FTC Brings Data Breach Case
November 17, 2006
Company Failed to Use Reasonable Security Measures to Protect Consumers’ Data
Guidance Software Inc. has agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data contradicted security promises made on its Web site and violated federal law. According to the FTC, Guidance’s data-security failure allowed hackers to access sensitive credit card information for thousands of consumers. The settlement will require the company to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 10 years.
Guidance sells software and related training, materials, and services customers use to investigate and respond to computer breaches and other security incidents.
According to the FTC complaint, Guidance failed to implement simple, inexpensive and readily available security measures to protect consumers’ data. In contrast to claims about data security made on Guidance’s Web site, the company created unnecessary risks to credit card information by permanently storing it in clear readable text. In addition, the complaint alleges that Guidance failed to protect the information by:
- failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable Web-based attacks, such as structured query language injection attacks;
- failing to implement simple, low-cost, and readily available defenses to such attacks;
- storing in clear, readable text network administrator credentials, such as user name and password, that facilitated access to credit card information stored on the network;
- failing to use readily available security measures to monitor and limit access from the corporate network to the Internet; and
- failing to employ measures to detect unauthorized access to consumers’ credit
The settlement bars misrepresentations about security measures in the future and requires Guidance to establish and maintain a comprehensive information-security program that includes administrative, technical, and physical safeguards. The settlement also requires Guidance to obtain, every two years for the next 10 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order. The company also will be subject to standard record keeping and reporting provisions to allow the FTC to monitor compliance.
This is the FTC’s fourteenth case challenging faulty data-security practices by companies that handle sensitive consumer information.
The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through December 15, 2006, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
NOTE: Consent agreements are for settlement purposes only and do not constitute an admission by the defendant of a law violation.