FTC Working to Protect Consumers and Businesses from Information Security Breaches

Government agencies, private industry, and consumers must work vigilantly together to safeguard information security and help create a “culture of security,” according to Federal Trade Commission testimony. Addressing the House Committee on Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, FTC Commissioner Orson Swindle today discussed the importance of preventing information security breaches and explained recent FTC actions against organizations believed to be committing privacy violations. He also discussed the FTC’s accomplishments in consumer education and its involvement in domestic and international cybersecurity initiatives.

“Today, maintaining the security of our computer-driven information systems is essential to every aspect of our lives,” Swindle said. He noted that consumers rely on computers at home and at work, with technology advancing on a daily basis. At the same time, this technology can create serious vulnerabilities that can threaten both the security of the information stored and the viability of the systems themselves.

The testimony explains that security breaches can occur for different reasons, specifying that the FTC’s cases have been based on deception. “The companies that have been subject to enforcement actions have made explicit or implicit promises that they would take appropriate steps to protect sensitive information obtained from consumers,” Swindle said. “Their security measures, however, proved to be inadequate; their promises, therefore, deceptive.” He stated that the FTC’s cases involving security breaches illustrate several important principles:

• Security procedures should be reasonable and appropriate under the circumstances. What is reasonable for a particular company will vary based, among other things, upon its size and complexity, the nature of its business, and the sensitivity of the information it collects.
   
• Not all security breaches are violations of FTC law. The FTC recognizes that security breaches sometimes can happen even when a company has taken every reasonable precaution.
   
• Some law violations can occur without a known breach of security. Because appropriate information security practices are necessary to protect consumers’ privacy, companies simply cannot wait for a breach to occur before they take action, particularly when they make explicit promises to consumers.
   
• Good security is an ongoing process of assessing risks and vulnerabilities. The risks companies and consumers confront change over time. “Hackers and thieves will adapt to whatever measures are in place, and new technologies likely will have new vulnerabilities waiting to be discovered,” Swindle said. Companies must assess risks they face on an ongoing basis and make constant adjustments to reduce those risks.

The testimony also discusses the Gramm-Leach-Bliley Safeguards Rule, which requires financial institutions under the FTC’s jurisdiction to develop and implement appropriate safeguards – including a written information security plan – to protect customer information. Each financial institution must: designate one or more employee(s) to coordinate the safeguards; identify and assess the risks to customer information in each relevant area of operation; design, implement, and regularly monitor a safeguards program; hire appropriate service providers and contract with them to implement safeguards; and evaluate and adjust the program in light of relevant circumstances. The testimony noted that the FTC has issued guidance to businesses to help them understand the Rule’s requirements.

The testimony further explains the FTC’s broad educational campaign for consumers and businesses, primarily the FTC Web site www.ftc.gov/infosecurity, featuring “Dewie the e-Turtle” – the FTC’s information security mascot. Swindle mentioned that the FTC recently has issued several consumer alerts on “phishing,” a high-tech scam that uses spam to deceive consumers into disclosing sensitive personal information. The FTC also has hosted numerous workshops, produced a video news release, and coordinated the information security-themed 2003 National Consumer Protection Week with a consortium of public- and private-sector organizations. Additionally, Swindle discussed a recent FTC case against Tower Direct, LLC, announced today, charging that a security flaw in the Tower Web site exposed customers’ personal information to other Internet users, violating federal law and Tower’s privacy policy.

Finally, the testimony discusses the FTC’s active international role in promoting cyber security. In January 2004, the FTC and 36 agencies from 26 countries worldwide launched “Operation Secure Your Server,” an international effort to reduce the flow of spam by urging organizations to close “open relays” and “open proxies.” The participating agencies identified tens of thousands of operators of open relay and proxy servers around the world and sent letters urging them to protect themselves from becoming unwitting sources of spam. Additionally, the FTC helped revise the Organization for Economic Cooperation and Development’s (OECD) “Guidelines for the Security of Information Systems and Networks,” which contain nine principles for establishing a “culture of security.” The FTC also is involved in work undertaken by the Asian Pacific Economic Cooperation forum, the United Nations, the TransAtlantic Business and Consumer Dialogues, the Global Business Dialogue on Electronic Commerce, and bilateral government partners in Asia and the European Union.

Swindle emphasized that developing a “culture of security” is a daunting task. “The FTC and other government agencies have a role to play, but the government cannot do this alone, nor should it try,” he said. The testimony states that the FTC is working with consumer groups, businesses, trade associations, and educators, and encouraging its global partners to do the same.

“Maintaining good security practices is a critical step in preventing these breaches and the resulting harms, which can range from major nuisance to major destruction,” Swindle said. “It is important to recognize one critical aspect of the global information-based economy – we are all in this together.”

The Commission vote to approve the testimony was 5-0.

Copies of the testimony are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1 877-382-4357), or use the complaint form at http://www.ftc.gov . The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.