Failing To Provide Adequate Safeguards Is Costly and Time-Consuming
Consent Order | FTC settlement | Personal Information | Unauthorized access

Written by: Susie Kenerson, CIPP/US Compliance Privacy Officer at CSR Privacy Solutions, Inc.

The Federal Trade Commission (FTC) recently announced a settlement by Consent Order entered into with a Utah company, following the investigation of malicious, unauthorized access on multiple occasions to the company’s server and its distributors’ website portals which contain personal information, including sensitive personal information, of the company’s consumers and its distributors’ consumers.

What was alleged?

The draft Complaint presented by the FTC in this matter contains allegations against the company for failure to adequately protect personal information and to secure the systems that hold the data. The important shortfalls alleged in the draft Complaint include:

  • Failure to have processes for data inventory and disposal of old data
  • Failure to conduct sufficient risk assessments
  • Failure to have measures in place to limit or detect malicious uploads throughout its network
  • Failure to segment the company’s network
  • Failure to implement safeguards of the information systems
  • Failure to encrypt/pseudonymize stored sensitive personal information such as Social Security numbers and financial account information

The unauthorized intrusion into the company’s server and access to the company’s distributors’ website portals resulted in multiple exposures in which the intruder was able to view, access, acquire and delete files. The access went undetected for almost 2 years.

The intruder was able to access and retrieve sensitive personal information, including old, unaccounted-for information the company did not know existed. The draft Complaint claims the intrusions were not detected because the company lacked technical safeguards to monitor for external intrusions.

Recovery and adherence to Consent Order provisions is time-consuming and costly.

The breached company had to expend unexpected time and expense in responding to the breach incident, including engaging legal counsel, hiring security experts to investigate the breach incidents, identifying affected distributors and consumers, completing breach notifications to regulators (payment card networks, banks, credit reporting agencies, law enforcement, state regulators) and to its distributors and end consumers, and responding to consumer complaints.

In addition, the Consent Order provisions span a 20-year adherence timeframe and include:

  • implementing a written, comprehensive information security program for the protection of personal information and the security of the company’s systems;
  • obtaining an information security assessment by an independent third party every 2 years;
  • distributing the Consent Order to the necessary executives and employees of the company and obtaining acknowledgements from each;
  • annually submitting a certified report to the FTC detailing compliance with the Consent Order requirements;
  • notifying the FTC of any breach incident that has been reported to federal, state or local regulators;
  • meeting strict requirements for internal recordkeeping; and
  • adhering to ongoing compliance monitoring by the FTC.

Equally important to note, the process of getting back to pre-breach status may only increase the unexpected time and expense. A breach incident, or multiple incidents, that occurs because a company fails to adequately protect and secure the personal information it maintains increases the likelihood that the company will experience future loss of revenue, loss of new or existing business contracts, or damage to its reputation. As alleged in the FTC’s draft Complaint, “[d]istributors and end consumers had no way of independently knowing about Respondents’ security failures and could not reasonably have avoided possible harms from such failures.” (¶ 26, FTC’s draft Complaint)

Lessons Learned

As referenced in the FTC’s draft Complaint, the alleged failures of this company could have been remedied by “implementing readily available and relatively low-cost security measures.” (¶ 11, FTC’s draft Complaint)

CSR Privacy Solutions, Inc. offers these very remedies for small to medium-sized businesses (SMBs). CSR Readiness® Pro is an award-winning bundle of privacy solutions that businesses use to mitigate the risk of a data breach and the consequences of non-compliance in the handling of legally protected personal information.

CSR Readiness delivers a PROACTIVE solution, enabling SMBs to assess their current data protections, privacy policies, procedures, processes and information security programs. Upon completing the assessment, they are presented with suggested improvements for areas the program identifies as deficient, such as personal information management, digital data security, physical data security, record retention, incident response planning, and access and authorization levels. CSR Readiness would be beneficial for a company such as the one named in the FTC action, to ensure all necessary and legally required protections and security are in place to detect and prevent unauthorized access to its data.

Even with all protections in place, companies may still suffer a data breach. When this happens, CSR’s Breach Reporting Service is the REACTIVE solution that provides privacy reporting for the SMB community. In addition, CSR offers its newest product, CSR-V3, an automated vendor privacy risk reduction tool that documents vendor management, verification and validation due diligence.
