FTC Case Raises Data Breach Stakes

A recent FTC settlement has raised the already high stakes for companies that suffer data and security breaches, according to one technology vendor.

Compgeeks.com, which operates Geeks.com, and its parent company agreed last month to settle FTC charges that the online computer and electronics seller “violated federal law by failing to provide reasonable security to protect sensitive customer data,” according to an FTC press release.

In 2007, hackers accessed the sensitive information of hundreds of the company’s customers, the FTC said. The FTC complaint alleged “that until at least December 2007, among other security failures, the respondents routinely stored this sensitive information in unencrypted text on their corporate computer network.”

The FTC also charged that the company had failed to take adequate steps to protect its applications and networks. “And — from January 2007 or earlier through June 2007 or later — hackers repeatedly exploited these vulnerabilities by using SQL injection attacks on the www.geeks.com Web site,” the FTC claimed.

As part of the settlement, the company agreed to adopt stronger safeguards.

The FTC said the company “violated federal law by falsely stating that they took reasonable and appropriate measures to protect personal information from unauthorized access,” noting that the firm’s privacy policy stated in part: “We use secure technology, privacy protection controls, and restrictions on employee access in order to safeguard your information.”

IronKey, which makes encrypted USB drives, wondered in a blog posting if data breaches have now risen to the level of a federal offense.

“We hope that more active prosecution by the FTC in the USA may encourage companies to improve their data protection and encryption situation,” wrote IronKey CEO Dave Jevans.

Enterprise Strategy Group senior analyst Brian Babineau said the case is “a notice to organizations that if you are going to save or are required to save sensitive information for long periods of time, you had better secure and protect it. If there is one thing people should have learned from the compliance boom in the earlier part of this decade, it is that you will be required to save more data for extended periods of time and you need to secure this information. If you fail to do either of these, you risk fines, and worse, loss of consumer trust.”

Paul Shread
eSecurity Editor Paul Shread has covered nearly every aspect of enterprise technology in his 20+ years in IT journalism, including an award-winning series on software-defined data centers. He wrote a column on small business technology for Time.com, and covered financial markets for 10 years, from the dot-com boom and bust to the 2007-2009 financial crisis. He holds a market analyst certification.
