In 2006, the Federal Trade Commission took the following
companies to task for their lax information security:
Violation: Did not: assess vulnerability to known
Web-based attacks; implement simple defenses; monitor and
limit access from the corporate network to the Internet;
detect unauthorized access to consumers’ credit card
Nations Title Agency
Violation: Did not: assess risk of stored sensitive
data; deploy reasonable security training policies and
procedures; deploy simple security defenses to common website
attacks; monitor for unauthorized access to sensitive data;
properly oversee third parties processing sensitive data.
Violation: Collected, used and disclosed personal
information of children under the age of 13 without first
obtaining parents’ consent.
Violation: Did not: adequately assess network
vulnerability; deploy security defenses; use strong passwords;
use intrusion detection apps; conduct security
Violation: Did not have reasonable procedures to screen
prospective subscribers; turned over consumers’ sensitive
personal information to subscribers whose applications raised
obvious red flags.
Other FTC actions from 2002 to 2005 included the following
data security citations:
Violation: Lax security allowed
hackers to steal credit card and checking account information
of more than 1.4 million customers.
BJ’s Wholesale Club
Violation: Failed to encrypt personal data sent via
Internet; stored personal data after no longer needing it; used
common default passwords for access to files containing
personal information; did not deploy technologies to secure
wireless connections, detect intrusions or to conduct security
Violation: Did not use reasonable security for
customer data, falsely claimed that it encrypted data submitted
Vision I Properties
Violation: Rented to third-party marketers personal
information gathered from clients’ customers,
contradicting merchant privacy policies.
Violation: Failed to deploy simple defenses to protect
sensitive consumer data and to encrypt data as it claimed on
Violation: Rented consumers’ data in
Violation: Failed to use appropriate checks and
controls when revising Web applications, adopt policies to test
website security and provide training for employees.
Violation: Did not encrypt stored personal data (as it
claimed) or protect its website against commonly known
Violation: Made the following false claims: that it
uses reasonable security to protect consumers’ personal
data collected through its Passport and Passport Wallet
services, that it provided more security with Passport Wallet
for Web purchases than without, that it did not collect
personally identifiable data, and that it provided parental
control over what information participating websites could
collect from children.
Violation: Disclosed e-mail addresses of subscribers
to an e-mail medication reminder service in violation of claims
the company protected private data.