Legal Brief: Take Heed: FTC Enforcement in Guidance Case

After the loss of thousands of customer records, Guidance Software has become the FTC's 14th data-security case. How does the FTC choose who to file suit against, and what do

February 14, 2007


The FTC recently took action against Guidance Software stemming from the company's loss of thousands of customer records stolen through an insecure e-commerce site. The attack and the resulting theft of personal information seem almost banal, given the frequency of massive personal-data breaches. Despite this deluge, the FTC can pursue only a tiny subset of the companies involved. Unfortunately for Guidance, it became the FTC's 14th data-security case. So, how does the FTC choose who to file suit against, and what do the case results mean?

No one outside the FTC knows for sure what attracted it to the Guidance case, but several factors stand out. First, the situation was dripping with irony: Guidance's flagship product, EnCase, has long been the de facto standard for computer forensic investigations among both private and law-enforcement investigators, and one marvels at the sheer audacity of hacking the leading forensics software company. Second, the compromise was not a brief one: it lasted nearly four months at the end of 2005, which likely weighed in the FTC's decision to turn such musings into a formal case. Third, the level of security controls was unforgivably low. And finally, Guidance was preparing for an IPO, which has only recently been completed. As if an open investigation by a federal agency weren't enough to focus a company's attention, the need to woo investors and analysts in the lead-up to an IPO guaranteed the FTC an advantageous bargaining position.

Judging by this and past FTC data-security cases, it's safe to say that if the breach involves massive numbers of people and/or a nationally recognized brand name, enforcement is more likely. Rather than trying to figure out whether you're a potential target, you're better off shoring up the infosec program surrounding the personally identifiable information (PII) you store.

Although the FTC obviously intends to address a specific case, it is also speaking to the entire industry. By implication, this series of settlement agreements helps illuminate what the commission considers acceptable levels of security control.

So how did Guidance's e-commerce site get hacked? According to the FTC's complaint, the system stored both PII and administrative user credentials in unencrypted cleartext, had no vulnerability-assessment procedures and ran no intrusion-detection systems. The entry vector was a SQL injection attack, which the FTC called "reasonably foreseeable," a phrase that suggests organizations can't plead ignorance of Web application flaws. The situation qualifies as a security pro's worst nightmare. High-level execs' eyes may still glaze over at the mention of esoteric-sounding attacks like SQL injection, but the fact that the FTC considers defenses against such attacks to be on par with rudimentary security controls will likely change blasé responses to budget requests for mitigating these risks.

Another theme runs through the Guidance settlement: Information security requires a systematic approach. Some past FTC enforcement actions (Guess.com, for example) focused on a single, catastrophic security failure, such as unencrypted PII. The Guidance complaint, by contrast, sets forth the series of failures outlined above, suggesting that the commission has raised its expectations for privacy-related data security programs. Specifically, it demands a broad spectrum of controls, including vulnerability-assessment procedures, encryption, database security, log aggregation and monitoring, and intrusion detection.
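The three failures the complaint names (string-built SQL, cleartext credentials, no monitoring) are easy to show side by side. The following is an added example written for this page, not code from Guidance, the FTC or the original article; the table layout, user records and log lines are constructed for the demonstration. It puts a deliberately injectable login beside a parameterized one that stores salted PBKDF2 hashes, then runs a toy signature check over sample web-log lines of the kind a basic IDS or log monitor would flag.

```python
import hashlib
import hmac
import os
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample accounts (assumption: not Guidance's real schema or data).
USERS = [
    ("admin", "S3cret-admin", True),
    ("alice", "alice-pass", False),
]

# Constructed web-server log lines in common log format; the second and third
# carry URL-encoded injection attempts, the first is a normal login.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2005:10:01:02] "GET /login?user=alice&pw=alice-pass HTTP/1.1" 200',
    '10.0.0.9 - - [12/Dec/2005:10:01:07] "GET /login?user=%27+OR+%271%27%3D%271&pw=x HTTP/1.1" 200',
    '10.0.0.9 - - [12/Dec/2005:10:01:09] "GET /product?id=1+UNION+SELECT+username%2Cpassword+FROM+users HTTP/1.1" 200',
]


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a dumped table does not yield usable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory DB with a cleartext credential table (the failure the FTC
    complaint describes) and a properly hashed one, both seeded from USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_cleartext (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("CREATE TABLE users_hashed (username TEXT, salt BLOB, pw_hash BLOB, is_admin INTEGER)")
    for name, pw, admin in USERS:
        conn.execute("INSERT INTO users_cleartext VALUES (?, ?, ?)", (name, pw, int(admin)))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?, ?)", (name, salt, pbkdf2(pw, salt), int(admin)))
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str):
    """Deliberately injectable: user input is concatenated into the SQL text.
    Returns (username, is_admin) for the first matching row, or None."""
    sql = ("SELECT username, is_admin FROM users_cleartext WHERE username = '"
           + username + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def safe_login(conn, username: str, password: str):
    """Parameterized lookup plus constant-time hash comparison; the submitted
    strings never become part of the SQL grammar."""
    row = conn.execute(
        "SELECT salt, pw_hash, is_admin FROM users_hashed WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    salt, stored, is_admin = row
    if not hmac.compare_digest(pbkdf2(password, salt), stored):
        return None
    return (username, is_admin)


# Toy signature set for the log check: quote-OR-quote tautologies, SQL line
# comments and UNION SELECT. Real IDS rules are far broader; this only shows
# why decoding before matching matters.
SQLI_PATTERN = re.compile(r"(?i)('\s*or\s+'|--|\bunion\s+select\b)")


def flag_suspicious(log_lines):
    """Return the log lines whose URL-decoded request matches SQLI_PATTERN."""
    return [line for line in log_lines if SQLI_PATTERN.search(unquote_plus(line))]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable, honest creds :", vulnerable_login(db, "alice", "alice-pass"))
    print("vulnerable, tautology    :", vulnerable_login(db, tautology, tautology))
    print("safe, tautology          :", safe_login(db, tautology, tautology))
    print("safe, honest creds       :", safe_login(db, "alice", "alice-pass"))
    for hit in flag_suspicious(SAMPLE_LOG):
        print("flagged:", hit)
```

With the tautology `' OR '1'='1` in both fields, the concatenated query's WHERE clause becomes true for every row and the vulnerable path hands back the first account, here the administrator, without any valid password. The parameterized path returns nothing for the same input, and even a full dump of `users_hashed` yields salts and PBKDF2 digests rather than reusable passwords. The log check is the kind of cheap monitoring the complaint faulted Guidance for lacking; note that it decodes `%27` and `+` before matching, because an encoded payload sails past a check on the raw line.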

Here's the bottom line: The comprehensive nature of these regulatory demands should help drive the approach you take to securing the PII you maintain.


Patrick R. Mueller is completing his law degree and a master's degree in public affairs at the University of Wisconsin-Madison, specializing in privacy and data security law and policy. He was previously a senior analyst for security consultancy Neohapsis. Write to him at [email protected].
