AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Data Breach Costs: Standard Breach Notification Bylines Deceptive Acts Or Practices?

Data Protection Involves More Than Digital Tools Like Disk Encryption Software

A couple of months back, I observed that a pretty standard clause used by Rite Aid Pharmacies had caused the company trouble with the FTC. Actually, it's unfair to put it that way, since Rite Aid erred to begin with: employees dumped sensitive documents in the trash, knowing full well (or, at least, they should have known) that proper data security ought to have been practiced, such as using a shredder.

The FTC pretty much called Rite Aid on the practice:

Rite Aid made claims such as, "Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy." The FTC alleged that the claim was deceptive and that Rite Aid's security practices were unfair.[My emphasis]

Today, I was doing some reading and found out that the above was not the first time the FTC took to task a company for claiming that they had good data security practices.

ChoicePoint: Deceptive Acts or Practices in or Affecting Commerce in Violation of Section 5(a) of the Federal Trade Commission Act

If you read this complaint by the FTC, on page 11 (paragraphs 31 and 32), the FTC notes that ChoicePoint "has not implemented reasonable and appropriate measures under the circumstances to maintain and protect the confidentiality and security of consumers' personal information," which contrasts with ChoicePoint's public claims (documented in paragraphs 27 through 29, inclusive, of the complaint).

This all relates, of course, to ChoicePoint's 2005 data breach, in which information on 145,000 people was sold to identity thieves who had set up shell companies and provided forged documents to "buy" (or, if you prefer, steal) the data. It was the data breach that pretty much prompted other states to sit up and take notice, and possibly to adopt their own data breach notification laws.

In ChoicePoint's case, the inclusion of the "deceptive acts" charge feels like, if not an afterthought, at least a trifling issue next to the major problem of identity thieves successfully poaching information on over 145,000 people.

In the Rite Aid case, the "deception" feels more prominent in the FTC's case against the pharmacy chain.

Now that I've found two of them, I'm pretty sure there must be other cases where the FTC has brought suit against companies that claimed to protect confidential data.

While I'm not a lawyer, I guess this just means you really have to pay attention to what you're promising or implying. I mean, "Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously" is considered a deceptive practice because actions didn't match up with words?

That claim, about taking its responsibilities seriously, is a fairly standard byline in pretty much all of the data breach notification letters I've read to date. More importantly, a significant number of the breaches I have read about involve situations where I'd seriously question whether the company, just like ChoicePoint and Rite Aid, took data security seriously: instances where a laptop is lost because of a break-in to a car, is left behind at the airport, etc.

In a tiny number of those situations, the computers were protected with laptop encryption like AlertBoot or similar data protection tools. In the bulk of the cases, there was no data security at all.

Perhaps it's too much to ask, or too much to expect, that the FTC go after such companies, unless it involves a "Fortune 500 company" and the situation is covered in the nationwide media.


Related Articles and Sites:
http://www.ftc.gov/os/caselist/choicepoint/0523069complaint.pdf


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.