Now Available:

line

Featured Resources:

line

Realtime Communities

line

Newsletter

Email Address:


line

Monthly Archives

line

RSS

line

Ask the Expert

Have a question for our resident expert? Email your questions to Rebecca.

« Who Would Want to Be a CISO or CPO for a Social Networking Site? | Main | Increase Business Productivity AND Reduce Carbon Dioxide Emissions »

Something You Should Know: FTC Is Aggressively Going After Companies With Poor Security

Of all the U.S. government regulatory oversight agencies, the Federal Trade Commission (FTC) is the most active and aggressive in looking for and applying penalties to organizations that not only are in noncompliance with laws and regulations, but also those who are not in compliance with their own information security and privacy promises; in other words, those that are practicing "unfair and deceptive trade practices."

FTC Chairman Deborah Platt Majoras said October 1 in a speech kicking off the 2007 National Cyber Security Awareness Summit that the FTC plans to continue actively going after organizations that do not have appropriate information security programs and practices in place.

This week's BNA Privacy & Security Law Report (a subscription site) had an article, "FTC Chairman: More Than Two Dozen Data Security Probes Are Open at Agency" summarizing Majoras' speech.

Majoras provided some important statistics and information that anyone involved with information assurance activities should know:

* In the past "recent years" the FTC has applied 14 enforcement actions against organizations for not providing "reasonable" information protection and security mechanisms.

* The FTC currently has more than 24 open information security investigations going on.

* ChoicePoint was used as an example; Majoras pointed out the company had violated Section 5 of the Federal Trade Commission (FTC) Act, which prohibits unfair or deceptive trade practices, and they also violated the Fair Credit Reporting Act. Section 5 of the FTC Act provides for sanctions to be applied in the form of consent orders, such as detailed activities that must be performed for typically 20 years, but it does not allow for the imposition of fines. So, the FCRA charge was the basis on which the court approved the $10 million fine (in January 2006) against ChoicePoint.

* DSW Inc., was the second case, in December 2005, for which the "unfair and deceptive trade practices" portion of Section 5 was applied because of poor infomration security programs and practices.

* Majoras pointed out that the violation in each case was not the data breach, but the non-existance of appropriate security that would have prevented the breach.


It is important for your business leaders to understand this clearly; the FTC can, and will, apply penalties against organizations that do not have proper information security and privacy practices and programs in place, even if there has not yet been a breach. A breach will certainly put the FTC's spotlight of scrutiny upon an organization, though, and make it that much more likely to undergo an FTC investigation.

Business leaders must understand that the best way to prevent FTC penalties and the associated bad publicity is to avoid an information security incident in the first place by having appropriate security in place.

Tags:                
 Email This!  Digg it!  Sphere it!  Del.icio.us  Reddit!  Newsvine

Posted by Rebecca Herold on October 7, 2007 3:23 PM |

TrackBack

TrackBack URL for this entry:
http://www.realtime-itcompliance.com/type/mt-tb.cgi/538

Post a comment

(All comments are approved by site leader before appearing here. Thanks for commenting!)

Search

line

Most Active Posts

line

Library Resources

line
line

Recent Posts

line

Categories

line

Rebecca Herold's Bio:

Rebecca Herold,CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.