In the strongest sign yet that the government will, if it must, regulate corporate security, the US Federal Trade Commission (FTC) is cracking down on companies with lax security on their websites.
In its third such case, the FTC recently settled with clothing and accessory company Guess. Customer data was stolen from the Guess website, despite company claims that the personal data was "stored in an unreadable, encrypted format at all times." The FTC argued that a February SQL injection attack, in which credit card numbers were compromised, proved this claim was false. Instead of going through litigation, Guess chose to sign a consent agreement.
The settlement's terms require the company to create a comprehensive security program and to undergo an independent security audit every two years that meets or exceeds the security levels outlined in the FTC's consent agreement.
These security standards are not wildly outrageous. The FTC has published infosecurity guidelines for companies to follow. The guidelines, though broad, are the first step. Two of the key points in the FTC's existing guidelines stipulate that companies must protect against the 20 most common Internet vulnerabilities, as published by SANS, and the 10 most common application vulnerabilities, as published by the Open Web Application Security Project. There's no telling what company the FTC will target next, or when, which might be the point. The FTC is hoping the mere threat of a press release with your company's name on it will compel you to act.
For a look at the FTC security guidelines, go to www.ftc.gov/bcp/conline/pubs/buspubs/security.htm.