FTC Wags Finger At Site For Weak Consumer Data Security

Written by Evan Schuman
January 19th, 2008

The Federal Trade Commission on Thursday cracked down, albeit mildly, on an E-Commerce site that the government said had made security claims that were "deceptive and violated federal law."

The site, Life is good, collected a wide range of information from its consumer customers, including names, addresses, credit card numbers, credit card expiration dates and credit card security codes. It also posted a statement on the site that said, "All information is kept in a secure file and is used to tailor our communications with you."

The government said the promise was misleading. "Contrary to these claims, the FTC alleges that Life is good failed to provide reasonable and appropriate security for the sensitive consumer information stored on its computer network," the FTC said in a statement.

The FTC said the site "unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network and by storing credit card security codes." The site also "failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks," the agency said.

Much of this, though, would likely have gone undetected had a cyber thief not launched a successful SQL injection attack against the site and walked off with a large amount of that consumer data.
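As an added illustration of the two findings above (card data kept in clear text and no defense against SQL injection), not code from the article or from the Life is good site, whose platform the article does not describe: a small Python/SQLite example with a constructed orders table. The e-mail addresses, card numbers and queries are invented for the example, and the card numbers are standard test numbers, not real accounts. The vulnerable lookup splices the caller's input into the query text; the hardened lookup binds it as a parameter, and the hardened schema keeps only what an order record actually needs.

```python
import sqlite3

# Constructed sample orders, in the shape the FTC complaint describes:
# full card number, expiry and security code, all in clear text. The card
# numbers are well-known test numbers, not real accounts.
SAMPLE_ORDERS = [
    ("alice@example.com", "4111111111111111", "12/09", "123"),
    ("bob@example.com", "4222222222222", "03/10", "456"),
    ("carol@example.com", "4012888888881881", "07/11", "789"),
]


def build_db_leaky():
    """In-memory table storing PAN, expiry and CVV indefinitely in the clear."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders ("
        "id INTEGER PRIMARY KEY, email TEXT, card_number TEXT, expiry TEXT, cvv TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders (email, card_number, expiry, cvv) VALUES (?, ?, ?, ?)",
        SAMPLE_ORDERS,
    )
    return conn


def build_db_hardened():
    """Same orders, but only the last four digits are kept and the CVV is
    never written at all (it is only needed at authorization time)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders ("
        "id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT, expiry TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders (email, card_last4, expiry) VALUES (?, ?, ?)",
        [(email, pan[-4:], expiry) for email, pan, expiry, _cvv in SAMPLE_ORDERS],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the caller's string is spliced into the SQL text, so a value
    such as  ' OR '1'='1  rewrites the WHERE clause and returns every row."""
    query = f"SELECT * FROM orders WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn, email):
    """Hardened: the value is bound as a parameter. The database receives the
    SQL text and the value separately and never parses the value as SQL."""
    return conn.execute("SELECT * FROM orders WHERE email = ?", (email,)).fetchall()


if __name__ == "__main__":
    leaky = build_db_leaky()
    payload = "' OR '1'='1"
    print("vulnerable, normal input   :", lookup_vulnerable(leaky, "alice@example.com"))
    print("vulnerable, injected input :", lookup_vulnerable(leaky, payload))
    print("fixed query, injected input:", lookup_fixed(leaky, payload))
    print("fixed query + fixed storage:", lookup_fixed(build_db_hardened(), "alice@example.com"))
```

Parameter binding is the kind of "simple, free or low-cost, and readily available" defense the FTC is pointing at: the fix is one line and costs nothing. The storage change matters just as much, because an injection (or any other read of the database) can only disclose what was kept; a table holding the last four digits and no security code is worth far less to a thief than the one described in the complaint.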

The government’s punishment was that the site has to pay for a third-party independent security audit every other year for 20 years.

The settlement—approved by the FTC 5-0—"also contains bookkeeping and record keeping provisions to allow the agency to monitor compliance with its order," the FTC said.

The problem with the FTC's proposed settlement is that there is no substantial punishment element to it. The settlement simply lists some of the things every site should be doing anyway. Going by the particulars in the FTC's statement, Life is good is suffering no pain for having been caught.

For example, consider the every-other-year audit requirement. Because the site accepts credit cards, it should already be subject to PCI compliance, and PCI rules would already have it undergoing a security compliance assessment once a year. If the site intends to stay PCI compliant, then, the FTC requirement adds little.

Technically, we are talking about two very different kinds of probes. The PCI probe is an assessment, which is typically more of a questionnaire process, while the FTC probe would be an SAS 70 Type II engagement, which is a true audit.

As a practical matter, though, the differences aren't necessarily that pronounced. There is huge variation in how different assessors handle PCI reviews, and some are almost as demanding as a full SAS 70 Type II audit. If the assessor, the bank and the card brand agree, they can pretty much set the PCI compliance hurdle as high as they want.

This is especially true given that a discovered breach such as this one triggers a PCI rule subjecting a retailer of any size, even a Level 4, to the most stringent demands of a Level 1 assessment.

PCI compliance consultant David Mertz, of Compliance Security Partners LLC, argues that the FTC order is indeed a substantial punishment because of the much higher fees that third-party assessors and auditors charge for it: he estimates $10,000 to $25,000 for a PCI third-party assessment versus $75,000 to $250,000 for an FTC-level audit.

Another PCI compliance consultant, Dave Taylor, who is also president of the PCI Vendor Alliance, sees it differently. "The reason is due to probability, not severity of the audit," Taylor said. "FTC enforcement actions are rare. BJ Wholesale, etc. The sins of the merchant have to be pretty blatant and someone has to complain to the feds to get the ball rolling. So, few merchants do things specifically to avoid FTC actions. PCI remains much more certain as an annual event driven by an ongoing relationship with the merchant bank."

Getting back to the FTC order, its other provisions read even more like common sense than like punishment.

  • "The settlement bars Life is good from making deceptive claims about its privacy and security policies." And this somehow doesn't apply to every other site out there, ones that have not been caught doing anything wrong?
  • "It requires the company to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from consumers." 'Nuff said. This is a punishment?
  • "The program must contain administrative, technical, and physical safeguards appropriate to Life is good's size, the nature of its activities, and the sensitivity of the personal information it collects." *sigh*
  • Life is good must "designate an employee or employees to coordinate the information security program" and "identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place." Not quite 25 years of hard labor, is it?
  • "Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness."
  • "Develop reasonable steps to select and oversee service providers that handle the personal information of Life is good customers."
  • "Evaluate and adjust its information-security program to reflect the results of monitoring, any material changes to the company's operations, or other circumstances that may impact the effectiveness of its security program."

    I have no problem with this nice guideline of what every site should be doing. But to label it a punishment and to trumpet it as such suggests that the government must think e-tailers are a stunningly gullible bunch.


    One Comment

    1. David Mertz Says:

      I am going to disagree with you on the nature of the punishment.

      1) When the FTC determines whether or not an entity is compliant or not, it uses a "reasonable and appropriate" standard. And, further, it looks at applicable industry and regulatory requirements to determine whether or not the entity met its "reasonable and appropriate" standard. So, the evaluation which was used to define the penalties is PCI plus any other requirements.
      2) The company has most likely already incurred penalties — fines, penalties, reimbursement costs, investigation costs, and litigation costs — at an average cost of $180 per compromised account.
      3) The company experiences negative publicity. TJ Maxx is the exception — most companies experience stock and/or sales declines.
      4) Don't discount the cost of the bi-annual security audit. PCI assessments are not a substitute for what the FTC is looking for. Rather, what the FTC is looking for is SAS 70 Type II audits. And, the costs of SAS 70 Type II audits for companies of any size range from $75,000 to $250,000 or more. Multiply this by 10 and you have significant penalties.
      5) And, the audits have to be reported back to the FTC. The FTC reviews and has to approve the results of the assessment. If the entity fails the FTC review, then the settlement with the FTC can be revoked and new penalties assessed by the FTC.
      6) And, since the entity does deal with PCI, then they automatically become a Level 1 merchant instead of whatever level they were before — and most likely they were not Level 1. As a result, they now have another penalty — the PCI assessment costs with VISA oversight.
      7) And, there are hidden costs of making sure the entity is meeting FTC requirements which include attorney’s fees, shifting of Executive Management’s focus from business to legal and regulatory issues, etc.

      There is much more to this than meets the eye. The FTC penalty basically establishes a federal agency as a business partner/governor nosing around the business for a period of 20 years. Few if any entities would consider this a slap on the wrist.

