When Companies Violate the Rules

In 2006, the Federal Trade Commission took the following companies to task for their lax information security:

Guidance Software

Violation: Did not: to assess vulnerability to known Web-based attacks; to implement simple defenses; to monitor and limit access from the corporate network to the Internet; to detect unauthorized access to consumers’ credit card information.

Nations Title Agency

Violation: Did not: assess risk of stored sensitive data; deploy reasonable security training policies and procedures; deploy simple security defenses to common website attacks; monitor for unauthorized access to sensitive data; properly oversee third parties processing sensitive data.

Xanga.com

Violation: Collected, used and disclosed personal information of children under the age of 13 without first obtaining parents’ consent.

Cardsystems

Violation: Did not: adequately assess network vulnerability; deploy security defenses; use strong passwords; use intrusion detection apps; conduct ­security investigations.

ChoicePoint

Violation: Did not have reasonable procedures to screen prospective subscribers; turned over consumers’ sensitive personal information to subscribers whose applications raised obvious red flags.

Other FTC actions from 2002 to 2005 included the following data security citations:

DSW

Year: 2005

Violation: Lax security allowed hackers to steal credit card and checking account information of more than 1.4 million customers. BJ’s Wholesale Club

Year: 2005

Violation: Failed to encrypt personal data sent via Internet; stored personal data after no longer needing it; used common default passwords for access to files containing personal information; did not deploy technologies to secure wireless connections, detect intrusions or to conduct security audits. Superior Mortgage

Year: 2005

Violation: Did not use reasonable security for customer data, falsely claimed that it encrypted data submitted online. Vision I Properties

Year: 2005

Violation: Rented to third-party marketers personal information gathered from clients’ customers, contradicting merchant privacy policies. Petco

Year: 2004

Violation: Failed to deploy simple defenses to protect sensitive consumer data and to encrypt data as it claimed on its website. Gateway Learning

Year: 2004

Violation: Rented consumers’ data in violation of privacy policy. Tower Records

Year: 2004

Violation: Failed to use appropriate checks and controls when revising Web applications, adopt policies to test website security and provide training for employees. Guess

Year: 2003

Violation: Did not encrypt stored personal data (as it claimed) or protect against website against commonly known attacks. Microsoft

Year: 2002

Violation: Made the following false claims: that it uses reasonable security to protect consumers’ personal data collected through its Passport and Passport Wallet services, that it provided more security with Passport Wallet for Web purchases than without, that it did not collect personally identifiable data, and that it provided parental control over what information participating websites could collect from children. Eli Lilly

Year: 2002

Violation: Disclosed e-mail addresses of subscribers to an e-mail medication reminder service in violation of claims the company protected private data.