Companies that release customer data as a result of security mistakes could find themselves in the cross hairs of the US Federal Trade Commission, especially if that release points to poor security practices.
The FTC has only brought one case against a company for releasing customer data, but chairman Timothy Muris expects more action against companies.
The FTC took its first security-related action earlier this year, in a landmark settlement reached with Eli Lilly and Co in Indianapolis after it released nearly 700 customer addresses collected through its Prozac.com website. The release of names, included in an email, was called inadvertent, but the FTC nonetheless faulted the pharmaceutical firm for its security and training practices.
"I expect Lilly is not the case we will bring," Muris said at the Networked Economy Summit sponsored by George Mason University.
Prior to the Lilly case, the FTC's enforcement actions had been focused on willful disclosures of information. But in the Lilly case, the FTC held the company to its privacy promise that pledged security. If a company makes such a promise, it should have reasonable security procedures in place, says Muris.
According to Muris, when security breaches occur, the FTC will investigate and try to answer two questions: Did the company have a system in place that was appropriate for the sensitivity of the information? And did it follow its own procedures?
Under the settlement announced in January, Eli Lilly was required to make changes to its information security practices as well as conduct an annual review.
One motive for the growing FTC interest in security is identity theft.
The FTC averages 3000 calls per week from people in need of help because of such theft. But Chris Hoofnagle, legislative counsel at the Electronic Privacy Information Centre (EPIC) in Washington, says any emphasis on security may do more to legitimize invasive privacy practices by data profilers and others.
"A pioneering or more progressive approach is to pursue businesses that are collecting data without an individual's consent," he says.
Also at the conference was former New York City Mayor Rudolph Giuliani, who credited the city's Y2k planning with helping it handle the aftermath of the September 11 terrorist attacks last year.
New York spent some $280 million on Y2k repairs, money Giuliani says he "used to resent" because of the amount needed for what was essentially remedial work.
But when the city's emergency command centre was destroyed in the collapse of one of the adjoining World Trade Centre buildings, the city was able to quickly rebuild that centre, in part because it had made duplicates of all the systems in case of a Y2k-related systems failure.
That, he says, "made me feel better."