The FTC has delayed its "Red Flags Rule" yet again. The Red Flags Rule basically requires companies to keep their eyes open for identity theft. It was supposed to go into effect on May 1st but has now been bumped until August 1st, 2009.
These regulations have caused a stir amongst businesses because they apply to almost any entity that grants credit. For a small business, the maintenance of an identity theft program could prove to be yet another expensive regulatory requirement. But the Red Flags Rule also emphasizes the fact that a program needs to be "appropriate for your company...size and potential risks of identity theft" (the size exemption is also one of the major stipulations in the similarly delayed Massachusetts data security law). Which is a bit of a strange formulation - why do small businesses get a pass on security? After all, shouldn't a business be required to have the necessary staff on board to operate securely?
But small or not, in its current formulation the Red Flags Rule affects millions of businesses - basically any company that in some way or another extends credit to consumers. Even with the considerable outreach the FTC has done on this issue, I can't imagine that this rule is on the radar of even a fraction of all these businesses. But those businesses seem to have a while until they really need to pay attention - a panel I attended at the recent RSA conference had a few folks from the FTC who were basically saying that actual enforcement is still a ways off. And undoubtedly it is the largest companies who will be looked at first.
Identity theft (a term which is often misused as a euphemism for companies granting credit too easily) is a much more prevalent problem in the US than in most of continental Europe. In many European countries, there is no way to get any meaningful credit without physically presenting documents like a passport or national identity card. And while those can be forged as well, this significantly raises the criminality bar and the associated penalties. So identity theft is essentially a trade-off; credit is either easily obtainable with a high rate of identity theft, or credit is a hassle to obtain with a low rate of identity theft.
The US has had very easy-to-obtain credit in recent years, and the ubiquity of e-commerce has only exacerbated this problem. But the pendulum is starting to swing in favor of tightening regulation of credit following last year's financial meltdown. The Red Flags Rule may ultimately prove less effective at reducing identity theft than other regulations that have been implemented to protect consumers. Most notably, forty-seven states now have security freeze laws. These laws basically allow consumers to set up a password so that any access to their credit report requires them to first "unlock" the report with this password.
Because these laws require people to proactively go out and place a freeze, there has not been widespread adoption (I can't find a reference right now but I remember reading a while back that there were only several tens of thousands of credit freezes in all of New York State as of a year ago). Some people have been scared off by stories of delays in lifting freezes and having mortgage applications denied as a result. This inconvenience factor figured very prominently in the business opposition to the original freeze laws - without the ability to quickly approve car financing, a sale might fall through.
The argument against credit freezes reminds me of the Simpsons episode where an excited Homer walks into a gun store to buy a rifle. When he discovers there is a 5-day waiting period he exclaims "But I'm mad now!". Slowing down access to credit is probably the only effective means to actually reduce identity theft, but it carries with it other economic costs.
Showing posts with label FTC.
Wednesday, May 6, 2009
Wednesday, February 11, 2009
FTC Investigates the Geeks
Geeks.com (which sounds like a dating site for programmers but is actually an online discounter of computer equipment) got hit by the US Federal Trade Commission last week. (For international readers, the FTC is a US government agency primarily concerned with consumer protection.)
The complaint and settlement make for a brief and interesting read. The FTC doesn't seem to think much of Geeks.com's security, but takes even less kindly to their apparent misrepresentation of the security measures they do have in place. Note to CISOs - make sure you know what the marketing department is saying about your security to the outside world. And make sure that your security policy actually reflects what's going on in your organization. As any lawyer will tell you, it is better to have no policy in place than a policy you haven't actually implemented.
Getting hit by the FTC is no fun. The settlement will force Geeks.com to subject itself to ongoing audits for many years to come. The overall costs of this action are enormous - hiring outside counsel to deal with the FTC, the bureaucratic overhead of maintaining all the newly required paperwork, and so forth.
I have posted in the past on justifying security spending. A Joe-average data breach seems to have lost its shock value and in some instances may even, ironically, provide lesser-known companies with some brand recognition. But FTC actions like the one against Geeks.com carry real costs, imposing huge administrative burdens and damaging the brand, if not in the eyes of consumers then at least in the eyes of investors. (The New York Law Journal has a good overview of the overall costs of an FTC investigation.)
Is a post-breach investigation by the FTC something that companies should be worried about? A back-of-the-napkin calculation shows that the answer is probably not. There were hundreds of public data breaches last year, and yet scanning the FTC website for actions in 2008 shows that there were only a few dozen investigations of any kind in any given month, and very few of those were information security related.
It doesn't take a genius to predict that greater regulation is forthcoming as a result of the new administration and the colossal failure of current institutions like the SEC to prevent Madoff-like frauds. This will affect not only financial accounting but also seemingly unrelated areas like information security. Although the current risk of investigation by the FTC is very low, security is about an overall narrative that can be used to address a wide range of upcoming regulations.
One final noteworthy point about the FTC judgment. It specifically lists SQL injection as a form of attack that Geeks.com should have taken measures to prevent. This is part of an ongoing development in requiring companies to take reasonable steps to prevent well-known attacks. PCI references (albeit an outdated version of) the OWASP Top 10, but there have been few cases I know of in which a specific technical vulnerability is mentioned in an FTC action. I suspect we will be seeing more of this in the future.