Most online businesses promise they'll protect customer data as if it were their own. Now the government is holding them to it, writes SecurityFocus columnist Mark Rasch.
The last couple of weeks have been a busy time for information security law and privacy. First, the California law that requires disclosure of break-ins that compromise personal data went into effect on July 1st. Senator Diane Feinstein introduced legislation that would make such disclosure requirements mandatory nationwide. Aimster lost its appeal, Verizon ponied up its database, and the RIAA declared legal war on its customers.
The Interior Department was ordered offline again because it can't provide adequate security. The California Supreme Court declared that a former Intel employee's massive e-mail to his former colleagues was not a "trespass to chattels" and thereby limited (albeit slightly) the ability of network owners to decide what can and cannot be done on their networks.
But the most important event from a legal and security perspective was the fact that the United States Federal Trade Commission indicated its intention to actively pursue companies that obtain personal information by promising a level of security, and then not delivering it.
The FTC's enforcement action arose out of a series of events first reported on SecurityFocus involving Guess, Inc. A computer security "expert" demonstrated that the Guess Web page was vulnerable to an SQL injection attack, that could have exposed personal information about customers to public view. Of course, in exposing this attack, the then-19-year old hacker probably committed a felony violation of the federal computer crime law, but the FTC did not seem to be interested in referring that particular aspect of the case to the Department of Justice.
In the case of Guess, they promised consumers that their data "would be encrypted at all times" -- a logical impossibility. The 19-year old hacker demonstrated that Guess was subject to an SQL injection attack, which could expose customers' personal data. Thus, Guess wasn't living up to its promises, and therefore collected the data under false pretenses -- what the FTC concluded was a "deceptive trade practice."
Twenty To Life
The problem is that posted policies are written by lawyers and marketing experts and are rarely reviewed by IT security professionals. As a result, they contain grandiose promises -- goals, not realities -- that practically beg customers to sue. And changing the policies isn't as easy as putting in a new line of HTML -- a company would have to inform all of the customers about whom it had collected personal data under the old policy about the changes, and have them agree to the changes. Typical privacy policies (taken from the Web) include promises like:
"We will safeguard, according to strict standards of security and confidentiality, any information our customers share with us. We will permit only authorized employees, who are trained in the proper handling of customer information, to have access to that information. We will always maintain control over the confidentiality of our customer information. We will continuously assess ourselves to ensure that customer privacy is respected. or "the importance of security for all personally identifiable information associated with our customers is of utmost concern to us."
Woe be on the unwary consumer that actually listens to such platitudes -- but more woe be on the unwitting company that makes such promises, for they will be held to those standards.
In the past few months, the FTC or state regulators have proceeded with enforcement actions against Microsoft for failing to secure its Passport service as promised (yet another such vulnerability was discovered this past week), against Eli Lilly for an e-mail screw-up that resulted in the disclosure of some patents taking the drug Prozac, and against publisher Ziff Davis for failing to deliver the level of security it promised.
The Guess settlement required the company to -- for the next twenty years:
- Designate an employee or employees to coordinate and be accountable for the information security program
- Identify material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation
- Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards' key controls, systems, and procedures
- Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Guess knows or has reason to know may have a material impact on its information security program
- Obtain within one year, and on a biannual basis thereafter, an assessment and report from a qualified, objective, independent third-party professional, certifying that: (1) Guess has in place a security program that provides protections that meet or exceed the protections required by Part II of this order; and (2) Guess's security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of consumer's personal information has been protected
- Retain documents relating to compliance and submit them to the FTC.
In other words, Guess must have a rigorous information security program that includes external and internal security assessments, security and firewall monitoring, and independent audit and verification -- things it should have had all along.
More than any other development in the law, the Guess case should empower security professionals to obtain the resources they need to do the things they already know must be done.