The French movie classic “The Wages of Fear” — remade in 1977 as “The Sorcerer” by American director William Friedkin — was a taut thriller about a team of toughs transporting a payload of volatile nitroglycerine to a remote location in South America.  They meet with hazards along the way:  a rope bridge hanging by a thread over a flood-swollen river, a boulder blocking a twisted mountain path, and a stretch of road so pot-holed it’s called “The Washboard.”

The connection to your business’ approach to data security might not seem readily apparent, but if you have sensitive personal information on your network or in your files, there’s an analogy to draw.  Just as your driving habits would change if you were behind the wheel with a trunk full of nitro, so must you adjust your company’s practices, given the sensitivity of the information in your possession.

That’s one of the principles illustrated in the FTC’s settlement with Ceridian Corporation.  Ceridian provides payroll processing and other HR services to business customers.  One product, Powerpay, is a web-based system small businesses can use to collect and store employee data — for example, names, addresses, email addresses, phone numbers, Social Security numbers, dates of birth, and direct deposit bank account numbers — to automate their payroll processing.

Certainly, Ceridian was aware of the sensitivity of the data involved.  According to its own contracts, “When managing employee health and payroll data, security is paramount with Ceridian. Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.”

But as the FTC’s lawsuit alleges, Ceridian engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for the personal data it collected and maintained.  Specifically, the FTC charged that the company:

  • stored personal information in easy-to-read text;
  • created unnecessary risks by storing it indefinitely on its network without a business need;
  • didn’t adequately assess the vulnerability of its web applications and network to commonly known or reasonably foreseeable risks, like SQL injection attacks;
  • didn’t implement readily available free or low-cost defenses; and
  • failed to employ reasonable measures to detect and prevent unauthorized access.

As a result, says the FTC, hackers exploited those failures by mounting an SQL injection attack on the Powerpay site and web app, making off with the personal data of close to 28,000 employees of Ceridian’s small business customers, including in some cases their Social Security numbers, bank account info, and dates of birth.  To settle the case, Ceridian has agreed to put in place a comprehensive information security program, including independent third-party security audits every other year for the next 20 years.
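To make the "readily available free or low-cost defenses" point concrete, here is an added example (not from the post and not Ceridian's code) contrasting a payroll lookup built by string concatenation, the pattern behind SQL injection, with the same lookup using a bound parameter plus an allow-list check on the identifier. The employee records and the customer names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample records standing in for payroll data; not real people or customers.
EMPLOYEES = [
    ("acme", "Alice Example", "000-00-0001"),
    ("acme", "Bob Example", "000-00-0002"),
    ("globex", "Carol Example", "000-00-0003"),
]

# Customer identifiers are expected to be short slugs; anything else is rejected up front.
CUSTOMER_ID = re.compile(r"^[a-z0-9_-]{1,32}$")


def make_db():
    """Build an in-memory table holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (customer TEXT, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def lookup_vulnerable(conn, customer):
    """The weak pattern: user-supplied text is spliced into the SQL, so it can
    change the meaning of the WHERE clause instead of only supplying a value."""
    sql = "SELECT name, ssn FROM employees WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, customer):
    """The low-cost defense: validate the identifier against an allow-list, then
    pass it as a bound parameter so the database only ever treats it as data."""
    if not CUSTOMER_ID.match(customer):
        raise ValueError("invalid customer identifier")
    sql = "SELECT name, ssn FROM employees WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def compare(customer):
    """Return (rows from vulnerable lookup, rows from hardened lookup or None
    if the hardened version rejected the input) for one input value."""
    conn = make_db()
    vulnerable_rows = lookup_vulnerable(conn, customer)
    try:
        hardened_rows = lookup_hardened(conn, customer)
    except ValueError:
        hardened_rows = None
    return vulnerable_rows, hardened_rows
```

For a well-formed identifier both lookups return the same rows; for input containing quotes or SQL operators the concatenated query can return every customer's records, while the hardened version rejects the input before it reaches the database.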

What do savvy marketers take from the FTC’s law enforcement action?

Staying socially secure.  Of course, businesses want to take care with all data in their possession, but some information — Social Security numbers, for example — ups the ante when it comes to protection.  Unscrambling the egg when ID thieves get hold of, say, credit card numbers can be tough enough: reams of paperwork disputing unauthorized charges and hours on the phone straightening out accounts.  But when what’s at stake are Social Security numbers, the consequences can follow victims for the rest of their lives.  OK, maybe SSNs aren’t unstable nitroglycerine on a desolate mountain road, but don’t tell that to people whose lives have been turned upside down by identity theft involving their Social Security number.

Prune the low-hanging fruit.  Hackers will be with us always.  So our job is to make their job as hard as possible.  Many of the precautions that can boost the security of your network are readily available at low or even no cost.  One simple step: Contact your software vendors for patches to address new threats.  Make it a recurring appointment on your calendar to check with them for updates.  In addition, many programs will go ahead and install urgent security patches and other fixes if your IT staff enables the “automatic updates” feature.

CERT-ainly safer.  Part of the Department of Homeland Security, US-CERT (the United States Computer Emergency Readiness Team) provides response support and defense against cyber attacks and shares information with government and industry.  US-CERT’s Reading Room offers a wealth of free resources for businesses of all sizes.  Not the tech type?  US-CERT’s got you covered, conveniently dividing materials into non-technical categories for busy executives and technical data for IT professionals.  For example, their site offers step-by-step advice on protecting your network from an SQL injection attack and other common threats.
