Check Your Privacy Policies And Implement Data Security Programs


Technical Glitches May Be No Excuse For Privacy Breaches

Two recent cases involving inadvertent disclosures of personally identifiable consumer information further underscore the importance of implementing security programs to protect personally identifiable information and ensuring that your company’s statements about privacy and security are an accurate reflection of your practices. As these cases attest, technical glitches and security design flaws may still form the basis of a Federal Trade Commission (FTC) or state attorney general enforcement action.

It is noteworthy that neither of these cases appears to involve the disclosure of credit card data or other data that is typically deemed to be sensitive (for instance, other financial data or health data). Moreover, a review of the settlements also confirms that, in the eyes of consumer protection agencies, the Gramm-Leach-Bliley (GLB) financial privacy safeguards have become the de facto standards for information security for all industries, not only "financial institutions." Companies not covered by GLB should nevertheless look to these rules as a guide in assessing information security issues. As summarized below, these rules essentially require companies to implement internal controls to ensure the security and confidentiality of customer information.

These cases also highlight the need to routinely evaluate not only your security practices, but also the statements in your privacy or security policies and elsewhere on your Web site (for instance, in FAQs, on check-out pages, or in e-mail confirmations or safe shopping guarantees). Statements about security need to accurately reflect a company’s practices.

TowerRecords.com

The FTC’s settlement with Tower Records[1] stems from charges that a security flaw in the Tower Records Web site exposed the personal information of Tower customers in violation of the Web site’s privacy policy. Although the FTC did not fine Tower, the online record store will be required to implement an appropriate security program and to conduct, through a third-party security professional, biennial audits of its Web site security for the next 10 years.

In addition, Tower is barred from misrepresenting the extent to which it maintains and protects the privacy, confidentiality, or security of personal information collected from or about consumers. Tower’s privacy policy made claims such as, "We use state-of-the-art technology to safeguard your personal information" and "Your TowerRecords.com Account information is password protected. You and only you have access to this information."

According to the FTC, however, when Tower redesigned its site, it introduced a security vulnerability that allowed Web users to access Tower’s order history records and view certain personal information about other Tower customers, such as their names, billing and shipping addresses, e-mail addresses, telephone numbers, and their past Tower purchases.[2]

The FTC charged that "the security flaw was easy to prevent and fix, but that Tower failed to implement appropriate checks and controls in the process of writing and revising its Web applications; adopt and implement policies and procedures to test the security of its Web site; and provide appropriate training and oversight for its employees." In settling the charges against Tower, the FTC noted: "Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities."

Barnes & Noble.com

Ironically, the New York state attorney general’s enforcement action against Barnes & Noble.com stems from the site’s efforts to avoid the use of "cookies" (information files that a Web browser places on a user’s computer hard drive). According to the attorney general’s office, however, Barnes & Noble.com’s storage of certain user information in the Web page URL resulted in certain situations (such as a consumer forwarding or posting a Web page link) in which "the consumer information in the URL was inadvertently posted or forwarded to third parties." Credit card numbers were not divulged, but sensitive customer information, including names, billing addresses, and account information, was inadvertently disclosed.

On April 29, 2004, New York State Attorney General Eliot Spitzer announced that Barnes & Noble had agreed to pay a fine of $60,000 for this design flaw in the Barnes & Noble Web site.[3] In addition to paying the substantial fine for disclosing personal consumer information, Barnes & Noble agreed to implement a security program to protect personal information; establish management oversight and employee training programs; and hire an external auditor to monitor compliance with the security program.

The Barnes & Noble agreement comes on the heels of Victoria’s Secret’s settlement[4] with the New York state attorney general in October 2003, whereby the intimate apparel retailer agreed to take steps to increase the security of its Web site and offer refunds to New Yorkers whose names, addresses, and order details may have been seen by other customers due to a software glitch. This disclosure of information had sharply contradicted Victoria’s Secret’s published privacy policy, which stated, "Any information you provide to us at this site when you establish or update an account, enter a contest, shop online or request information . . . is maintained in private files on our secure web server and internal system . . ." The fact that the company violated that policy was key in the attorney general’s decision to require Victoria’s Secret to pay $50,000 to the State of New York in costs and penalties.

Information Security Programs

These and other recent security cases[5] highlight the need to implement an information security program. As these cases demonstrate, information security programs should be evaluated with the following four steps in mind.

  1. Accountability. Companies should designate an employee or employees to coordinate and be accountable for the information security program.
  2. Risk Assessment. Companies should identify material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation, including (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failure.
  3. Reasonable Safeguards. Companies should design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
  4. Continued Evaluation and Adjustment. Companies should evaluate and adjust their information security programs in light of the results of testing and monitoring, any material changes to their operations or business arrangements, or any other circumstances that the companies know or have reason to know may have a material impact on their information security programs.

Footnotes

[1] Federal Trade Commission, "Tower Records Settles FTC Charges," press release, April 21, 2004.

[2] Specifically, the rewritten version of the Order Status application page of Tower’s Web site failed to include any "authentication code" to ensure that the consumer viewing purchase history information was the consumer to whom such information related. The rewritten code generated an e-mail to consumers confirming their order and providing a URL that they could use to check the status of their order on line (the Order Status URL). The omission of authentication code and the inclusion of the order number in the Order Status URL created a commonly known and reasonably foreseeable vulnerability in the Order Status application referred to as "broken account and session management."

[3] Office of the New York Attorney General Eliot Spitzer, "Attorney General Reaches Agreement with Barnes and Noble on Privacy and Security Standards," press release, April 29, 2004.

[4] Office of the New York Attorney General Eliot Spitzer, "Victoria’s Secret Settles Privacy Case; Company to Provide Restitution for Web Site Breach," press release, October 21, 2003.

[5] In the Matter of Guess? Inc., File No. 0223260 (FTC Aug. 5, 2003); In the Matter of Microsoft Corp., File No. 0123240 (FTC Dec. 24, 2002); In the Matter of Eli Lilly and Co., File No. 0123214 (FTC May 10, 2002).
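The two design flaws the settlements describe, an order-status page selected by a guessable order number with no check that the viewer owns the order (footnote 2) and customer details carried in the page URL so that forwarding the link forwards the data (the Barnes & Noble case), can both be shown in a few lines. The following is an added illustration, not code from the article or from either company; the shop hostname, order records and link tokens are constructed.

```python
"""Added example: an order-status link and lookup in the vulnerable form the
settlements describe, beside a hardened form. All data here is constructed."""
import secrets
from typing import Optional
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed order store: order number -> customer record
ORDERS = {
    "100045": {"customer": "alice", "name": "Alice A.", "ship_to": "1 Main St"},
    "100046": {"customer": "bob", "name": "Bob B.", "ship_to": "2 Oak Ave"},
}
# Unguessable per-order link tokens, assumed to be stored beside each order
TOKENS = {no: secrets.token_urlsafe(24) for no in ORDERS}
BY_TOKEN = {tok: no for no, tok in TOKENS.items()}

def status_url_vulnerable(order_no: str) -> str:
    """Barnes & Noble-style link: customer details ride in the query string,
    so anyone who receives the forwarded link receives the data too."""
    o = ORDERS[order_no]
    return "https://shop.example/status?" + urlencode(
        {"order": order_no, "name": o["name"], "ship_to": o["ship_to"]})

def lookup_vulnerable(url: str) -> Optional[dict]:
    """Footnote 2's pattern: the (sequential) order number in the URL is the
    only input, and nothing ties the viewer to the order being shown."""
    q = parse_qs(urlparse(url).query)
    return ORDERS.get(q.get("order", [""])[0])

def status_url_hardened(order_no: str) -> str:
    """Opaque token only: no personal data in the URL and nothing to enumerate."""
    return "https://shop.example/status?" + urlencode({"t": TOKENS[order_no]})

def lookup_hardened(url: str, session_user: Optional[str]) -> Optional[dict]:
    """The token must resolve to an order AND the logged-in session user must
    be the customer who placed it; a forwarded link alone shows nothing."""
    q = parse_qs(urlparse(url).query)
    order_no = BY_TOKEN.get(q.get("t", [""])[0])
    if order_no is None or session_user is None:
        return None
    order = ORDERS[order_no]
    return order if order["customer"] == session_user else None
```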

This article is intended to provide information on recent legal developments. It should not be construed as legal advice or legal opinion on specific facts. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising.
