Posted by Jonathan Penn on June 24, 2010
Organizations continue to face risk for security breaches. Normally, we talk about the risk of security breaches being fines and other costs around loss of PII, per California Senate Bill 1386 and similar laws in 45-or-so other states.
The FTC specifically identified these practices (among others) that constituted insufficient care:
I wonder how many companies – especially private ones, like Twitter – can claim to satisfy all these requirements.
As a result of the FTC investigation and settlement, Twitter is "barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to information and honor the privacy choices made by consumers." It also "must establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years" and is "barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information" (does that mean that everyone else is allowed to mislead consumers about this??).
This oversight framework is a familiar MO for the FTC. It is not dissimilar from the settlements several years ago with Eli Lilly (FTC File No. 012 3214) and Guess, Inc. (FTC File No. 022 3260).
The scope of breach liability is expanding, and organizations should brace themselves for increased oversight and exposure to liability for private (but not personally identifiable) information. CISOs need to work more closely with Chief Privacy Officers (anyone with a social network or any kind of Web 2.0 presence, however modest, should really have one) and with the head of enterprise risk (a role that spans physical security, information security, compliance, legal, insurance, and privacy).