Privacy Update
27 March 2008
Is your privacy statement misleading and deceptive?
Could the ACCC take you to task?
A recent order was obtained by the US Federal Trade Commission (FTC) against an online retailer who had failed to safeguard consumer information (including credit card details). The FTC pursued the claim on the basis that the retailer’s privacy policy was misleading and deceptive by claiming that the information was secure when it was not.
This complaint relied on the provisions of US law that are equivalent to the Trade Practices Act provisions regarding misleading and deceptive conduct.
The consent orders obtained impose significant and long term obligations on the online retailer including carrying out recurring security audits.
Could it happen here? Given the breadth of the terms “misleading and deceptive” and the wide powers of the Australian Competition and Consumer Commission (ACCC), it could.
Facts
In the US case, an online retailer, Life is good Inc., had a privacy policy in place on its website since at least October 2005 that stated:
“We are committed to maintaining our customer’s privacy. We collect and store information you share with us – name, address, credit card and phone numbers – along with information about products and services you request. All information is kept in a secure file and is used to tailor our communications with you”.
Between June and August 2006, a hacker, using SQL injection attacks, exported from Life is good’s website the credit card details of thousands of customers.
The FTC’s claim against Life is good was based on the fact that the privacy policy was false and misleading because Life is good failed to provide “reasonable and appropriate” security for the customer information stored on its network. Specific security failures were identified as including:
- storing the information in clear, readable text;
- storing information indefinitely on the network without a business need and storing credit card security codes;
- failing to adequately assess the vulnerability of their web application to reasonably foreseeable attacks such as the SQL injection attacks used by the hacker;
- failing to implement simple, free or low cost and readily available defences to such attacks;
- failing to use readily available security measures to monitor and control connections from the network to the internet; and
- failing to employ reasonable measures to detect unauthorised access to consumer information.
The FTC order
The consent order requires Life is good to establish and maintain a comprehensive security program to protect personal information it collects from consumers. The order requires Life is good to undertake specific measures including:
- designating an employee to coordinate its information security program;
- identifying existing risks;
- designing and implementing safeguards to control risks; and
- evaluating and adjusting the information security program to reflect the results of monitoring.
In addition, Life is good is required to retain an independent third party security auditor to assess its security program on a biennial basis for the next 20 years. The FTC will monitor Life is good’s compliance over this period.
The Australian regulatory landscape
The ACCC has wide powers to enforce the Trade Practices Act for the benefit of consumers and the wider market place. Historically, the ACCC has pursued businesses engaging in misleading and deceptive conduct to the detriment of consumers.
The ACCC would have power to seek an enforceable undertaking from a business such as Life is good to implement a compliance program to prevent future breaches, along similar lines to those obtained by the FTC.
The US does not have uniform federal privacy legislation, but rather a number of state-enacted regimes which deal with data breach notification and other aspects. Australia has a federal regime in the Privacy Act 1988 (Cth), but that would not preclude the ACCC from enforcing the consumer protection aspects of misleading and deceptive conduct in relation to privacy.
The Privacy Act is currently under review by the government and it may be that reforms will give the Office of the Privacy Commissioner strong powers to act in a similar way to the way in which the FTC has acted. However, it may be that the ACCC simply retains its ability to enforce breaches of the Trade Practices Act irrespective of whether those breaches involve areas that are subject to additional regulatory oversight.
What steps should I take?
The key issue in the Life is good case is that what the company said about its security processes was not what was actually undertaken by the company. A number of privacy policies were developed in Australia in the early 1990s when the National Privacy Principles were introduced and may not have been reviewed since that time in any substantive way.
This case points out that systems managers need to ensure that what is actually undertaken accords with what is being stated in public documents. It is also important that an employee within the organisation has responsibility for maintaining security of personal information as part of their job description. Failure to allocate responsibility could lead to the sorts of problems encountered in the Life is good case.
The other key issue is to look at corporate information retention policies. The significant risk that Life is good undertook was storing information indefinitely on its network. This included the credit card details and credit card security codes. If you collect this sort of sensitive information you should ensure there is a procedure for deleting sensitive elements at least on a regular basis.
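The security failures the FTC listed (clear-text storage, retained security codes, a web query open to SQL injection, indefinite retention) and the regular deletion procedure recommended here, shown as an added Python example that is not from the article or from Life is good. The table layout, the 90-day retention window, the processor-issued token and the sample orders are all constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed business rule (not from the article): card references are needed
# only for a 90-day refund window and are purged after it.
RETENTION_DAYS = 90

def open_store():
    """Constructed in-memory order table; deliberately no CVV column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, "
        "card_last4 TEXT, processor_token TEXT, created TEXT)"
    )
    return conn

def record_order(conn, customer, card_number, processor_token, created):
    """Keep only the last four digits and the processor's token (assumed to be
    issued by the payment processor); the full number is never written. Dates are YYYY-MM-DD."""
    conn.execute(
        "INSERT INTO orders (customer, card_last4, processor_token, created) "
        "VALUES (?, ?, ?, ?)",
        (customer, card_number[-4:], processor_token, created),
    )
    conn.commit()

def orders_for_customer_unsafe(conn, customer):
    """The failure pattern: SQL text built by concatenation, so a crafted
    customer name rewrites the query instead of being matched."""
    sql = "SELECT customer, card_last4 FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()

def orders_for_customer(conn, customer):
    """Hardened form: a bound parameter is always treated as data."""
    return conn.execute(
        "SELECT customer, card_last4 FROM orders WHERE customer = ?", (customer,)
    ).fetchall()

def purge_expired(conn, today):
    """Retention procedure: blank card references older than the window so
    nothing sensitive stays on the network indefinitely. Returns rows purged."""
    cutoff = datetime.fromisoformat(today) - timedelta(days=RETENTION_DAYS)
    cur = conn.execute(
        "UPDATE orders SET card_last4 = NULL, processor_token = NULL "
        "WHERE created < ? AND processor_token IS NOT NULL",
        (cutoff.date().isoformat(),),
    )
    conn.commit()
    return cur.rowcount
```

Running the same crafted customer name through both lookups shows the concatenated query returning every row while the parameterised one returns nothing, and a scheduled call to purge_expired is the "procedure for deleting sensitive elements" the article asks for.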
Disclaimer
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.