By: James K. Paulick, Esq.
A recent cybersecurity and privacy enforcement by the FTC against a large online merchandise company reveals the FTC’s (Federal Trade Commission) focal points in the areas of cybersecurity and data privacy. Fortunately for everyone getting to read about the enforcement, and unfortunately for the merchandise company, a very high number of violations were noted. A review of the highlights of this enforcement is literally a peak into the FTC’s playbook to help your company devise a workable plan to reduce liability exposure. The FTC found both cybersecurity vulnerabilities as well as privacy-related issues.
On the cybersecurity side, the FTC’s findings create a roadmap of what companies should have in place to protect from data breaches. The online merchandise company, according to the FTC, lacked the following:
- No intrusion detection system in place.
- Patches not applied for well-known system vulnerabilities.
- Social security numbers stored in plain text.
- Using password-hashing algorithms that were deprecated by the NIST (National Institute of Standards and Technology) back in 2011.
- Failed to implement a process for receiving and addressing security vulnerability reports from third-party researchers, academics, or other members of the public – thereby delaying its opportunity to correct discovered vulnerabilities.
- Used obsolete versions of database and webserver software that no longer received patches.
- Poor password policies, i.e., did not require complex passwords, permitted the use of the same word or phrase for both username and password, and allowed common dictionary words.
- Lack of data retention policies and Personally Identifiable Information was stored indefinitely with no business need.
As a result of these lax security implements, a hacker exploited vulnerabilities and obtained more than 180,000 unencrypted social security numbers, millions of unencrypted names, physical addresses, security questions and answers, etc.
On the privacy side, the FTC noted the following problems:
- The company’s website stated, at the point of collection, that their collection of customers’ email addresses is only for “order notification and receipt” when in fact the submission of one’s email would result in receiving marketing information.
- The same email form submission contained a checkbox to “opt in” to deals and promotions, i.e. marketing, but even if you left it unchecked, the individual would still receive marketing material.
- The company took months to notify individuals that their personal information had been breached, and many individuals had their accounts stolen, and because of the lax policies on the use of complex passwords and outdated hashing techniques, the encrypted passwords that were released in the breach were able to be decrypted.
The FTC charged them with:
- Data Security Misrepresentations
- Response to Data Security Incident Misrepresentations
- Unfair Data Security Practices
- Data Collection and Use Misrepresentation
- Misrepresentation Relating to Privacy Shield Frameworks
- Misrepresentation Relating to Deletion of Consumer Data
- Unfair Withholding of Payable Commissions After Security Breach.
Particularly, their promises to abide by the principles in the Privacy Shield Framework, their failure to delete data when they received requests from individuals requesting data/account deletion, and their failure to maintain adequate security protections. As the FTC has done in the past, it found an “unfair act or practice” by failing to employ “reasonable data security measures to protect personal information”. This is an important reminder that despite what your company states in its written policies, if you don’t have reasonable security measures to protect personal data, the FTC will consider such practices to be unfair or deceptive if you have a data breach. If your company’s officers ever wonder why your information security officer is requiring complex passwords, encryption and multi-factor authentication, this enforcement case exemplifies this need. If complex passwords were used with modern hashing, it is likely that the encrypted passwords that were breached could not have been decrypted. If multi-factor authentication was employed, even if the passwords were decrypted, it is unlikely that the nefarious actors could have logged in. Finally, if this data had been encrypted at rest, and only individuals with proper authority and access could decrypt the data, it would have been far more difficult for the hackers to have gained anything useful from the breach.
For more information or assistance with reviewing data privacy and cybersecurity policies, please contact James K. Paulick. Jim co-leads the Data Privacy & Cybersecurity Group, part of Leech Tishman’s Corporate Practice Group. He is also the co-host of Leech Tishman’s Data Privacy LawTalk Podcast. He can be reached at 412.261.1600 or firstname.lastname@example.org.
Leech Tishman’s Facebook Page: https://www.facebook.com/leechtishman
Leech Tishman’s Twitter: https://twitter.com/LeechTishman
Leech Tishman’s Company Page on LinkedIn: https://www.linkedin.com/company/leech-tishman
Leech Tishman Fuscaldo & Lampl is a full-service law firm dedicated to assisting individuals, businesses, and institutions. Leech Tishman offers legal services in business restructuring & insolvency, corporate matters, employment & labor, estates & trusts, intellectual property, litigation & alternative dispute resolution, and real estate. In addition, the firm offers a wide range of legal services to clients in the aviation & aerospace, cannabis, construction, energy & natural resources, healthcare, and hospitality industries. Headquartered in Pittsburgh, PA, Leech Tishman also has offices in Chicago, Los Angeles, New York, Philadelphia, Sarasota, and Washington, D.C.