The FTC has been active in going after companies that do not provide adequate data security. Today, they announced that Compete, Inc. had settled charges involving unfair or deceptive practices associated with collecting and sharing personal information of users. Of interest here, however, are the charges in the complaint that relate to data security:
Compete’s Data Security Practices
16. In addition to the representations made about the collection of data, Compete made statements about the security of user data such as the following:
We take reasonable security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of personal information. These measures include internal reviews of our data collection, storage and processing practices and security practices.
See General Compete Privacy Policy, Exhibit 5.
17. Respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for consumer information collected and transmitted by Compete. Among other things, respondent:
a. created unnecessary risks of unauthorized access to consumer information by transmitting sensitive information from secure web pages, such as financial account numbers and security codes, in clear readable text over the Internet;
b. failed to design and implement reasonable information safeguards to control the risks to customer information; and
c. failed to use readily available, low-cost measures to assess and address the risk that the data collection software would collect sensitive consumer information that it was not authorized to collect.
18. These security failures resulted in the creation of unnecessary risk to consumers’ personal information. Compete transmitted the information it gathered – including sensitive information – over the Internet in clear readable text. Tools for capturing data in transit over unsecured wireless networks, such as those often provided in coffee shops and other public spaces, are commonly available, making such clear-text data vulnerable to interception. The misuse of such information, particularly financial account information and Social Security numbers, can facilitate identity theft and related consumer harms.
19. After flaws in Compete’s data collection practices were revealed publicly in January 2010, Compete upgraded its filters, added new algorithms to screen out information such as credit card numbers, and began encrypting data in transit.
The settlement doesn’t require any admission of guilt, but it is encouraging to see the FTC continue to protect consumers from the risk of ID theft by insisting on adequate security.