
The FTC has entered into a consent order with a sole proprietor for a failure to implement reasonable protections of personal information.
At issue were the following statements, which the FTC held to be deceptive/misleading:
- “[We] utilize the latest security and encryption techniques to ensure the security of your account information.”
- “We understand clearly that you and your information are one of our most important assets.”
In actuality, the website did not implement:
- penetration testing
- IDPS or other techniques to detect anomalous activity
- TLS encryption
- a valid SSL certificate
- effective access controls
The FTC also found a number of unfair practices including:
- maintaining information in cleartext
- allowing employees to store credentials in cleartext
Consent order requirements include:
- implement a comprehensive written information security plan
- appoint a person in charge of personal information
- undergo a biennial, external, third-party audit
- supervise third-party providers
- conduct regular risk assessments