The Federal Trade Commission announced on January 17, 2008 that it has agreed in principle to a consent order with Life is good, Inc. and Life is good Retail, Inc. (collectively “Life is good”) resolving allegations that the apparel company collected sensitive information from consumers and failed to secure it in compliance with its own privacy and security policies. The consent order against Life is good, among other things, prohibits future deceptive privacy and security claims and requires the company to implement a comprehensive information security program that includes biennial audits by an independent security professional for the next twenty years.
- properly evaluate the vulnerability of their computer systems to commonly known or reasonably foreseeable attacks, including SQL injection attacks;
- implement simple, free or low-cost, and readily available defenses to such attacks;
- employ readily available security measures to monitor and control connections from the network to the internet; and
- employ reasonable measures to detect unauthorized access to consumer information.
According to the FTC’s complaint, these failures allowed a hacker to use SQL injection attacks to obtain credit card numbers, expiration dates and security codes for thousands of customers between June and August 2006. The FTC complaint further alleged that Life is good’s failure to take reasonable and appropriate measures to protect consumer information against unauthorized access contravened the company’s explicit representations to consumers.
The FTC’s proposed settlement prohibits Life is good from making deceptive claims about its privacy and security practices and policies. The settlement also requires the company to institute a comprehensive privacy and security program that includes administrative, technical and physical safeguards for consumer information. Specifically, the company is required to:
- designate at least one employee to coordinate the security program;
- identify material internal and external risks to the security and confidentiality of consumer information and evaluate the sufficiency of existing safeguards;
- design and implement reasonable safeguards to control any identified risks and regularly test the effectiveness of such safeguards;
- develop reasonable procedures for selecting and supervising service providers that handle customers’ personal information; and
- evaluate and adjust the company’s information security program based on the results of monitoring, material changes to the company’s operations, or other circumstances that may affect the program’s effectiveness.
Life is good must also retain an independent, third-party auditor to assess the company’s security program within 180 days after a final order is served and once every other year thereafter for the next twenty years. The auditor must certify that the program both meets or exceeds the requirements established by the consent order and is operating at a level that provides reasonable assurance that consumer information is being adequately protected. The proposed settlement will remain open to public comment through February 18, 2008.