Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Database
    • IT Management

    FTC Wags Finger at Retail Site for Weak Data Security

    By
    Evan Schuman
    -
    January 24, 2008
    Share
    Facebook
    Twitter
    Linkedin

      The Federal Trade Commission on Jan. 17 cracked down-albeit mildly-on an e-tailer that the government alleged made security claims that were “deceptive and violated federal law.”

      The company, a clothing and home accessories e-tailer named Life Is Good, collected a wide range of information from its consumer customers, including names, addresses, credit card numbers, credit card expiration dates and credit card security codes. “All information is kept in a secure file and is used to tailor our communications with you,” Life Is Good stated on its Web site.

      The government said the promise was misleading. “Contrary to these claims, the FTC alleges that [Life Is Good] failed to provide reasonable and appropriate security for the sensitive consumer information stored on its computer network,” the commission said in a statement.

      The FTC said the Life Is Good site “unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network and by storing credit security card codes.” The site also “failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks,” the FTC said.

      Much of this, though, would likely have gone on undetected had it not been for a cyber-thief launching a successful SQL injection attack on the site, grabbing lots of that consumer data.

      The government’s punishment was that the site has to pay for a third-party independent security audit every other year for 20 years.

      The settlement-approved, 5-0, by the FTC-“also contains bookkeeping and record keeping provisions to allow the agency to monitor compliance with its order,” the FTC said.

      The problem with the FTC’s proposed settlement is that there is no substantial punishment element. The settlement simply lists some of the things every site should be doing anyway. Based on the particulars made in this statement, LifeIsGood.com is suffering no pain because it was caught.

      For example, consider the every-other-year audit requirement. Because the site accepts credit cards, it should already be subject to PCI (Payment Card Industry) compliance requirements. PCI rules would have the site undergoing a security compliance assessment once a year already. If the site wants to be PCI-compliant, then, the FTC requirement would be irrelevant.

      Technically, we are talking about two very different kinds of reviews. The PCI review is an assessment, which is typically more of a question process, while the FTC procedure would be an SAS (Statement on Auditing Standards) 70 Type II review, which is a true audit.

      As a practical matter, though, the differences aren’t necessarily that pronounced. There are huge variations in how assessors handle PCI reviews, and some of these reviews are almost as demanding as full SAS 70 Type II audits. If the assessor, bank and credit card company agree, they can pretty much make PCI compliance as high a hurdle as they want.

      This is especially true given that any discovered breach such as this will trigger a PCI rule that subjects a retailer of any size-even a Level 4-to the most stringent demands of a Level 1 assessment.

      PCI compliance consultant David Mertz, of Compliance Security Partners, argues that the FTC fine is indeed a huge punishment because of the much higher fees that third-party assessors and auditors will charge for it-fees Mertz estimated at between $10,000 and $25,000 for a PCI third-party assessment and between $75,000 and $250,000 for an FTC-level audit.

      Another PCI compliance consultant, Dave Taylor, who is also president of the PCI Vendor Alliance, sees it differently. “The reason is due to probability, not severity of the audit,” Taylor said. “FTC enforcement actions are rare-BJ Wholesale, etc. The sins of the merchant have to be pretty blatant, and someone has to complain to the feds to get the ball rolling. So, few merchants do a thing specifically to avoid FTC actions. PCI remains much more certain as an annual event driven by an ongoing relationship with the merchant bank.”

      Getting back to the FTC order involving Life Is Good, the commission’s other claims are even more common sense, as opposed to punitive:

      • “The settlement bars [Life Is Good] from making deceptive claims about its privacy and security policies.” And this somehow doesn’t apply to every other site out there-sites that have not been caught doing anything wrong?
      • “It requires the company to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from consumers.” ‘Nuff said.
      • This is punishment?
      • “The program must contain administrative, technical, and physical safeguards appropriate to [Life Is Good’s] size, the nature of its activities, and the sensitivity of the personal information it collects.” Sigh!
      • “[Life Is Good must designate] an employee or employees to coordinate the information security program.”
      • “Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place.” Not quite 25 years of hard labor, is it?
      • “Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness.”
      • “Develop reasonable steps to select and oversee service providers that handle the personal information of [Life Is Good] customers.”
      • “Evaluate and adjust its information-security program to reflect the results of monitoring, any material changes to the company’s operations, or other circumstances that may impact the effectiveness of its security program.”

      I have no problem with these nice guidelines on what every site should be doing. But to label them as punishment and to trumpet them as such suggests that the government must think e-tailers are a stunningly gullible bunch.

      Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn’t plan to stop any time soon. He can be reached at [email protected].

      To read earlier retail technology opinion columns from Evan Schuman, please click here.

      Avatar
      Evan Schuman
      Evan Schuman is the editor of CIOInsight.com's Retail industry center. He has covered retail technology issues since 1988 for Ziff-Davis, CMP Media, IDG, Penton, Lebhar-Friedman, VNU, BusinessWeek, Business 2.0 and United Press International, among others. He can be reached by e-mail at [email protected]

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×