The Federal Trade Commission recently issued a Consent Decree with online retailer ‘Life is Good.’ With more and more businesses operating online, this is a powerful signal to U.S. businesses, implying that specific minimum cybersecurity standards are required. Companies that publicly state that consumers’ personal information is protected not only need to have security in place, but must also make sure they hold true to their claim. U.S. businesses should compare their IT security efforts with the FTC’s baseline security requirements to ensure compliance.
The FTC has produced a cybersecurity program for retailers that make representations that they protect the confidentiality of consumer information. First and foremost, the FTC required that Life is Good establish, implement and maintain a comprehensive written security program to protect the security, confidentiality and integrity of consumer information. The Security Program must contain administrative, technical and physical safeguards appropriate to the retailer’s size and complexity, the nature and scope of its activities, and the type of personal information collected.
Life is Good found itself in the middle of a security breach when a hacker penetrated its website and collected consumer information. The information was later used to commit ID theft, and consumers complained to the FTC. The FTC launched an investigation into Life is Good’s security program and found that the company did not use effective security measures to protect consumer information. As a result, Life is Good agreed to address the many points of concern, and the parties agreed to the current consent decree.