FTC Continues Education, Enforcement Efforts to Promote Information Security

Securing the nation’s information systems is a challenging task for consumers and small businesses, according to Federal Trade Commission testimony. Addressing the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform, FTC Consumer Protection Bureau Director Howard Beales discussed the challenges consumers and businesses face in protecting their computer systems and the information contained in them. He also described the FTC’s efforts to address concerns about computer security through a combined approach that includes educating consumers and businesses about emerging threats and the fundamental importance of good security practices; targeted law enforcement actions; and international cooperation.

“Today, maintaining the security of our computer-driven information systems is essential,” Beales said. He noted that consumers rely on computers at home and at work, with technology advancing on a daily basis. At the same time, this technology can create serious vulnerabilities that can threaten both the security of the information stored and the viability of the systems themselves.

The testimony explains the FTC’s broad educational campaign for consumers and businesses, including several workshops held to educate the agency and the public about information security-related issues. Beales noted that the Commission had hosted a two-session workshop during May and June of 2003 to examine the challenges consumers and businesses face in securing their computers as well as the role, and limitations, of technology in meeting those challenges. The testimony also mentions a recent Commission workshop on “spyware,” software that is loaded on personal computers without users’ consent to monitor users’ computing habits.

Beales also discussed the FTC’s information security initiative, which has for several years educated consumers and businesses about information security and the precautions they can take to protect and minimize risks to personal information. The initiative’s Web site, www.ftc.gov/infosecurity, features “Dewie the e-Turtle” – the FTC’s information security mascot – and is one of the FTC’s most popular Web sites. The testimony states that the FTC staff has also worked with Congress and other government agencies and information security organizations to broaden its education campaign, and issued many consumer alerts, including several on “phishing,” a high-tech scam that uses spam to deceive consumers into disclosing sensitive personal information. The testimony further discusses the FTC’s active international role in promoting cyber security, through partnerships with the Organization for Economic Cooperation and Development (OECD), the Asian Pacific Economic Cooperation forum, the United Nations, the TransAtlantic Business and Consumer Dialogues, the Global Business Dialogue on Electronic Commerce, and bilateral government partners in Asia and the European Union.

Beales noted that, even when consumers take the necessary precautions, their personal information may be unprotected if the businesses they deal with fail to implement safeguards. Therefore, the FTC takes law enforcement action, where appropriate, against companies that misrepresent their security. The security cases brought by the FTC thus far illustrate several important principles: (1) security procedures should be appropriate under the circumstances; (2) not all security breaches are violations of FTC law; (3) there can be law violations without a known breach of security; and (4) good security is an ongoing process of assessing risks and vulnerabilities.

Finally, the testimony also discusses the Commission’s enforcement authority under the Gramm-Leach-Bliley Safeguards Rule, which requires financial institutions under the FTC’s jurisdiction to develop and implement appropriate safeguards – including a written information security plan – to protect customer information.

“Security presents challenges for everyone in our global information-based economy, but particularly for consumers and small businesses,” Beales concluded. “The Commission is committed to continuing its work promoting security awareness and sound information practices through education, enforcement, and international cooperation.”

The Commission vote to approve the testimony was 4-0-1, with Commissioner Mozelle W. Thompson recorded as abstaining.

Copies of the testimony are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1 877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

(FTC File No. P034806)