Guidance Software agreed Thursday to settle Federal Trade Commission (FTC) charges that the computer forensics specialist did not take reasonable security measures to protect sensitive customer data.
The settlement requires Guidance to implement a comprehensive information security program, including independent, third-party audits every other year for the next ten years.
The company also will be subject to standard record keeping and reporting provisions to allow the FTC to monitor compliance.
The Pasadena, Calif.-based Guidance makes software that tracks down and collects information on network breaches.
The company’s EnCase product is used by law enforcement agencies, government investigators and Fortune 1000 companies to track down and investigate digital break-ins, as well as perform network and software audits.
According to the FTC, Guidance’s privacy policy included such statements as “[Guidance] takes every precaution to protect our users’ information” and “your information is protected both online and offline.”
Guidance also claimed users’ information was protected “with the best encryption software in the industry – SSL.”
The FTC complaint alleges that though Guidance employed SSL encryption, it stored the data in clear, readable text and did not adequately assess the vulnerability of its network to intrusions such as structured query language (SQL) injection attacks.
In addition, the FTC said Guidance failed to use readily available security measures to monitor and limit access from the corporate network to the Internet.
In September of last year, despite Guidance’s stated security policies, a hacker used SQL injection attacks against the company’s network to install common hacking programs.
Approximately 4,000 credit card numbers were taken in the attacks.
Guidance did not discover the hack until three months later; in the meantime, the hacker was able to access customer credit card numbers, expiration dates and security codes stored on the company’s network.
“In truth and in fact, [Guidance] did not implement reasonable and appropriate measures to protect sensitive personal information it obtained from customers against unauthorized access,” the FTC complaint states.
According to the FTC, Guidance’s failure to adhere to its own privacy policy constituted a deceptive trade act.
Guidance did not respond to telephone or e-mail requests for comment.