Aftermath of privacy breakdown: Manufacturer under FTC's eyes for 10 years
Guidance, an American forensic company, made headlines in December 2005 by falling victim to a server break-in that allowed the names, addresses and credit card information for roughly 3,800 customers to be copied. The company is now being given a second chance – but only with a very tight leash from the U.S. Federal Trade Commission (FTC), which is ordering it to implement improved security measures.
The intruders gained access to the data through an SQL injection vulnerability. In the FTC's view, Guidance neglected to take sufficient protective measures for its customers' data: that class of vulnerability was well known, as were the mechanisms for guarding against it, and the company should have been prepared for attacks through its web applications. Aggravating the agency's findings was the fact that Guidance claimed on its website to be aware of its responsibility for the security of client data – but nevertheless stored that data in unencrypted form.
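An added illustration of the vulnerability class named above (example code, not from the article and not from Guidance's products): the same customer lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory table. The table, columns and sample rows are assumptions.

```python
# Added example: why a concatenated query leaks and a parameterized one does not.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a customer records table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Alice", "alice@example.com"),
         (2, "Bob", "bob@example.com"),
         (3, "Carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: user input is pasted into the SQL text, so a quote in the
    input changes the query's structure instead of being compared as data."""
    sql = f"SELECT name FROM customers WHERE email = '{email}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the driver binds the value separately from the SQL text,
    so the input can only ever be compared against the email column."""
    sql = "SELECT name FROM customers WHERE email = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo() -> dict:
    """Run both lookups with a normal input and with a constructed input that
    breaks out of the quoted literal; returns the four result lists."""
    conn = make_db()
    legit = "bob@example.com"
    tampered = "x' OR '1'='1"  # constructed input that escapes the string literal
    return {
        "vuln_legit": lookup_vulnerable(conn, legit),        # ["Bob"]
        "vuln_tampered": lookup_vulnerable(conn, tampered),  # every row leaks
        "safe_legit": lookup_parameterized(conn, legit),     # ["Bob"]
        "safe_tampered": lookup_parameterized(conn, tampered),  # []
    }
```

Note that both versions behave identically on well-formed input, which is why functional testing alone does not surface the defect; code review for string-built SQL and a policy of bound parameters everywhere are the controls the FTC had in mind.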
As penance, Guidance, which makes the forensics software EnCase, must implement a comprehensive cybersecurity program and submit the results of its efforts to independent security audits for the next ten years. With that, the FTC closed its 14th privacy violation case against a US company. The situation is quite different in the UK, where companies regularly consider it unnecessary to inform their customers about attacks. The US state of California, by contrast, has much stricter rules: its Security Breach Information Act compels companies to report intrusions into their systems if personally identifiable data was processed there.
The EU Commission is considering quite a different approach: at a minimum, obliging network operators and ISPs to report attacks against their systems to regulators, who would then decide whether to pass that information on to the public.