Watch out! Your company can be slapped with fines and penalties even without a data breach. Recent litigation and notifications around the loss or misuse of corporate data are on the rise. Companies holding PCI data, PII or PHI are all high-value targets for cyber criminals, especially in the financial services, retail and hospitality industries.
In December, Lifelock, Inc. entered into a $100 million settlement with the FTC – the largest settlement of its kind. This was Lifelock's second settlement; the first, a $12 million agreement in 2010, penalized Lifelock for weak internal security and for misrepresentations made about its identity theft service.
How did Lifelock let this happen?
In 2010, the FTC charged Lifelock with falsely claiming it protected consumers against identity theft. The FTC claimed that the fraud alerts placed on customer accounts didn’t prevent misuse of existing accounts, stop employment identity theft or prevent medical identity theft. Lifelock also advertised that “unauthorized changes to address information would be prevented…and that they would receive a call from creditors prior to opening a new account.” None of this was true.
Beyond the alleged false claims made to customers, Lifelock neglected to protect customers’ sensitive Social Security and credit card data. No encryption was used and systems were vulnerable to attack. Lifelock improperly oversaw its customer data — and as a result, the FTC forced it to establish a “comprehensive data security program,” which would be audited for 20 years.
Flash forward to 2014, when the FTC launched a new complaint against Lifelock because it failed to meet the terms of the 2010 settlement. Again, Lifelock failed to deliver on its promise to clients to institute a robust internal security program protecting the very data it knew to be at risk. The current $100 million settlement will pay out $68 million to affected consumers, and Lifelock’s information security program, under the Permanent Injunction to protect data from or about consumers, will continue. Lifelock claims “that there is no evidence that it ever had any of its customer data stolen.”
Fining companies based on data security weaknesses is not new to the FTC, and will likely continue. The FTC announced over 50 data-related law enforcement actions and launched its new program, “Start with Security,” in June. The recent Wyndham Worldwide decision in the Third Circuit ruled that the FTC was within its statutory rights to bring an enforcement action for data security, where the result is “unfair or deceptive acts or practices in or affecting commerce.” Wyndham had three breaches over two years resulting in over $10 million in fraudulent charges. But with so many hospitality point-of-sale (POS) breaches, is Wyndham really at fault?
In Wyndham, the FTC charged that the company stored PCI data in clear text; failed to monitor the network for malware that had been used in a prior attack on its network; had weak password/access management procedures and poor firewall/network containment configurations. Having improperly executed network security, they then “failed to employ reasonable measures to detect and prevent unauthorized access to [the] computer network or to conduct security investigations.”
Wyndham was not the first PCI breach prosecuted by the FTC. In 2006, the FTC filed similar complaints against Cardsystems Solutions, Inc. and Dave & Busters. Dave & Busters didn’t take “sufficient measures to detect and prevent unauthorized access to the network…[or] monitor and filter outbound data traffic to identify and block the export of sensitive personal information without authorization.” Recently, Hyatt Hotels International made headlines when it suffered a similar attack in which “criminals used malware to infiltrate and capture sensitive customer information from its payments system, which could include credit card data, cardholder names and verification codes.”
While cyber criminals direct their attacks at financial, retail and hospitality companies, it’s increasingly the consumer who must cope with the impact. While fraudulent credit card charges may not affect the card holder over the long term, identity theft can lead to more complex abuses, because criminals can apply for personal loans, access medical services accounts, or commit income tax filing fraud.
Preparation for a breach may be more important than work performed during the breach itself. Work with a certified PCI Forensic Investigator (PFI) resource with deep experience handling PCI/POS breaches. Follow best practices specifically tailored to the types of sensitive data you have and build a process to protect that data across your organization and vendor/supplier network. The NIST Cyber Framework, which is tailored by each industry group, can help organizations mature their networks into an adaptive security environment.
Be proactive and conduct a compromise assessment on your network to find weaknesses and, potentially, hidden malware. Another powerful exercise, the incident readiness assessment, operationally tests your management in live breach scenarios. By performing these exercises, your organization will know whether it needs a network-wide risk assessment and where monitoring technology should be inserted to prevent data loss.
Phishing and malware result in PCI, PII and PHI theft, and companies need full visibility into their network traffic, down to each user endpoint, and the intelligence to know what to stop and when to stop data in its tracks. Taking these steps, and documenting your plans and procedures, will help to prevent litigation, fines and penalties that could carry a heavy financial burden.
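The outbound-traffic filtering that the Dave & Buster's complaint faulted the company for lacking, and the "stop data in its tracks" visibility this paragraph calls for, both come down to one concrete check: spotting clear-text card numbers (PANs) in egress data before they leave. The following is an added example, not part of the original post or any vendor's product; the record format and sample payloads are constructed.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs (digits only) found in text; cuts false positives
    from plain numeric IDs that merely look card-shaped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """PCI-style masking for alerts: keep first 6 and last 4 digits only,
    so the alert itself never becomes another clear-text copy of the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_outbound(records):
    """Flag egress records whose payload carries a clear-text PAN.
    Records are {"dst": str, "payload": str} dicts (constructed format)."""
    alerts = []
    for rec in records:
        pans = find_pans(rec["payload"])
        if pans:
            alerts.append({"dst": rec["dst"], "pans": [mask_pan(p) for p in pans]})
    return alerts


# Constructed sample egress records (test card number, not real traffic).
SAMPLE_RECORDS = [
    {"dst": "203.0.113.7:443", "payload": "POST /upload card=4111 1111 1111 1111 exp=1219"},
    {"dst": "198.51.100.2:80", "payload": "GET /img/logo.png"},
    {"dst": "203.0.113.9:8080", "payload": "order_id=1234567890123456 status=ok"},
]
```

Only the first record is flagged: the 16-digit order ID in the third record fails the Luhn check, which is what keeps a control like this from drowning analysts in noise.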
-Barnaby Page, J.D.