FTC Working to Protect Consumers and Businesses From Information Security Breaches

Government agencies, private industry, and consumers must work vigilantly together to safeguard information security and help create a “culture of security,” according to Federal Trade Commission testimony. Addressing the House Commerce, Trade, and Consumer Protection Subcommittee, FTC Commissioner Orson Swindle today discussed the importance of preventing information security breaches, explaining recent FTC actions against organizations believed to be committing privacy violations. He also discussed the FTC’s accomplishments in consumer education and its involvement in domestic and international cyber security initiatives.

“Today, maintaining the security of our computer-driven information systems is essential to every aspect of our lives,” Swindle said. He noted that consumers rely on computers at home and at work, with technology advancing on a daily basis. At the same time, this technology can create serious vulnerabilities that can threaten both the security of the information stored and the viability of the systems themselves.

The testimony explains that security breaches can occur for different reasons, specifying that the FTC’s cases have been based on deception. “The companies that have been subject to enforcement actions have made explicit or implicit promises that they would take appropriate steps to protect sensitive information obtained from consumers,” Swindle said. “Their security measures, however, proved to be inadequate; their promises, therefore, deceptive.” He stated that the FTC’s cases involving security breaches illustrate several important principles:

• Security procedures should be reasonable and appropriate under the circumstances. What is reasonable for a particular company will vary based, among other things, upon its size and complexity, the nature of its business, and the sensitivity of the information it collects.
  
  
• Not all security breaches are violations of FTC law. The FTC recognizes that security breaches sometimes can happen even when a company has taken every reasonable precaution.
  
  
• Some law violations can occur without a known breach of security. Because appropriate information security practices are necessary to protect consumers’ privacy, companies cannot simply wait for a breach to occur before they take action, particularly when they make explicit promises to consumers.
  
  
• Good security is an ongoing process of assessing risks and vulnerabilities. The risks companies and consumers confront change over time. “Hackers and thieves will adapt to whatever measures are in place, and new technologies likely will have new vulnerabilities waiting to be discovered,” Swindle said. Companies must assess risks they face on an ongoing basis and make constant adjustments to reduce those risks.

The testimony also discusses the Gramm-Leach-Bliley Safeguards Rule, which requires financial institutions under the FTC’s jurisdiction to develop and implement appropriate safeguards – including a written information security plan – to protect customer information. Each financial institution must: designate one or more employees to coordinate the safeguards; identify and assess the risks to customer information in each relevant area of operation; design, implement, and regularly monitor a safeguards program; hire appropriate service providers and contract with them to implement safeguards; and evaluate and adjust the program in light of relevant circumstances. The testimony noted that the FTC has issued guidance to businesses to help them understand the Rule’s requirements.

The testimony further explains the FTC’s broad educational campaign for consumers and businesses, primarily the FTC Web site www.ftc.gov/infosecurity, featuring “Dewie the e-Turtle” – the FTC’s information security mascot. The FTC also has hosted numerous workshops, produced a video news release, distributed Dewie postcards to college campuses nationwide, and coordinated the information security-themed 2003 National Consumer Protection Week with a consortium of public- and private-sector organizations.

Finally, the testimony discusses the FTC’s active international role in promoting cyber security, including helping to revise the Organization for Economic Cooperation and Development’s (OECD) “Guidelines for the Security of Information Systems and Networks,” which contains nine principles for establishing a “culture of security.” Commissioner Swindle headed the U.S. Delegation to the Experts Group that reviewed and revised existing OECD principles after the September 11, 2001 terrorist attacks. The FTC also is involved in work undertaken by the Asian Pacific Economic Cooperation forum, the United Nations, the TransAtlantic Business and Consumer Dialogues, the Global Business Dialogue on Electronic Commerce, and bilateral government partners in Asia and the European Union.

Swindle emphasized that developing a “culture of security” is a daunting task. “The FTC and other government agencies have a role to play, but the government cannot do this alone, nor should it try,” he said. The testimony states that the FTC is working with consumer groups, businesses, trade associations, and educators, and encouraging its global partners to do the same.

“Maintaining good security practices is a critical step in preventing these breaches and the resulting harms, which can range from major nuisance to major destruction,” Swindle said. “The critical lesson in this information-based economy is that we are all in this together.”

The Commission vote to approve the testimony was 5-0.

Copies of the testimony are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1 877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.