In its first move against a social networking site, the US Federal Trade Commission published a press release yesterday announcing a settlement over privacy violations on Twitter. In the release the FTC used very strong language, making its intention to protect the privacy of Americans very clear.
“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, Director of the FTC’s Bureau of Consumer Protection. Hallelujah! As the Twitter case makes clear, information protection has many aspects: it is not enough to put administrative pages behind a password gate; the access control measures in front of them must actually be effective.
One incident that led to this investigation occurred early last year, when a malicious hacker calling himself Hacker Croll guessed administrative passwords on Twitter and proceeded to compromise accounts belonging to President Obama and Britney Spears. He also gained access to PayPal, iTunes, and sensitive financial documents belonging to Twitter and its staff members. The fact that Twitter employees used the same passwords for administrative accounts on the service as they did for personal surfing only compounded the problem.
The FTC has barred Twitter from making misleading statements to its users regarding privacy and security until 2030, and will require independent audits of its IT security and control procedures every other year through 2020.
The FTC also announced yesterday that it had accepted a settlement agreement with the US entertainment chain Dave and Buster’s. Dave and Buster’s was one of the victim companies in the credit card thefts primarily associated with the TJX corporation. Albert Gonzalez was convicted of the crime and sentenced to 20 years plus one day, but the FTC felt that Dave and Buster’s had not met its obligations to protect customer information and bore responsibility as well.
As with Twitter, the commission is requiring Dave and Buster’s to submit to independent audits every other year until 2020. I suppose they are letting them off slightly easier by not requiring them to change their messaging to customers of the establishment, as they did with Twitter. The most damning part of the information released by the FTC was that Dave and Buster’s had not used “readily available security measures” to protect consumer information. This included not using encryption on their WiFi networks while using those same networks to transport credit card data. Over 130,000 cards were compromised as a result of this attack.
I preach this all too often, but simply applying a minimum amount of security to demonstrate that you tried to protect customer information is not enough. I am pleased to see the FTC taking strong action and making very clear statements about its expectations for the protection of Americans’ privacy, security and identity.
Is your company performing regular security audits? Now might be an excellent time to review your policies regarding sensitive information.