AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
Data Encryption Software: RockYou Settles With FTC For $250,000 And 20 Years Oversight

RockYou, the developer of social games, has settled with the Federal Trade Commission in order to put its 2009 data breach behind it.  If you'll recall, RockYou had one of the largest data breaches in history when the account information of over 30 million users was stolen in December 2009.  RockYou had stored its users' passwords in plaintext.  Even the simple act of hashing those passwords (with a per-user salt and a deliberately slow password hash) would have left attackers with a cracking job instead of a ready-to-use list.  Data encryption like AlertBoot protects data at rest on a lost or stolen machine; for a live database that an application reads while it runs, password hashing is the control that matters, and RockYou had neither.
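To make the "plaintext versus hashed" point concrete, here is an added example (not code from the original post, and not anything RockYou or AlertBoot shipped) that stores the same constructed sample accounts both ways, verifies logins against the hashed records, and runs the kind of offline dictionary attack a thief would run on a stolen table. The PBKDF2 iteration count, the record format and the sample users and wordlist are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters. Illustrative values chosen for this example;
# a deployment tunes the iteration count to its own hardware.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        # A fresh random salt per user means equal passwords get different
        # records and precomputed (rainbow) tables are useless.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored record and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample accounts (not real RockYou data). "123456" stands in for
# the kind of common password the breach analysis turned up.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "correct horse battery staple",
}


def build_plaintext_table(users: dict) -> dict:
    """What RockYou did: the stored value *is* the password."""
    return dict(users)


def build_hashed_table(users: dict) -> dict:
    """What it should have done: store only salted, stretched hashes."""
    return {name: hash_password(pw) for name, pw in users.items()}


def crack_table(table: dict, wordlist: list) -> dict:
    """Offline dictionary attack against a stolen hashed table.

    Returns {username: recovered_password} for every account whose
    password appears in the wordlist; everything else stays unknown.
    """
    recovered = {}
    for name, record in table.items():
        for guess in wordlist:
            if verify_password(guess, record):
                recovered[name] = guess
                break
    return recovered


if __name__ == "__main__":
    plaintext = build_plaintext_table(SAMPLE_USERS)
    hashed = build_hashed_table(SAMPLE_USERS)
    print("plaintext store leaks directly:", plaintext)
    print("hashed store leaks only records, e.g.:", hashed["alice"])
    print("same password, different records:", hashed["alice"] != hashed["bob"])
    # Constructed wordlist of common passwords: the weak choices still fall,
    # the strong one does not.
    print("cracked:", crack_table(hashed, ["password", "123456", "qwerty"]))
```

The dictionary attack is the honest part of the demonstration: hashing does not rescue users who picked "123456", it only raises the attacker's cost from zero to one stretched hash computation per guess per account, which is why the salt and the iteration count matter as much as the hash itself.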

Because the passwords were in plaintext, the stolen data allowed a direct analysis of the most commonly used passwords.  The company eventually got embroiled in litigation and again reached a notable juncture when a court declined to dismiss the lawsuit (generally, data breach litigation doesn't proceed due to the lack of cognizable harm to the "victims").

An Odd Settlement? Not Really

According to computerworld.com, the settlement with the FTC is for violating COPPA, the Children's Online Privacy Protection Act.  Essentially, RockYou is admitting that it collected information on children under thirteen years of age without complying with FTC rules.  When you consider that 32 million people were affected by the breach, it sounds a little odd that the FTC went after the company for not obtaining parents' permission.  I'm not the only one to notice that:

Rob Rachwald, director of security strategy at Imperva, said that it is somewhat odd that RockYou was fined for violating COPPA requirements but not for a breach that let hackers access more than 30 million passwords. [computerworld.com]

Of course, once you've been covering data breaches as long as I have, it appears to be only natural.  As far as I know, there aren't too many laws that will financially penalize a company simply for having experienced a data breach.  There are some, such as HIPAA, but it covers medical organizations ("HIPAA covered-entities").

However, such examples are more of an exception than a rule.  I figure it's because, like it or not, companies that experience a malicious data breach are also victims.  This is why, to date, suing a company over a data breach has so rarely succeeded.

So, this is probably what happened: the FTC weighed the odds in the RockYou case and found that the only charge it could really make stick was COPPA.

FTC Warns About "Deceptive Claims"

Computerworld.com had this to say about the FTC settlement (my emphasis):

The proposed settlement also requires RockYou to maintain a formal data security program and prohibits it from making 'deceptive claims' about its privacy and security practices....

The case against RockYou is part of a broad effort by the FTC to ensure that companies live up to their security promises, the agency said in a statement....

To date, the FTC has brought legal action against about 36 organizations for failing to protect consumer data despite each company's claims of having measures in place to protect personal data.

I can attest to that.  I've already covered at least two such cases: RiteAid and Twitter.

In a sense, RockYou's settlement with the FTC covers a different aspect of "'deceptive claims' about its privacy and security practices."  The two FTC settlements I mentioned were brought for failing to protect information.  In the RiteAid case, for example, the company was found tossing patient documents into a dumpster without shredding them.  Twitter fell to a dictionary attack.

In light of this, one again wonders, "why COPPA?"  It's not as if the FTC had never filed charges against a company for lousy security.

Regardless, the message is clear: if you or your company is claiming that you engage in data security and privacy, you've got to put up or shut up.  This means ensuring that data is protected (such as with the use of encryption software), certainly, but it also means abiding by any privacy laws that are in effect.

Which is a no-brainer, if you ask me.


Related Articles and Sites:
http://www.computerworld.com/s/article/9225600/RockYou_settles_FTC_charges_related_to_2009_breach
http://nakedsecurity.sophos.com/2012/03/28/games-developer-rockyou-fined-250k-for-not-securely-storing-customer-data/


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.