The FTC has entered into a consent order with a sole proprietor for a failure to implement reasonable protections of personal information.

At issue were the following statements, which the FTC held to be deceptive/misleading:

  • “[We] utilize the latest security and encryption techniques to ensure the security of your account information.”
  • “We understand clearly that you and your information are one of our most important assets.”

In actuality, the website did not implement:

  • penetration testing
  • IDPS or other techniques to detect anomalous activity
  • TLS encryption
  • a valid SSL certificate
  • effective access controls

The FTC also found a number of unfair practices including:

  • maintaining information in cleartext
  • allowing employees to store credentials in cleartext

Consent order requirements include:

  • implement a comprehensive written information security plan
  • appoint a person in charge of personal information
  • undergo a biennial, external, third-party audit
  • supervise third-party providers
  • conduct regular risk assessments

Read the full decision.