonable and appropriate data security measures in accordance with the FTC guidelines.

The future of your business may depend on it.

About Chip Cooper: Full-time practicing Internet Attorney, SaaS Attorney and Software Attorney. My posts help you Protect Your Online Business with Internet Law updates and Website Legal Forms. Follow me on Google+. Sign up for Google Hangouts notices, and download my FREE book 7 Shocking Legal Gotchas That Can Shut Down Your Online Business In a Single Day… And What to Do About It!

Disclaimer: This information is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.

Author’s Note:  Although this post is a 2008 settlement, it’s still is good law.

 

Leave a Reply