US cracks down on customer data leaks

Companies that release customer data as a result of lax security could find themselves on the wrong side of the Federal Trade...

Companies that release customer data as a result of lax security could find themselves on the wrong side of the Federal Trade Commission, especially if poor security practices come to light.

The FTC has, so far, only brought one case against a company for releasing customer data, but chairman Timothy Muris said that he expected to take more action against companies.

The FTC took its first security-related action earlier this year, in a landmark settlement reached with drug company Eli Lilly and after it released nearly 700 customer addresses collected through its Web site.

The release of names, included in an e-mail, was described as "inadvertent", but the FTC nonetheless faulted the pharmaceutical firm for its security and training practices.

The FTC's enforcement actions had, previously, focused on wilful disclosures of information. But in the Lilly case, the FTC held the company to its privacy promise that pledged security. If a company makes such a promise, it should have reasonable security procedures in place, said Muris.

According to Muris, when security breaches occur, the FTC will investigate and try to answer two questions: Did the company have a system in place that was appropriate for the sensitivity of the information? And did it follow its own procedures?

Under the settlement announced in January, Eli Lilly was required to make changes to its information security practices as well as conduct an annual review.

One motive for the growing FTC interest in security is identity theft.

The FTC averages 3,000 calls per week from people in need of help because of such theft. But Chris Hoofnagle, legislative counsel at the Electronic Privacy Information Center (EPIC) in Washington, said any emphasis on security may do more to legitimise invasive privacy practices by data profilers and others.

"A pioneering or more progressive approach is to pursue businesses that are collecting data without an individual's consent," he said.

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.