The transcript of FTC Chairman Deborah Platt Majoras’ keynote on February 6 at the RSA conference, “ID Theft and Cyber-crime: Where Thieves, Victims, Industry and Government Intersect,” is available on the FTC site.
I’ve often stressed how the FTC Act basically applies to all organizations of all sizes in all industries doing business in the U.S. that have been entrusted to handle personal information. Too many organizations still believe that information security and privacy issues only need to be handled by healthcare or financial organizations. The FTC has made many published statements to demonstrate that all organizations had better get their act together and implement safeguards for personally identifiable information (PII). Some of the statements within Majoras’ keynote emphasize this.
“Our primary authority derives from Section 5 of the FTC Act, which empowers the Commission to take action against deceptive and unfair practices in or affecting commerce. The flexible nature of our Section 5 authority allows the Commission to protect consumers and competition from conduct that has not been specifically addressed through other legislation. As such, we are often at the forefront of new markets, new technologies, and unfortunately, new illegal practices.”
Surprisingly, many organizations still do not understand the impact the FTC Act has upon them, nor do they understand that the FTC is aggressive in addressing FTC Act infractions.
Majoras indicated the FTC receives 15,000 to 20,000 consumer communications per week reporting breaches and identity theft concerns. PER WEEK. She provided a few examples.
“A consumer from Los Angeles recently contacted the FTC and reported that his employer had experienced a data breach, in which the consumer’s employee records, including Social Security number, were compromised. An identity thief opened five credit card accounts in the consumer’s name, resulting in thousands of dollars in charges. In addition, the thief deposited a fraudulent $2,500 check into the consumer’s checking account and immediately withdrew $1,900. Of course the check bounced, resulting in the consumer losing the $1,900. In the month since discovering the theft, this consumer has spent literally hundreds of hours trying to resolve this issue. In another incident reported to the FTC, an Indianapolis woman had at least nine credit card accounts opened in her name, with more than $9,000 in charges in one month’s time. Regrettably, these two examples, involving thousands of dollars in fraudulent charges and significant expenditures of time, are all too typical for identity theft victims.”
Majoras discussed many of the FTC’s education initiatives.
“An educated consumer is an empowered consumer, and this year’s theme for National Consumer Protection Week (which is this week), sponsored by the FTC in cooperation with hundreds of federal, state, and local agencies and national advocacy organizations, is “Read Up and Reach Out. Be an Informed Consumer.” We are working with private sector entities on several outreach events as part of National Consumer Protection Week.”
Use the FTC materials they freely offer from their website. Use the FTC! They will work with you to make presentations, podcasts and other types of events. Too many folks bemoan not having enough budget for their training and awareness efforts, and that is probably true. However, use some of the many free…and good…materials and offerings from the government, and particularly from the FTC. After all, your U.S. taxpayer dollars paid for it; use them!
“The Commission’s multifaceted approach to combating identity theft also includes strong law enforcement against companies that fail to take reasonable steps to protect sensitive consumer information.”
Indeed. Other regulatory oversight agencies should follow their example.
“There is no doubt that there is no perfect security and sometimes even responsible security measures will not stop a thief. Nonetheless, companies and organizations that maintain sensitive consumer data must ensure that they have reasonable and appropriate systems in place, or they certainly will open the door to identity theft. Those who have failed to take reasonable security measures have faced the Commission’s “full court press” of aggressive law enforcement. Since 2001, the FTC has brought 14 enforcement cases against businesses that have failed to provide reasonable data security. These enforcement actions can provide some lessons for businesses.
First, if you make claims about data security, be sure that they are accurate. The Commission has brought several cases against companies that allegedly misrepresented their own security procedures. In actions against Microsoft, Petco, and Tower Records, the FTC challenged claims on the companies’ websites that each had strong security procedures in place to protect consumer information. The FTC alleged that, contrary to these claims, the companies did not have even the most basic security measures in place.
Second, be aware of well-known and common security threats and protect against them. In many of our cases, we alleged that companies failed to protect their customer information from a simple and well-known type of attack – an SQL injection – to install hacker tools on the companies’ computer networks. In other cases, we have challenged failures to protect data from obvious low-tech security threats such as dumpster diving. For example, we sued a mortgage company that had, among other things, thrown consumer loan files into a dumpster.
Third, know with whom you are sharing your customers’ sensitive information. Perhaps our most well-known security case was against ChoicePoint, which sold 160,000 consumer files to identity thieves posing as clients. In its complaint, the Commission alleged that ChoicePoint lacked reasonable procedures to verify the legitimacy of its customers.
Fourth, do not retain sensitive consumer information that you do not need. In cases we announced last year against BJ’s Warehouse and DSW Shoe Warehouse, the companies stored full magnetic stripe information unnecessarily – long after the time of the transaction, when the companies no longer had a business need for the information. The magnetic stripe information was unencrypted and had weak access controls. As a result, thieves were able to hack into a single store’s database and from there into the company’s central database, where they obtained hundreds of thousands of credit card numbers and security codes.”
All companies and organizations are expected to do these things.
Print out this part of the speech. Point it out to your CEO. You must have information security and privacy safeguards in place if you have PII. If you don’t, the FTC may very well initiate a “full court press of aggressive law enforcement” against your company!
“Moreover, there is no one-size-fits-all, cookie-cutter plan that will work for all businesses. Any security plan should be adapted to the size and nature of the business, the nature of the information the business maintains, the security tools that are available, and the security risks the business is likely to face.”
Important point. Too many organizations complain about not having laws with very specific details about what they must do. As Majoras points out quite eloquently, what you need to do depends upon your own unique organization.
“In addition, the FTC and the federal bank regulators are hard at work on the so-called “Identity Theft Red Flags” rule, which is required under the FACT Act. Once promulgated, this rule will require businesses that maintain personal consumer information to implement procedures to identify signs of possible identity theft.”
This is something else that I know many organizations are not yet aware of. Do not wait for your lawyers to notify you about these things. YOU, information security and privacy professionals, need to take the initiative to be up on these laws that require information safeguards.