Over the past several years identity theft and financial fraud have
evolved into some of the fastest growing crimes in the world.
According to two studies conducted in 2003 by Gartner Research and
Harris Interactive, approximately 7 million people became victims of
identity theft from 2002 through 2003. It is likely that every person
reading this article has either been a victim of identity theft or
knows someone who has. In the past 24 months, my own credit cards were
included in the theft of data when a merchant was compromised and
someone attempted to steal my identity by other means. Since I work in
information security and specialize in regulatory compliance, I
consider this a particularly relevant example of how prevalent this
type of theft is becoming.
In an effort to reduce the threat to personally identifiable
information, both industry and government have taken steps to mandate a
baseline of protection that must surround sensitive data. Legislation
such as the Gramm-Leach-Bliley Act requires companies to perform risk
analyses and to enact protections that are commensurate with the
identified risks. Similarly, the card associations have required that
companies accepting credit card payments meet a minimum standard of
information security for the protection of credit card data.
The Federal Trade Commission (FTC) has made the protection of consumer
data a cornerstone of its mission. The FTC is charged with enforcing
the Safeguards and Privacy Rules of the Gramm-Leach-Bliley Act (GLBA).
The Safeguards Rule of the GLBA requires that companies that are
“significantly engaged” in providing financial products or services to
develop a written information security plan that describes how they
protect customer data. The Privacy Rule further requires that
companies engaged in financial services inform their customers of the
company’s policy for collecting, using, and sharing information. Over
the past year, several well-known companies have been fined and
penalized for operating in a manner that is inconsistent with their own
The FTC is also responsible for enforcing the Federal Trade Commission
Act (FTCA). The FTCA §5A charges the FTC with the prevention of “unfair
methods of competition in or affecting commerce and unfair or deceptive
acts or practices in or affecting commerce.” While the GLBA focuses
narrowly on the institutions that are involved with the provision of
financial services and products, the FTCA is much broader, allowing the
FTC jurisdiction over any person, partnership, or corporation. The FTC
can act, “Whenever the Commission shall have reason to believe that any
such person, partnership, or corporation has been or is using any
unfair method of competition or unfair or deceptive act or practice in
or affecting commerce, and if it shall appear to the Commission that a
proceeding by it in respect thereof would be to the interest of the
public.” In these terms, the FTC has determined that publishing a
privacy or safeguard statement that is inconsistent with the company’s
actual practices amounts to unfair or deceptive trade practices.
Personally Identifiable Information, or “PII”, can be defined as any
information that identifies or can be used to identify, contact, or
locate the person to whom such information pertains. This includes
information that is used in a way that is specific to an individual,
including linking it with identifiable information from other sources,
or from which other personally identifiable information can easily be
derived, including, but not limited to, name, address, phone number,
fax number, email address, financial profiles, social security number,
and credit card information. For the readers of this article, it is
important to note that personally identifiable information includes,
but is not limited to, credit card information.
While companies are not generally mandated by the FTC to publish
privacy or security policies online, companies in certain industries or
segments may be required to publish such policies. Examples may include
financial services companies or those who target children under the age
of 13. While it may not be specifically mandated for all companies to
publish privacy and security policies, the FTC strongly encourages
businesses to post their policies online. In fact, the FTC has
recommended legislation to Congress that would require all companies to
post such notices online.
Understanding the above, it becomes clear that the challenge arises
when companies post privacy notices (whether mandated or not) to
reassure their customers of the company’s efforts to protect their PII.
Again, privacy and security policies that are posted on websites must
accurately reflect the company’s actual privacy and security practices,
or the FTC may consider them deceptive trade practices. The
privacy policies inform the website visitor of what information will be
collected (name, address, etc.) and how the collected information will be used.
For example, the website may notify visitors that information
collected may be sold to a third party, or it may indicate that no
information will be shared outside the company.
In the past two years alone, several large retailers have been fined by
the FTC for violating their own security or privacy policies. These
companies were required to pay fines and in some cases must now submit
periodic reports on the state of their information security programs.
Even state-level actors have become involved in ensuring companies do
not act in a manner inconsistent with their own published policies.
The New York Attorney General took action against another large
retailer and online merchant for publishing a security statement
despite the fact that the company’s e-commerce site was vulnerable to
known exploits. These cases are all public record and can be found on
either the FTC’s or New York State Attorney General’s website.
The potential liability exists when companies cannot establish with
certainty that they are operating in a manner that is consistent with
their published policies, thus leaving them vulnerable to fines or
other penalties under the FTC’s enforcement of the Privacy or Safeguard
Rules of the GLBA or the FTCA §5A. Many companies publish statements
within their privacy policies that guarantee the safety of credit card
and other personal information that may be collected. In some cases,
though, the companies cannot verify that the statement is accurate. In
the cases mentioned above, such statements were published on the site
despite the fact that the site was vulnerable to commonly exploited
attacks such as SQL injection. For example, Company A may publish the
following within its Privacy Statement:
“We offer secure web pages to collect certain kinds of user information
and we store certain kinds of data in encrypted form. We follow
reasonable technical and management practices to help protect the
confidentiality, security and integrity of data stored on our system.
While no computer system is completely secure, we believe the measures
implemented by our web site reduce the likelihood of security problems
to a level appropriate to the type of data involved.”
If that company is then compromised using a well-known, common exploit
such as SQL injection, the FTC may find that the company was involved
in deceptive practices for not protecting against a common
vulnerability despite the statement that they follow “…reasonable
technical and management practices…”.
The companies targeted by the FTC may not have been attempting to
deceive their customers, but because they were unaware of their own
vulnerabilities, they were guilty of not adhering to their own
published policies. Had the companies been aware of the
vulnerabilities, they could have taken steps to correct them, and
therefore been compliant with their own policies.
Implications for Companies in Payment Services
Since the publication of the Visa CISP, MasterCard SDP, and Discover
DISC programs, most companies have been focused on achieving compliance
with the card associations’ requirements.
Unfortunately, complying with the card associations’ requirements does
not ensure compliance with the FTCA §5A. As stated previously, the
FTCA pertains to all personally identifiable information including, but
not limited to, credit card information. As the card associations’
requirements only focus on the protection of cardholder data, and
specifically account numbers, many companies may achieve compliance
with the card associations’ requirements while not adequately
protecting other PII such as names and addresses. Indeed, many
companies may be lured into a false sense of security through
compliance with the card associations’ requirements and may mistakenly
assume that they are not in violation of FTCA §5A or other relevant
regulations such as SB1386, or the GLBA, if applicable.
As industry and government continue to take a more active role in the
regulation and protection of PII, it is important for companies to
establish a practice of proactively identifying new requirements and
laws that may pertain to their particular industry or segment.
Understanding that this is a difficult and resource-intensive task, it
is likely a more palatable option to leverage the existing expertise of
information security companies. When looking for information security
companies to help your company secure its critical information and
systems, it is a good idea to select a company that specializes in
regulatory compliance and has experience helping companies achieve
compliance with card association requirements, government regulations
and similar mandatory security programs.