The FTC Wake-up Slap

When do your corporate security practices warrant FTC monitoring? When you fail to maintain the minimum levels of system protection and customer’s private data happens to drip from your porous applications.

“When a company promises consumers that their personal information is secure, it must live up to that promise,” says David Vladeck, head of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations.

“Patrons of social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure,” he says.

(courtesy of Byron Acohido’s The Last Watchdog blog)

This follows the news that Twitter has agreed to settle with the FTC after charges of failing to safeguard its customers’ personal information. The net result? Twitter must establish a comprehensive security program and will be subject to government monitoring for the next 10 years.

Personally I’ve got to wonder whether other organizations are going to come under similar levels of examination from the FTC in the near future. Take for example the recent disclosure of personal iPad customer data via flaws in a key online management application – AT&T iPad Breaches Are About App Security, Not Mobile Devices, Experts Say.

There are of course a couple of obvious questions here:

  • What is the minimum level of security required for protecting a customer’s personal data?
  • What constitutes a Comprehensive Security Program?

These two cases (Twitter and AT&T) share a number of similarities – poor application logic, weak security implementations, and ease of compromise. While “minimum” security levels can be interpreted in many different ways, since there’s no agreed or definitive manual that organizations can use, I’d be inclined to offer a couple of nuggets of security advice.

  1. Don’t be the “lowest hanging fruit” in your business sector. Look around. For example, if all the buildings around yours have 9′ high barbed wire fences and bars on their first floor windows, it’s more than likely a great idea to invest minimally in the same level of security. Similarly, when it comes to corporate security make sure you have a functional defense in depth system of interlocking (and overlapping) protection and detection technologies – and know how to use them!
  2. Make sure you’re testing your own defenses! At a minimum, you need to run the standard suites of automated vulnerability scanning and probing tools – both at the network and application levels. Any newly-minted CISSP graduate will know what’s required in order to achieve this basic level.

But that really is a minimum level of security proficiency. It doesn’t offer you much more protection than the equivalent of ensuring that you’re keeping your shoelaces tied up so that you don’t trip over them (like any mother tells her kids). Obviously, you should be aiming to raise your security awareness beyond this (e.g. “don’t run with scissors”) – especially if you’re required to pursue a “Comprehensive” security program.

– Gunter Ollmann, VP Security
