In the Life Is Good case, the Federal Trade Commission recently provided clear guidelines that it expects all websites to follow. If you don't, you might be on the receiving end of an FTC enforcement action, too.

In addition, the Federal Trade Commission (FTC) continues to aggressively file suits for security violations under Section 5 of the FTC Act, which prohibits unfair or deceptive practices.

A good example is the enforcement action brought by the FTC against Life Is Good for failure to implement reasonable and appropriate data security measures. This case is significant because the FTC expects all sites to follow the guidelines provided in the settlement of the case.

Lifeisgood.com's Privacy Statement

Life Is Good collected sensitive consumer information, including names, addresses, credit card numbers, credit card expiration dates, and credit card security codes, through its website. Its privacy policy claimed: "We are committed to maintaining our customers' privacy. We collect and store information you share with us - name, address, credit card and phone numbers along with information about products and services you request. All information is kept in a secure file and is used to tailor our communications with you."

The FTC Claims

The FTC alleged that, contrary to its privacy policy, Life Is Good failed to provide reasonable and appropriate security for the sensitive consumer information stored on its computer network. Specifically, the FTC alleged that Life Is Good:

1. unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network, and by storing credit card security codes;
2. failed to assess adequately the vulnerability of its Web site and corporate computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks;
3. failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks;
4. failed to implement security measures that are available on the open market to monitor and control connections from the network to the Internet; and
5. failed to employ reasonable measures to detect unauthorized access to credit card information.

The Settlement

In its settlement with the FTC, announced in a press release dated January 17, 2008, Life Is Good agreed to implement the following 5 administrative, technical, and physical safeguards in the future. These 5 safeguards are 5 excellent tips -- delivered straight from the FTC -- that you should also follow:

1. Designate an employee or employees to coordinate the information security program.
2. Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place.
3. Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness.
4. Develop reasonable steps to select and oversee service providers that handle the personal information of customers.
5. Evaluate and adjust its information-security program to reflect the results of monitoring, any material changes to the company's operations, or other circumstances that may impact the effectiveness of its security program.

Conclusion

Sometimes form is as important as substance. What I mean is that how you do something, and the fact that you documented it at the time you actually did it, is sometimes just as important as the fact that you did it. The settlement safeguards in the Life Is Good case are a prime example. Simply having what you believe is a good data security program is one thing, but being able to document that you went through the steps outlined by the FTC is another.

The Life Is Good case points the way to what will work for data security. So, it's highly recommended that you set up a filing system that preserves your documentation and indicates that you went through these steps, and when you did it. Then set up a tickler to remind you to go through the steps on an annual basis.

We know that there is no data security program that is 100% safe from illegal intrusions. If you have an unfortunate data security breach, it's likely the FTC or a state regulator will come knocking at your door. That's why it's so important for you to be able to produce a file that clearly shows you implemented reasonable and appropriate data security measures in accordance with the FTC guidelines.

The future of your business may depend on it!