In 2006, the Federal Trade Commission took the following companies to task for their lax information security:
Guidance Software
Violation: Did not: assess vulnerability to known Web-based attacks; implement simple defenses; monitor and limit access from the corporate network to the Internet; detect unauthorized access to consumers’ credit card information.
Nations Title Agency
Violation: Did not: assess risk of stored sensitive data; deploy reasonable security training policies and procedures; deploy simple security defenses to common website attacks; monitor for unauthorized access to sensitive data; properly oversee third parties processing sensitive data.
Xanga.com
Violation: Collected, used and disclosed personal information of children under the age of 13 without first obtaining parents’ consent.
Cardsystems
Violation: Did not: adequately assess network vulnerability; deploy security defenses; use strong passwords; use intrusion detection apps; conduct security investigations.
ChoicePoint
Violation: Did not have reasonable procedures to screen prospective subscribers; turned over consumers’ sensitive personal information to subscribers whose applications raised obvious red flags.
Other FTC actions from 2002 to 2005 included the following data security citations:
DSW
Year: 2005
Violation: Lax security allowed hackers to steal credit card and checking account information of more than 1.4 million customers.
BJ’s Wholesale Club
Year: 2005
Violation: Failed to encrypt personal data sent via Internet; stored personal data after no longer needing it; used common default passwords for access to files containing personal information; did not deploy technologies to secure wireless connections, detect intrusions or conduct security audits.
Superior Mortgage
Year: 2005
Violation: Did not use reasonable security for customer data; falsely claimed that it encrypted data submitted online.
Vision I Properties
Year: 2005
Violation: Rented to third-party marketers personal information gathered from clients’ customers, contradicting merchant privacy policies.
Petco
Year: 2004
Violation: Failed to deploy simple defenses to protect sensitive consumer data and to encrypt data as it claimed on its website.
Gateway Learning
Year: 2004
Violation: Rented consumers’ data in violation of its privacy policy.
Tower Records
Year: 2004
Violation: Failed to use appropriate checks and controls when revising Web applications, to adopt policies to test website security, and to provide training for employees.
Guess
Year: 2003
Violation: Did not encrypt stored personal data (as it claimed) or protect its website against commonly known attacks.
Microsoft
Year: 2002
Violation: Made the following false claims: that it used reasonable security to protect consumers’ personal data collected through its Passport and Passport Wallet services, that it provided more security with Passport Wallet for Web purchases than without, that it did not collect personally identifiable data, and that it provided parental control over what information participating websites could collect from children.
Eli Lilly
Year: 2002
Violation: Disclosed e-mail addresses of subscribers to an e-mail medication reminder service in violation of claims the company protected private data.