On its website, Life is Good, Inc. claimed:
“We are committed to maintaining our customers’ privacy. We collect and store information you share with us – name, address, credit card and phone numbers along with information about products and services you request. All information is kept in a secure file and used to tailor our communications with you.”
The FTC charged, however, that contrary to the language quoted above, Life is Good “failed to provide reasonable and appropriate security for the sensitive consumer information stored on its network.”
Specifically, the FTC alleged that customer credit card information was stored “indefinitely, in clear, readable text” on Life is Good’s network, along with credit card security codes; that Life is Good had failed to implement certain low-cost and readily available measures to protect against SQL and similar attacks; and that Life is Good failed to take measures to monitor its network and detect unauthorized access. Consequently, according to the FTC, a hacker was able to use SQL injection attacks to access Life is Good’s network and steal the credit card information of thousands of customers.
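The two technical failures the complaint describes, building SQL from untrusted input and retaining full card numbers and security codes in clear text, are both cheap to avoid. The following is an added illustration, not code from the FTC complaint or from Life is Good: a constructed in-memory SQLite table of fake customer records, a lookup that concatenates user input into the query (the pattern a SQL injection exploits), the same lookup with a bound parameter, and a storage helper that keeps only the last four digits of a card number and discards the security code. The table layout, the sample rows and the injection payload are all assumptions made for the example.

```python
import sqlite3

# Constructed sample records (fake card numbers, not real data).
# Column layout is an assumption for this example.
CUSTOMERS = [
    (1, "alice@example.com", "4111111111111111", "123"),
    (2, "bob@example.com", "5555555555554444", "456"),
    (3, "carol@example.com", "378282246310005", "789"),
]

# Hypothetical injection string: closes the quoted literal and appends
# an always-true condition, so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, email TEXT, card_number TEXT, cvv TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Lookup that splices the caller's input into the SQL text.

    Anything the caller sends becomes part of the statement, so a crafted
    value rewrites the query instead of being compared as data.
    """
    sql = "SELECT id, email, card_number FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Same lookup with a bound parameter.

    The database receives the statement and the value separately; the value
    is only ever compared against the column, never parsed as SQL.
    """
    sql = "SELECT id, email, card_number FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def record_for_storage(card_number, cvv):
    """Reduce a card record to what a retailer needs to keep on its own systems.

    Keeps only the last four digits for display and drops the security code
    entirely; the cvv argument is accepted only so callers cannot forget to
    discard it. The returned layout is an assumption for this example.
    """
    digits = "".join(ch for ch in card_number if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("card number too short")
    del cvv  # never written anywhere
    return {"last4": digits[-4:], "masked": "*" * (len(digits) - 4) + digits[-4:]}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))      # every row leaks
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no rows
    print("stored:", record_for_storage("4111 1111 1111 1111", "123"))
```

Run it to see the concatenated query return all three rows for the payload while the parameterized query returns none, and the storage helper keep nothing that would let a later intruder charge the card.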
The consent decree requires Life is Good to establish a data security program which includes administrative, technical and physical safeguards similar to those outlined in the FTC’s Safeguards Rule, which applies to companies covered by the Gramm-Leach-Bliley Act. The security program must be specifically tailored to the retailer’s size and the sensitivity of the data it handles. Specifically, the FTC requires that Life is Good:
- Dedicate one or more employees to the coordination of a security program;
- Identify internal and external risks to information security and assess the safeguards now in place;
- Establish safeguards to protect against the risks identified in the assessment, and the means to monitor their effectiveness;
- Evaluate and adjust the security program as necessary to reflect the results of monitoring, material changes to the company’s structure or operations, and “other circumstances that may impact the effectiveness” of the security program;
- Develop reasonable steps to retain service providers capable of adequately protecting customer information they receive from Life is Good, and require those service providers by contract to implement and maintain safeguards; and
- Maintain its books and records in a way that facilitates FTC monitoring of its compliance with the consent decree.
In addition, Life is Good faces the burdensome and costly requirement of obtaining an independent, third-party audit of its security measures once every two years for the next twenty years.
At a minimum, any company that handles sensitive customer data should have safeguards in place at the three levels cited by the FTC: administrative, technical and physical. Employees should be trained in the secure handling of consumer information. Appropriate network systems and software for information processing, storage, transmission and disposal should be in place. In addition, companies should install systems or mechanisms for detecting intrusions and responding to attacks. These measures may reasonably be tailored to the size of the company and the sensitivity of the data it handles, but together they represent the full spectrum of protections the FTC will expect from any company that handles private customer information, whether or not the company publicly promises to protect its customers’ data.