Written by: Susie Kenerson, CIPP/US Compliance Privacy Officer at CSR Privacy Solutions, Inc.
The Federal Trade Commission (FTC) recently announced a settlement by Consent Order entered into with a Utah company, following its investigation of repeated malicious, unauthorized access to the company’s server and to its distributors’ website portals, which contain personal information, including sensitive personal information, of the company’s consumers and its distributors’ consumers.
The draft Complaint presented by the FTC in this matter contains allegations against the company for failure to provide adequate protections of personal information and security of the systems that hold the data. The important shortfalls alleged in the draft Complaint include:
The unauthorized intrusion into the company’s server and access to the company’s distributors’ website portals resulted in multiple exposures in which the intruder was able to view, access, acquire and delete files. The access went undetected for a period of almost 2 years.
The intruder was able to access and retrieve sensitive personal information, including old, unaccounted-for information the company did not know existed. The draft Complaint claims the intrusions were not detected because the company lacked technical safeguards to monitor for external intrusions.
The breached company had to expend unexpected time and expense in responding to the breach incident, including retaining legal counsel, hiring security experts to investigate the breach incidents, identifying affected distributors and consumers, completing breach notifications to regulators (payment card networks, banks, credit reporting agencies, law enforcement, state regulators) and to its distributors and end consumers, and responding to consumer complaints.
In addition, the Consent Order’s provisions, which span a 20-year compliance period, include:
Equally important to note, the process of getting back to pre-breach status may only add to the unexpected time and expense. A breach incident, or multiple incidents, that occurs because a company fails to adequately protect and secure the personal information it maintains increases the likelihood that the company will experience future loss of revenue, loss of new or existing business contracts, or damage to its reputation. As alleged in the FTC’s draft Complaint, “[d]istributors and end consumers had no way of independently knowing about Respondents’ security failures and could not reasonably have avoided possible harms from such failures.” (¶ 26, FTC’s draft Complaint)
As referenced in the FTC’s draft Complaint, the alleged failures of this company could have been remedied by “implementing readily available and relatively low-cost security measures.” (¶ 11, FTC’s draft Complaint)
CSR Privacy Solutions, Inc. offers these very remedies for small to medium-sized businesses (SMBs). CSR Readiness® Pro is an award-winning bundle of privacy solutions that businesses use to mitigate the risk of a data breach and the consequences of non-compliance in the handling of legally protected personal information.
CSR Readiness delivers a PROACTIVE solution, enabling small to medium-sized businesses (SMBs) to assess their current data protections, privacy policies, procedures, processes and information security programs. Upon completing the assessment, they are presented with suggested improvements for the areas the program identifies as deficient, such as personal information management, digital data security, physical data security, record retention, incident response planning, and access and authorization levels. CSR Readiness would be beneficial for a company such as the one named in the FTC action, to ensure that all necessary and legally required protections and security are in place to detect and prevent unauthorized access to its data.
Even with all protections in place, companies may still suffer a data breach. When this happens, CSR’s Breach Reporting Service is the REACTIVE solution that provides privacy reporting for the SMB community. In addition, CSR offers its newest product, CSR-V3, an automated vendor privacy risk reduction tool that documents vendor management, verification and validation due diligence.