Companies that release customer data as a result of lax security
could find themselves on the wrong side of the Federal Trade
Commission, especially if poor security practices come to
light.
The FTC has so far brought only one case against a company for
releasing customer data, but chairman Timothy Muris said he
expected the agency to take more action against companies.
The FTC took its first security-related action earlier this year,
in a landmark settlement reached with drug company Eli Lilly after
it released nearly 700 customer e-mail addresses collected through
its prozac.com Web site.
The release of names, included in an e-mail, was described as
"inadvertent", but the FTC nonetheless faulted the pharmaceutical
firm for its security and training practices.
The FTC's enforcement actions had previously focused on wilful
disclosures of information. But in the Lilly case, the FTC held the
company to the security pledge in its own privacy promise. If a
company makes such a promise, it should have reasonable security
procedures in place to back it up, said Muris.
According to Muris, when security breaches occur, the FTC will
investigate and try to answer two questions: Did the company have a
system in place that was appropriate for the sensitivity of the
information? And did it follow its own procedures?
Under the settlement announced in January, Eli Lilly was required
to make changes to its information security practices as well as
conduct an annual review.
One motive for the growing FTC interest in security is identity
theft.
The FTC averages 3,000 calls per week from people in need of help
because of such theft. But Chris Hoofnagle, legislative counsel at
the Electronic Privacy Information Center (EPIC) in Washington,
said any emphasis on security may do more to legitimise invasive
privacy practices by data profilers and others.
"A pioneering or more progressive approach is to pursue businesses
that are collecting data without an individual's consent," he said.