America’s privacy and security enforcer

July 6, 2012

June was a big month in cyber crime for the FBI, but the Bureau is not the only enforcer looking out for your digital privacy and data protection.

June of 2012 saw some welcome successes in the struggle against those who abuse computers and networks for malicious or misguided ends. However, we were also reminded that defeating cyber crime requires not only detection and prosecution but also prevention. Let's begin with a selective recap, starting with the FBI announcement that a two-year undercover operation called “Operation Card Shop” had come to fruition.

Busting two dozen people in 13 countries for fraud involving computer crime was described by the Bureau as “the largest coordinated international law enforcement action in history directed at ‘carding’ crimes—offenses in which the internet is used to traffic in and exploit the stolen credit card, bank account, and other personal identification information of hundreds of thousands of victims globally.”

The operation involved a fake website called CarderProfit.com created by the FBI and described as a “veritable eBay for thieves.” Criminals used the site to buy and sell stolen credit card information without knowing they were being watched. Federal officials say this elaborate sting prevented potential losses of more than $200 million.

Other FBI cyber crime-fighting successes in June include the arrest of a Pennsylvania man on charges of hacking into a variety of companies and government agencies and selling stolen access credentials. There were guilty pleas in one high-profile case as two members of the LulzSec hacking collective, Ryan Cleary and Jake Davis, pleaded guilty to various cyber crimes in a UK court, and in another headline-grabbing case prosecutors filed a recommendation for a serious sentence for a man from Jacksonville, Fla., who hacked into celebrity email accounts. Perhaps the fear of five years in jail and paying a six-figure restitution will help deter folks from invading other people's digital space.

In light of these news items it might seem strange to turn the spotlight on the Federal Trade Commission (FTC) as a force for good in the realm of information security. Indeed, many corporate executives might be more confused than concerned to get a message from reception saying, "There's someone from the FTC here to see you." Compare that to the instant elevation of blood pressure produced by these words: "There's someone from the FBI here to see you." However, the FTC has been laying down the law pretty aggressively when it comes to corporate information security practices and postures.

On the same day that the FBI announced the rounding up of those credit card hackers, the FTC announced it was suing Wyndham Hotels for allegedly failing to secure the financial information of its guests. Wyndham operates 7,200 hotels and 93,000 vacation properties worldwide, and its three subsidiaries—Wyndham Hotel Group, Wyndham Hotels and Resorts, LLC, and Wyndham Hotel Management—are alleged to have “misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information and that its failure to safeguard personal information caused substantial consumer injury.”

The suit is based on three different security breaches: the 2008 exposure of half a million credit card accounts belonging to Wyndham guests; the 2009 theft of another 50,000 card numbers; and a 2010 breach involving 69,000 accounts. Apparently Wyndham is not clear about how the FTC regards this type of security breach, telling SC Magazine that “the company has yet to learn of any fraud that resulted from the breaches.” In its complaint, the FTC alleges Wyndham's privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers' information. If you've been following the FTC's privacy and security actions over the last decade you will know that losses suffered by consumers are not material to the charge that security practices are unfair and deceptive and violate the FTC Act. 

Ten years ago it was Microsoft that came under fire from the FTC which alleged false security and privacy promises pertaining to Microsoft's Passport Single Sign-In, Passport Wallet, and Kids Passport. The case was settled by Microsoft agreeing to implement and maintain a comprehensive information security program. In addition, Microsoft agreed to have its security program “certified as meeting or exceeding the standards in the consent order by an independent professional every two years.”

Since then the FTC has taken seriously the words uttered by Chairman Timothy J. Muris when he announced the 2002 settlement with the world's largest software company:

“Good security is fundamental to protecting consumer privacy. Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It's not only good business, it's the law. Even absent known security breaches, we will not wait to act.”

In the decade since then a wide range of companies have been hit with FTC privacy settlements, including social network giant Facebook, search giant Google, pharmacy giant CVS Caremark, and media giant Disney. These settlements subject the settling company to decades of scrutiny that amounts to probation, during which any additional violations carry accelerated penalties. In some cases, there are multi-million dollar fines as well, like $5 million for CVS and $3 million for Disney. Which brings us back to June of 2012, when the FTC hit data broker Spokeo with an $800,000 fine for its data handling and advertising practices.

Spokeo's business model has been described as “spookeo” because it revolves around collecting personal information about individuals from various sources, including social networks, and merging the data to build dossiers that include name, address, age, email address, hobbies, photos, ethnicity, religion, and participation on social networking sites. (If you have not tried this, just Google “spokeo” using your own first and last name, and if you find yourself in the results be warned they can be scarily detailed yet wildly inaccurate.)

Clearly, the FTC takes its enforcement mandate seriously, and the agency has pioneered the policing of companies on matters of privacy and data security, starting with two landmark cases with which I was professionally involved: Eli Lilly's Prozac moment and Microsoft's false Passport promises. While many Americans bemoan our country's lack of a formal “right to privacy,” the track record of the FTC as enforcer is something of a consolation.

The FTC's track record may even explain one more computer security event that took place in June: Apple's removal from its website of several security-related statements, including “a Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers” and “Safeguard your data. By doing nothing.” Sadly, this year's Flashback infection of Macs and other Mac malware have made “doing nothing” a riskier option for Mac users than it was a few years ago.

Now, it is merely speculation on my part, but I'm guessing someone very smart in Cupertino saw the FTC's writing on the wall when it came to positioning their product as categorically safer than the competition. Believing you have a more secure product is one thing, putting that forward as a reason people should choose your product is quite another, especially when you might have to prove your claims to a team of FTC investigators.