Townsend Security Data Privacy Blog

There’s a New Sheriff in Town – Named the FTC

Posted by Patrick Townsend on Jul 2, 2012 9:45:00 AM


Recent weeks have seen an upsurge in enforcement activity by the FTC around data breaches. That’s right, the Federal Trade Commission. We are used to seeing HIPAA enforcement activity by HHS related to data breaches in the medical segment, and merchants and card processors who experience data breaches of credit card information are penalized by the card brands when they are out of compliance.

But the FTC???

Clearly the Federal Trade Commission is taking published assertions about data privacy seriously, and is treating violations of published privacy policies as a case of consumer fraud. Or, as they like to put it, “unfair and deceptive” trade practices. So, if you say you are protecting consumers’ personal information, you had better be doing it. And you had better be using security best practices.

Here is an extract from an article in the June issue of InformationWeek on a recent action against Wyndham:

The FTC is suing Wyndham for "unfair and deceptive" practices, owing to promises made in the company's privacy policy, which reads, in part: "We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program." According to the FTC, "the case against Wyndham is part of the FTC's ongoing efforts to make sure that companies live up to the promises they make about privacy and data security."

Wyndham is challenging the action, but they are not alone in being targeted by the FTC. There have been recent actions against a car dealership, credit report resellers, restaurants, and even Google.

We’ve been thinking about the cost of data breaches too narrowly.

We’ve been thinking that only highly regulated industries such as medical and banking were subject to data breach fines. We’ve been thinking that small companies were not likely to see action against them for data breaches. At the last trade show I attended, three people on the same day said to me “We are a small privately held company. The data breach laws don’t apply to us.” 

Sorry, the FTC does not agree with you.

There are a lot of things you need to do to protect customer information. But if you are not encrypting that information, you are exposed to this type of action.

And if you think a little further into what it means to encrypt data, you have to figure out how to protect encryption keys. If you are encrypting the information but are not protecting the encryption key, you are also exposed. Think about it this way: When you leave your house or apartment in the morning, you don’t tape your key to the door. So why would you store the encryption key on the same server as the protected data? That is not going to pass the sniff test if you have a data loss.

Here is one last thought: The FTC doesn’t like to have to solve the same problem twice. Typical settlements of FTC actions include many years of mandatory and expensive audits. I’ve heard the business logic that says “If we get caught we will just pay the fine.” Don’t be that guy. Life is rarely that simple. Download our white paper "AES Encryption and Related Concepts" to learn about encryption and key management best practices that can help keep your data safe.

Patrick


Topics: Data Privacy, Data Breach