Security Flaw Allegedly Exposed Customers' Personal Information to Other Web Users
This is the agency’s fourth case targeting companies that misrepresent the security of consumers’ personal information. “In a fast moving world of electronic commerce, change is inevitable,” said Howard Beales, Director of the FTC’s Bureau of Consumer Protection. “Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities. Just as consumers remodeling their homes would make sure that the doors still have locks, companies should make sure that sensitive data is still protected.”
The settlement bars Tower from misrepresenting the extent to which it maintains and protects the privacy, confidentiality, or security of personal information collected from or about consumers. It also requires that Tower establish and maintain a comprehensive information security program. In addition, the company must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within six months, and every other year thereafter for a period of ten years. The settlement also contains record-keeping provisions to allow the FTC to monitor compliance.
The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through May 21, 2004, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
NOTE: A consent agreement is for settlement purposes only and does not constitute an admission of a law violation. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $11,000.
Copies of the complaint and consent agreement are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
(FTC File No. 032-3209)
Office of Public Affairs
Bureau of Consumer Protection