Of all the U.S. government regulatory oversight agencies, the Federal Trade Commission (FTC) is the most active and aggressive in looking for and applying penalties to organizations that not only are in noncompliance with laws and regulations, but also those who are not in compliance with their own information security and privacy promises; in other words, those that are practicing “unfair and deceptive trade practices.”
FTC Chairman Deborah Platt Majoras said October 1 in a speech kicking off the 2007 National Cyber Security Awareness Summit that the FTC plans to continue actively going after organizations that do not have appropriate information security programs and practices in place.
This week’s BNA Privacy & Security Law Report (a subscription site) had an article, “FTC Chairman: More Than Two Dozen Data Security Probes Are Open at Agency” summarizing Majoras’ speech.
Majoras provided some important statistics and information that anyone involved with information assurance activities should know:
* In the past “recent years” the FTC has applied 14 enforcement actions against organizations for not providing “reasonable” information protection and security mechanisms.
* The FTC currently has more than 24 open information security investigations going on.
* ChoicePoint was used as an example; Majoras pointed out the company had violated Section 5 of the Federal Trade Commission (FTC) Act, which prohibits unfair or deceptive trade practices, and they also violated the Fair Credit Reporting Act. Section 5 of the FTC Act provides for sanctions to be applied in the form of consent orders, such as detailed activities that must be performed for typically 20 years, but it does not allow for the imposition of fines. So, the FCRA charge was the basis on which the court approved the $10 million fine (in January 2006) against ChoicePoint.
* DSW Inc., was the second case, in December 2005, for which the “unfair and deceptive trade practices” portion of Section 5 was applied because of poor infomration security programs and practices.
* Majoras pointed out that the violation in each case was not the data breach, but the non-existance of appropriate security that would have prevented the breach.
It is important for your business leaders to understand this clearly; the FTC can, and will, apply penalties against organizations that do not have proper information security and privacy practices and programs in place, even if there has not yet been a breach. A breach will certainly put the FTC’s spotlight of scrutiny upon an organization, though, and make it that much more likely to undergo an FTC investigation.
Business leaders must understand that the best way to prevent FTC penalties and the associated bad publicity is to avoid an information security incident in the first place by having appropriate security in place.
Tags: awareness and training, FTC Act, Information Security, IT compliance, Majoras, National Cyber Security Awareness Summit, personally identifiable information, PII, policies and procedures, privacy, privacy incident, risk management, security training