A recent FTC settlement has raised the already high stakes for companies that suffer data and security breaches, according to one technology vendor.
The FTC and Compgeeks.com, which operates Geeks.com, and its parent company agreed to settle charges last month that the online computer and electronics seller “violated federal law by failing to provide reasonable security to protect sensitive customer data,” according to an FTC press release.
In 2007, hackers accessed the sensitive information of hundreds of the company’s customers, the FTC said. The FTC complaint alleged “that until at least December 2007, among other security failures, the respondents routinely stored this sensitive information in unencrypted text on their corporate computer network.”
The FTC also charged that the company had failed to take adequate steps to protect its applications and networks. “And — from January 2007 or earlier through June 2007 or later — hackers repeatedly exploited these vulnerabilities by using SQL injection attacks on the www.geeks.com Web site,” the FTC claimed.
As part of the settlement, the company agreed to adopt stronger safeguards.
The FTC said the company “violated federal law by falsely stating that they took reasonable and appropriate measures to protect personal information from unauthorized access,” noting that the firm’s privacy policy stated in part: “We use secure technology, privacy protection controls, and restrictions on employee access in order to safeguard your information.”
IronKey, which makes encrypted USB drives, wondered in a blog posting if data breaches have now risen to the level of a federal offense.
“We hope that more active prosecution by the FTC in the USA may encourage companies to improve their data protection and encryption situation,” wrote IronKey CEO Dave Jevans.
Enterprise Strategy Group senior analyst Brian Babineau said the case is “a notice to organizations that if you are going to save or are required to save sensitive information for long periods of time, you had better secure and protect it. If there is one thing people should have learned from the compliance boom in the earlier part of this decade, it is that you will be required to save more data for extended periods of time and you need to secure this information. If you fail to do either of these, you risk fines, and worse, loss of consumer trust.”