Last week, the FTC announced that both Ceridian Corporation and Lookout Services, Inc. have agreed to settlements related to security breaches that occurred in 2009. In Ceridian’s case, the breach exposed the Social Security numbers and direct deposit information of roughly 28,000 individuals; the Lookout breach exposed the Social Security numbers of approximately 37,000 consumers.
The details of the FTC announcement were interesting on two fronts. First and foremost, there was an absolute lack of strong security measures at both companies, making it child’s play for intruders to gain access to sensitive customer data. Lookout was charged with failure to implement strong password policies, storing passwords in clear text, and failure to provide access control to confidential web pages. Ceridian was charged with storing sensitive personal information in clear text on the company’s network and failure to take reasonable measures to detect and prevent unauthorized access to sensitive data.
The second interesting aspect of this news is that it demonstrates how the FTC is proactively taking action to protect consumers against data breaches. Both companies were charged with “unfair and deceptive trade practices” because they advertised security safeguards that they failed to provide. The message is clear: if you suffer a data breach that impacts consumers and have advertised how great your security is, you’re a target for a federal watchdog!
I like how the FTC is requiring the companies to implement and prove strong controls over access to sensitive data as part of the settlements. By mandating comprehensive data security plans and independent security audits, the FTC has sent a clear signal that companies managing consumer information will be held accountable to high standards of data protection. Notably, by prescribing explicit security plans and audits, the terms of the FTC settlements go well beyond the scope of many security and privacy laws in effect today.