Compliance Made Easy: Federal Trade Commission Act §5A: What you don’t know can hurt you

by Chris Mark

   Over the past several years identity theft and financial fraud have evolved into some of the fastest growing crimes in the world. According to two studies conducted in 2003 by Gartner Research and Harris Interactive, approximately 7 million people became victims of identity theft from 2002 through 2003. It is likely that every person reading this article has either been a victim of identity theft or knows someone who has. In the past 24 months, my own credit cards were included in the theft of data when a merchant was compromised and someone attempted to steal my identity by other means. Since I work in information security and specialize in regulatory compliance, I consider this a particularly relevant example of how prevalent this type of theft is becoming.
   In an effort to reduce the threat to personally identifiable information, both industry and government have taken steps to mandate a baseline of protection that must surround sensitive data. Legislation such as the Gramm-Leach-Bliley Act requires companies to perform risk analyses and to enact protections that are commensurate with the identified risks. Similarly, the card associations have required that companies accepting credit card payments meet a minimum standard of information security for the protection of credit card data.
   The Federal Trade Commission (FTC) has made the protection of consumer data a cornerstone of its mission. The FTC is charged with enforcing the Safeguards and Privacy Rules of the Gramm-Leach-Bliley Act (GLBA). The Safeguards Rule of the GLBA requires that companies “significantly engaged” in providing financial products or services develop a written information security plan that describes how they protect customer data. The Privacy Rule further requires that companies engaged in financial services inform their customers of the company’s policy for collecting, using, and sharing information. Over the past year, several well-known companies have been fined and penalized for operating in a manner that is inconsistent with their own published policies.
   The FTC is also responsible for enforcing the Federal Trade Commission Act (FTCA). The FTCA §5A charges the FTC with preventing “unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” While the GLBA focuses narrowly on the institutions that are involved with the provision of financial services and products, the FTCA is much broader, giving the FTC jurisdiction over any person, partnership, or corporation. The FTC can act “Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public.” Under these terms, the FTC has determined that publishing a privacy or safeguard statement that is inconsistent with the company’s actual practices amounts to an unfair or deceptive trade practice.
   Personally Identifiable Information, or “PII”, can be defined as any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. This includes information that is used in a way that is specific to an individual, including linking it with identifiable information from other sources, or from which other personally identifiable information can easily be derived, including, but not limited to, name, address, phone number, fax number, email address, financial profiles, social security number, and credit card information. For the readers of this article, it is important to note that personally identifiable information includes, but is not limited to credit card information.
   While companies are not generally mandated by the FTC to publish privacy or security policies online, companies in certain industries or segments may be required to publish such policies. Examples include financial services companies and those who target children under the age of 13. While it may not be specifically mandated for all companies to publish privacy and security policies, the FTC strongly encourages businesses to post their policies online. In fact, the FTC has recommended legislation to Congress that would require all companies to post such notices online.
   Understanding the above, it becomes clear that the challenge arises when companies post privacy notices (whether mandated or not) to reassure their customers of the company’s efforts to protect their PII. Again, privacy and security policies that are posted on websites must accurately reflect the company’s actual privacy and security practices, or the FTC may consider them deceptive trade practices. A privacy policy informs the website visitor of what information will be collected (name, address, etc.) and how the collected information will be used. For example, the website may notify visitors that information collected may be sold to a third party, or it may indicate that no information will be shared outside the company.
    In the past two years alone, several large retailers have been fined by the FTC for violating their own security or privacy policies. These companies were required to pay fines and in some cases must now submit periodic reports on the state of their information security programs. Even state-level actors have become involved in ensuring companies do not act in a manner inconsistent with their own published policies. The New York Attorney General took action against another large retailer and online merchant for publishing a security statement despite the fact that the company’s e-commerce site was vulnerable to known exploits. These cases are all public record and can be found on either the FTC’s or New York State Attorney General’s website.
   The potential liability exists when companies cannot establish with certainty that they are operating in a manner that is consistent with their published policies, leaving them vulnerable to fines or other penalties under the FTC’s enforcement of the Privacy or Safeguards Rules of the GLBA or the FTCA §5A. Many companies publish statements within their privacy policies that guarantee the safety of credit card and other personal information that may be collected. In some cases, though, the companies cannot verify that the statement is accurate. In the cases mentioned above, such statements were published despite the fact that the sites were vulnerable to commonly exploited SQL injection attacks. For example, Company A may publish the following within its Privacy Statement:
    “We offer secure web pages to collect certain kinds of user information and we store certain kinds of data in encrypted form. We follow reasonable technical and management practices to help protect the confidentiality, security and integrity of data stored on our system. While no computer system is completely secure, we believe the measures implemented by our web site reduce the likelihood of security problems to a level appropriate to the type of data involved.”
    If that company is then compromised using a well-known, common exploit such as SQL injection, the FTC may find that the company was involved in deceptive practices for not protecting against a common vulnerability despite the statement that they follow “…reasonable technical and management practices…”
    The companies targeted by the FTC may not have been attempting to deceive their customers, but because they were unaware of their own vulnerabilities, they were guilty of not adhering to their own published policies. Had the companies been aware of the vulnerabilities, they could have taken steps to correct them, and therefore been compliant with their own policies.
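To make the “well-known, common exploit” concrete, the following is an added example (not code from the article or from any company it mentions) showing the kind of defect that turned a published security statement into a liability. It builds an in-memory SQLite table of constructed customer records, queries it once with user input spliced into the SQL text and once with a parameterized query, and shows that the classic `' OR '1'='1` input dumps every customer’s name and address from the first form while the second returns nothing. The table name, column names and sample rows are assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a merchant's PII store.
# All names, addresses and credentials are invented for this example.
SAMPLE_ROWS = [
    ("alice", "s3cret", "Alice Example", "1 Main St"),
    ("bob", "hunter2", "Bob Example", "2 Oak Ave"),
]


def build_db():
    """Create an in-memory database with a hypothetical 'customers' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers "
        "(username TEXT, password TEXT, name TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username, password):
    """The injectable pattern: user input is concatenated into the SQL text,
    so a quote in the input changes the structure of the statement."""
    sql = (
        "SELECT name, address FROM customers "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username, password):
    """The corrected form: a parameterized query. The driver passes the input
    as bound values, so it can never be interpreted as SQL."""
    sql = (
        "SELECT name, address FROM customers "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run both lookups against the same attacker input and a legitimate login."""
    conn = build_db()
    # Attacker-controlled "password": closes the string literal and appends a
    # predicate that is always true. In the vulnerable query this becomes
    #   ... AND password = '' OR '1'='1'
    # and AND binds tighter than OR, so every row matches.
    inject = "' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, "nobody", inject),  # all rows leak
        "hardened": lookup_hardened(conn, "nobody", inject),      # no rows
        "legit": lookup_hardened(conn, "alice", "s3cret"),        # one row
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10s} -> {rows}")
```

The vulnerable function is exactly what a routine pre-deployment review or a vulnerability scan would flag; a company that publishes a “reasonable technical and management practices” statement while shipping the first form has no way to verify that the statement is true.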

Implications for Companies in Payment Services

   Since the publication of the Visa CISP, MasterCard SDP, and Discover DISC programs, most companies have been focused on achieving compliance with the card associations’ requirements. Unfortunately, complying with the card associations’ requirements does not ensure compliance with the FTCA §5A. As stated previously, the FTCA pertains to all personally identifiable information, including, but not limited to, credit card information. Because the card associations’ requirements focus only on the protection of cardholder data, and specifically account numbers, many companies may achieve compliance with those requirements while not adequately protecting other PII such as names and addresses. Indeed, many companies may be lured into a false sense of security through compliance with the card associations’ requirements and may mistakenly assume that they are not in violation of FTCA §5A or other relevant regulations such as SB1386 or, if applicable, the GLBA.
    As industry and government continue to take a more active role in the regulation and protection of PII, it is important for companies to establish a practice of proactively identifying new requirements and laws that may pertain to their particular industry or segment. Understanding that this is a difficult and resource intensive task, it is likely a more palatable option to leverage the existing expertise of information security companies. When looking for information security companies to help your company secure its critical information and systems, it is a good idea to select a company that specializes in regulatory compliance and has experience helping companies achieve compliance with card association requirements, government regulations and similar mandatory security programs.