RealTime IT News

Feds Ding Data 'Dumpster'

WASHINGTON -- Some data protection cases are complex and difficult for the Federal Trade Commission (FTC) to prove.

Then there is the case of Nations Title Agency (NTA) and its parent company, Nations Holding Company (NHC).

The FTC claims that NHC, a real estate services firm with operations in 44 states, tossed consumer home loan applications in an unsecured dumpster. This was just one item on a laundry list of lax security practices the FTC lodged against the company, which had promised consumers that it maintained "physical, electronic and procedural safeguards" to protect their data.

The Kansas City-based NHC settled with the FTC Wednesday, agreeing to not misrepresent the extent of its data protection safeguards. The company also agreed to establish and maintain a comprehensive information security program subject to third-party audits for the next 20 years.

"Careless handling of consumers' sensitive financial information is an open invitation to identity thieves," said FTC Chairman Deborah Platt Majoras. "Enforcing the laws designed to protect consumers' sensitive financial data is a priority at the FTC."

According to the FTC complaint, NTA, NHC and its president, Christopher M. Likens, engaged in a number of lax security practices that, taken together, failed to provide reasonable and appropriate security to protect consumer data.

In addition to the dumpster incident, the FTC maintains NHC failed to assess risks to the data it collected and stored, both online and offline. The FTC also claims the company failed to implement "simple, low cost, readily available defenses to common Web site attacks."

Majoras noted the NHC case was the FTC's 13th case involving data security.

Keynoting a cybersecurity summit organized by the Progress and Freedom Foundation, Majoras said, "Although many of our data security cases emphasize high-tech security issues, this case serves as a reminder not only that securing high-tech data is essential, but that we cannot forget the low-tech."

Low tech or high tech, Majoras said the FTC's investigations have shown that data security has been "surprisingly lax" at a number of large companies.

"No one need worry the FTC is looking for 'perfect' security, or that we are developing a de facto strict liability standard for when a breach occurs, because the cases we have brought have not been close calls," she said.

Majoras' case in point was ChoicePoint, the national data broker that allowed identity thieves to obtain access to the personal information of more than 160,000 customers, including 10,000 consumer reports.

The FTC brought action against ChoicePoint claiming the company failed to use reasonable procedures to screen prospective subscribers and, as a result, put its consumer data at risk.

ChoicePoint settled with the FTC by agreeing to pay $10 million in civil penalties for violations of the Fair Credit Reporting Act and another $5 million in consumer redress for identity theft victims.

"Fortunately, the breach and the ensuing enforcement actions have pushed ChoicePoint to rethink its entire strategy on data security."

The FTC has also used the unfair practices section of the FTC Act to pursue cases against BJ's Wholesale Warehouse, DSW and CardSystems.

As in the NHC case, Majoras said, the three companies' security measures were found lacking.

"In each case, the FTC alleged that the companies engaged in a number of activities…that failed to provide reasonable security for sensitive consumer information," she said.

BJ's, which operates 150 discount stores and 78 gas stations in 16 states, agreed to change its security policies and to submit to independent audits every other year for 20 years.

National footwear discounter DSW and CardSystems, a credit card processor, agreed to similar settlements with the FTC.

"In each case, the security vulnerabilities we alleged were well known within the technology industry," Majoras said. "The companies left their digital doors open."

Majoras added that it is not the role of the FTC to "determine which type of lock to install on a door or which security program to install on a network."

That decision, she said, is up to each individual company, based on its own assessment of risks.

"Our cases recognize that security is an ongoing, individualized process and not a set of rigid standards," Majoras said. "This is not a game of 'cybersecurity gotcha.' We are not trying to catch companies with their digital pants down; rather, we are trying to encourage companies to put their data security defenses up."