The Federal Trade Commission (“FTC”) has published new guidance that “summarizes lessons learned” from the FTC’s 50-plus data security settlements while also announcing a series of data security conferences.
In the new guidance titled “Start With Security: A Guide for Business,” the FTC acknowledges that the data security requirements contained in the settlements apply only to the affected companies. However, the settlements—and the FTC’s distillation of them—reveal regulatory expectations and identify risks that can affect companies of all types and sizes. In this post, we summarize the FTC’s new guidance and provide details on the FTC’s data security conferences happening this fall.
Addressing the expectations revealed in the guidance may not eliminate all data security risk, but the guidance is a useful resource for assessing data security programs. For those looking to explore the FTC’s data security materials on their own, the FTC announced a new “at-a-glance” site where key FTC materials are available.
The FTC identified ten lessons from its data security settlements. We summarize the FTC’s expectations and provide brief descriptions of some of the settlements from which they derive:
1. Start with security:
RockYou – allegedly collected users’ email addresses and passwords unnecessarily and thereby increased the risk of unauthorized access to email accounts;
Accretive – allegedly used consumers’ personal information in employee training sessions, and did not remove the information from employees’ computers after the sessions were over; and
foru International – allegedly allowed service providers to access sensitive consumer data during the development of applications where such access was not necessary.
2. Control access to data sensibly:
Goal Financial – allegedly failed to implement reasonable restrictions on employee access to customers’ personal information, which resulted in personal information being transferred to third parties without authorization; and
Twitter – allegedly granted administrative access to employees whose jobs did not require such access, thereby increasing the risk of hackers gaining administrative access via compromised employee credentials.
3. Require secure passwords and authentication:
Twitter – allegedly did not require employees to use hard-to-guess passwords;
Guidance Software – allegedly stored user credentials in plain text;
Twitter – allegedly failed to prohibit employees from storing administrative passwords in plain text in their personal email accounts;
Lookout Services and Twitter – allegedly failed to suspend or disable user credentials after multiple unsuccessful login attempts; and
Lookout Services – allegedly failed to adequately assess the vulnerability of its web application to widely-known security flaws.
4. Store sensitive personal information securely and protect it during transmission:
Superior Mortgage Corporation – allegedly failed to encrypt emails containing customers’ sensitive information;
ValueClick – allegedly stored sensitive customer information in a database using an encryption method having significant vulnerabilities; and
Fandango and Credit Karma – both companies allegedly failed to validate SSL certificates, thereby undermining the benefits of encrypted SSL communications.
5. Segment your network and monitor who’s trying to get in and out:
DSW – allegedly did not appropriately restrict computers on in-store networks from connecting to computers on corporate networks or networks at other stores; and
Dave and Buster’s and CardSystems Solutions – both companies allegedly failed to implement reasonable measures (e.g., intrusion detection systems) to detect unauthorized access to their networks.
6. Secure remote access to your network:
Premier Capital Lending – allegedly failed to adequately evaluate a business client’s security practices before granting the client remote access to its network;
Settlement One – allegedly granted clients access to an online portal without first ensuring that these clients had implemented basic security measures, such as firewalls and updated antivirus software;
LifeLock – allegedly failed to install antivirus software on computers used to remotely access its network; and
Dave and Buster’s – allegedly failed to restrict third-party access rights.
7. Apply sound security practices when developing new products:
MTS, HTC America, and TRENDnet – allegedly did not train their employees in secure coding practices, which led to security vulnerabilities in software;
HTC America, Fandango, and Credit Karma – allegedly did not follow security guidelines issued by platforms, such as those contained in the iOS and Android guidelines for developers;
TRENDnet – allegedly failed to test a feature that purportedly rendered camera feeds private; and
Guess? – allegedly failed to test its web application for Structured Query Language injection attacks, a commonly known and reasonably foreseeable vulnerability.
8. Make sure your service providers implement reasonable security measures:
GMR Transcription – allegedly failed to require service providers to implement reasonable security measures, such as encrypting sensitive data; and
Upromise – allegedly failed to verify whether a toolbar developed by a service provider collected information consistent with Upromise’s privacy disclosures.
9. Put procedures in place to keep your security current and address vulnerabilities that may arise:
TJX Companies – allegedly failed to update its antivirus software within a reasonable timeframe;
HTC America – allegedly failed to implement processes for receiving and responding to reports of security vulnerabilities; and
Fandango – allegedly did not have effective processes in place for receiving and responding to security vulnerabilities.
10. Secure paper, physical media, and devices:
Gregory Navone – allegedly left boxes of sensitive consumer information unprotected in his garage;
LifeLock – allegedly left faxes containing consumers’ personal information in easily accessible areas;
Accretive and CBR Systems – allegedly failed to prevent personal information from being transported without adequate security measures, making the information vulnerable to theft; and
Rite Aid, CVS Caremark, and Goal Financial – allegedly disposed of sensitive information without rendering the information unreadable.
The FTC will be addressing its data security recommendations at two conferences this fall. The first of these conferences will occur in San Francisco on September 9th and will focus on security considerations for start-ups and developers. The second event will take place in Austin on November 5th; the focus of the Austin event has yet to be announced. The events will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response. They will be free, open to the public, and will not require pre-registration.
Authored by James Denvil and Brian Kennedy