The French movie classic “The Wages of Fear” — remade in 1977 as “The Sorcerer” by American director William Friedkin — was a taut thriller about a team of toughs transporting a payload of volatile nitroglycerine to a remote location in South America. They meet with hazards along the way: a rope bridge hanging by a thread over a flood-swollen river, a boulder blocking a twisted mountain path, and a stretch of road so pot-holed it’s called “The Washboard.”
The connection to your business’ approach to data security might not seem readily apparent, but if you have sensitive personal information on your network or in your files, there’s an analogy to draw. Just as your driving habits would change if you were behind the wheel with a trunk full of nitro, so must you adjust your company’s practices, given the sensitivity of the information in your possession.
That’s one of the principles illustrated in the FTC’s settlement with Ceridian Corporation. Ceridian provides payroll processing and other HR services to business customers. One product, Powerpay, is a web-based system small businesses can use to collect and store employee data — for example, names, addresses, email addresses, phone numbers, Social Security numbers, dates of birth, and direct deposit bank account numbers — to automate their payroll processing.
Certainly, Ceridian was aware of the sensitivity of the data involved. According to its own contracts, “When managing employee health and payroll data, security is paramount with Ceridian. Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.”
But as the FTC’s lawsuit alleges, Ceridian engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for the personal data it collected and maintained. Specifically, the FTC charged that the company:
- stored personal information in easy-to-read text;
- created unnecessary risks by storing it indefinitely on its network without a business need;
- didn’t adequately assess the vulnerability of its web applications and network to commonly known or reasonably foreseeable risks, like SQL injection attacks;
- didn’t implement readily available free or low-cost defenses; and
- failed to employ reasonable measures to detect and prevent unauthorized access.
As a result, says the FTC, hackers exploited those failures by mounting an SQL injection attack on the Powerpay site and web app, making off with the personal data of close to 28,000 employees of Ceridian’s small business customers, including in some cases their Social Security numbers, bank account info, and dates of birth. To settle the case, Ceridian has agreed to put in place a comprehensive information security program, including independent third-party security audits every other year for the next 20 years.
What do savvy marketers take from the FTC’s law enforcement action?
Staying socially secure. Of course, businesses want to take care with all data in their possession, but some information — Social Security numbers, for example — up the ante when it comes to protection. Unscrambling the egg when ID thieves get a hold of, say, credit card numbers can be tough enough: reams of paperwork disputing unauthorized charges and hours on the phone straightening out accounts. But when what’s at stake are Social Security numbers, the consequences can follow victims for the rest of their lives. OK, maybe SSNs aren’t unstable nitroglycerine on a desolate mountain road, but don’t tell that to people whose lives have been turned upside down by identity theft involving their Social Security number.
Prune the low-hanging fruit. Hackers will be with us always. So our job is to make their job as hard as possible. Many of the precautions that can boost the security of your network are readily available at low or even no cost. One simple step: Contact your software vendors for patches to address new threats. Make it a recurring appointment on your calendar to check with them for updates. In addition, many programs will go ahead and install urgent security patches and other fixes if your IT staff enables the “automatic updates” feature.
CERT-ainly safer. Part of the Department of Homeland Security, US-CERT (the United States Computer Emergency Readiness Team) provides response support and defense against cyber attacks and shares information with government and industry. US-CERT’s Reading Room offers a wealth of free resources for businesses of all sizes. Not the tech type? US-CERT’s got you covered, conveniently dividing materials into non-technical categories for busy executives and technical data for IT professionals. For example, their site offers step-by-step advice on protecting your network from an SQL injection attack and other common threats.
Next: More FTC law enforcement dealing with data security