I am excited. I'm really happy to see that the U.S. Federal Trade Commission (FTC) has now made available all the minute details of all its rulings since 1969 in one (comparatively) easy-to-find location.
Why is this so neat, you ask?
Because the fines and pains applied to others get the attention of business leaders, who want to avoid being on the receiving end of those penalties themselves. By showing business leaders the negative impacts of not implementing information security and privacy controls, as demonstrated through FTC penalties, consent orders, and so on, information assurance practitioners have one more avenue for making the case for those controls.
These decisions contain details that are valuable for helping organizations see what the FTC treats as the standard of due diligence.
For example, a decision from December 15, 2005 ruled that Superior Mortgage Corp., a New Jersey mortgage lender, misrepresented the extent to which it maintained and protected the privacy, confidentiality, or security of personal information collected from or about consumers, and also violated the FTC Act and the Safeguards Rule through many of its activities, including (as excerpted from the ruling):
“VIOLATIONS OF THE SAFEGUARDS RULE
5. Through its offices and websites, respondent has collected sensitive customer information in connection with the mortgage application process, including customer names, Social Security numbers, credit histories, and bank and credit card account numbers. Since the Safeguards Rule’s effective date until at least May 2005, respondent failed to implement reasonable policies and procedures to protect the security and confidentiality of the information it collects.
6. For example, respondent failed to (a) assess risks to its customer information until more than a year after the Rule’s effective date; (b) institute appropriate password policies to control access to company systems and documents containing sensitive customer information; and (c) encrypt or otherwise protect sensitive customer information before sending it by email. Respondent also failed to take reasonable steps to ensure that its service providers were providing appropriate security for customer information and addressing known security risks in a timely fashion.
7. By failing to implement reasonable security policies and procedures, respondent engaged in violations of the Safeguards Rule, including but not limited to:
A. Failing to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity
B. Failing to design and implement information safeguards to control the risks to customer information and failing to regularly test and monitor them; and
C. Failing to oversee service providers to ensure that they implement safeguards to protect respondent’s customer information.
8. A violation of the Safeguards Rule constitutes an unfair or deceptive act or practice in violation of Section 5(a)(1) of the FTC Act.
VIOLATIONS OF THE FTC ACT
9. Since at least 2002, respondent has collected personal information from consumers through its Online Application Form at www.supmort.com. Since at least 2003, respondent has operated five additional websites that collect personal information from consumers by linking them to the Online Application Form. This online form serves as an initial step for many consumers seeking a loan through respondent.
10. The Online Application Form collects from consumers personal information, including, but not limited to, name, address, date of birth, Social Security number, credit history, and bank and credit card account numbers.
11. Since at least 2002, respondent has disseminated or caused to be disseminated on www.supmort.com the following statement regarding the privacy and confidentiality of personal information collected through respondent’s website:
All information submitted is handled by SSL encryption – see the yellow padlock at the bottom of your browser. Exhibit A (Superior Mortgage webpage dated October 25, 2004).
12. Through the means described in paragraph 11, respondent has represented, expressly or by implication, that the personal information it obtained from consumers through www.supmort.com was encrypted using SSL from the time of submission until receipt by respondent.
13. In truth and in fact, the personal information obtained from consumers through www.supmort.com was not encrypted using SSL from the time of submission until it was received by respondent. Instead, respondent encrypted sensitive personal information only while it was being transmitted between a visitor’s web browser and the website’s server (using SSL); once the information reached the server, it was decrypted and emailed to respondent’s headquarters and branch offices in clear, readable text. Therefore, the representation set forth in paragraph 12 was false or misleading.
14. The acts and practices of respondent as alleged in this complaint constitute unfair or deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the Federal Trade Commission Act.”
This ruling demonstrates the importance of information assurance activities such as the need:
* For documented information security and privacy policies and procedures that are consistently supported and enforced.
* For performing information risk assessments and applying security controls based upon the results.
* To implement encryption as appropriate to protect PII not only while it is in transit (on every hop, including email from the web server onward, not just the browser-to-website leg that SSL covered in this case) but also in storage, based upon risk and upon posted promises.
* To assess and ensure the adequacy of the information security programs and controls of business partners to whom your organization has entrusted PII.
* To incorporate information security controls and mechanisms into applications and systems.
* To create procedures that support posted privacy policies and other information security promises.
* To ensure that any safeguards implied by published or posted statements (here, "handled by SSL encryption") are actually in place for the whole path the data travels.
* To regularly test and validate safeguards.
* To implement monitoring and logging for security and privacy related activities.
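Paragraph 13 of the complaint is the failure worth seeing in code: SSL covered only the hop from the visitor's browser to the web server, after which the server decrypted the application and emailed it to headquarters and the branch offices in clear, readable text, so the "handled by SSL encryption" promise did not hold for the rest of the journey. The Go program below is an added example, written for this page and not taken from the original post, the FTC record or Superior Mortgage's systems, of what "encrypt or otherwise protect sensitive customer information before sending it by email" (paragraph 6) looks like: the web server seals each application with a fresh AES-256-GCM key and wraps that key to the branch office's RSA public key (RSA-OAEP), so the email body can sit on mail relays and in mailboxes without exposing the data, and only the office holding the private key can open it. The Application fields, the sample values, the label string and all function names are assumptions for the illustration; ClearTextEmailBody is included only to show the pattern the complaint faulted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Application stands in for the fields paragraph 10 lists; the fields, sample values and label are constructed.
type Application struct {
	Name        string `json:"name"`
	SSN         string `json:"ssn"`
	BankAccount string `json:"bank_account"`
}

const label = "mortgage-application-v1" // ties the wrapped key and the ciphertext to this one use

// ClearTextEmailBody is the practice paragraph 13 describes: once SSL ended at the server, the fields went into the email as-is.
func ClearTextEmailBody(app Application) string {
	return fmt.Sprintf("Name: %s\nSSN: %s\nBank account: %s\n", app.Name, app.SSN, app.BankAccount)
}

// newGCM builds the AES-256-GCM AEAD used on both ends.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForBranch is the corrected step: the web server holds only the branch office's public key, so no mail hop can read the data.
func SealForBranch(pub *rsa.PublicKey, app Application) (string, error) {
	plaintext, err := json.Marshal(app)
	if err != nil {
		return "", err
	}
	buf := make([]byte, 32+12) // fresh AES-256 key and 96-bit GCM nonce, used for this message only
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(label))
	if err != nil {
		return "", err
	}
	// Envelope layout: wrapped key (pub.Size() bytes) || nonce (12) || AES-GCM ciphertext and tag.
	env := append(append(wrapped, nonce...), gcm.Seal(nil, nonce, plaintext, []byte(label))...)
	return base64.StdEncoding.EncodeToString(env), nil
}

// OpenAtBranch runs where the private key lives; a tampered body fails the OAEP or GCM check instead of yielding bad data.
func OpenAtBranch(priv *rsa.PrivateKey, body string) (Application, error) {
	var app Application
	env, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return app, err
	}
	keyLen := priv.Size() // the OAEP-wrapped key is one RSA block, 256 bytes for RSA-2048
	if len(env) < keyLen+12 {
		return app, fmt.Errorf("envelope too short: %d bytes", len(env))
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env[:keyLen], []byte(label))
	if err != nil {
		return app, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return app, err
	}
	plaintext, err := gcm.Open(nil, env[keyLen:keyLen+12], env[keyLen+12:], []byte(label))
	if err != nil {
		return app, err
	}
	err = json.Unmarshal(plaintext, &app)
	return app, err
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the branch office's key pair, generated here for the demo
	if err != nil {
		panic(err)
	}
	app := Application{Name: "Jane Doe", SSN: "123-45-6789", BankAccount: "000123456"}
	body, sealErr := SealForBranch(&priv.PublicKey, app)
	got, openErr := OpenAtBranch(priv, body)
	fmt.Println("clear-text body exposes SSN:", strings.Contains(ClearTextEmailBody(app), app.SSN))
	fmt.Println("sealed body exposes SSN:", strings.Contains(body, app.SSN), "seal error:", sealErr)
	fmt.Println("branch recovered the record:", got == app, "open error:", openErr)
}
```

Running it prints that the clear-text body contains the SSN while the sealed body does not, and that the branch office recovers the record. The check to take away is the strings.Contains test in main: run every outbound mail body against each sensitive field before handing it to the mailer, and fail the send if any is found in the clear. How the branch office's private key is generated, stored and rotated is a separate problem; the property the example buys is that the web server holds no secret that would let a reader of the email recover the application.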
The details of many of the other rulings also provide good support for safeguard and privacy activities.
Tags: awareness and training, FTC Act, FTC ruling, Information Security, IT compliance, policies and procedures, privacy, Safeguards Rule, stolen laptops