The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

FTC Settles with Online Retailer for Failure to Safeguard Consumer Information


This past January, the FTC settled with Life is good, Inc., a retail apparel and accessories outfit that operates the web site,, for making deceptive claims regarding the privacy and security of consumer information it collected and stored through its website in violation of federal law, including the FTC Act.  According to the FTC’s complaint, the web site’s privacy policy claimed, "We are committed to maintaining our customers’ privacy. We collect and store information you share with us – name, address, credit card and phone numbers along with information about products and services you request. All information is kept in a secure file and is used to tailor our communications with you."  
The FTC alleged that Life is good did not in practice provide sufficient safeguards for the sensitive consumer information that it collected and stored through its web site (which included credit card numbers, credit card expiration dates and credit card security codes). Life is good’s alleged failures and inadequacies specifically included, among other things, indefinitely storing credit card information, credit card security codes and other consumer information in clear readable text on its network without a business need, failing to assess and monitor the vulnerability of its networks and systems to commonly known and reasonably foreseeable attacks (such as SQL injection attacks), failing to implement low-cost, readily available security defenses to such attacks, and failing to employ reasonable measures to detect unauthorized access to consumer information.
As a result, the FTC claimed that the web site fell victim to SQL injection attacks exposing the sensitive information of thousands of its customers to hackers. 
The settlement agreement between the parties prohibits Life is good from making further deceptive claims about its privacy and security practices, and requires, among other things, that the retailer implement and maintain a data security and privacy program to protect the sensitive information it collects from consumers.  To see the FTC’s Press Release on this matter, click here.
More and more, companies are being held accountable for the statements and promises of safety and security that they make on their websites and in their privacy policies. In September of 2007, the New York Attorney General announced investigations into the online social networking site Facebook, stating that "Facebook’s promise of a safe website is not consistent with its performance in policing its site and responding to complaints." According to the AG’s Press Release, while Facebook made various claims and "reassuring statements" on its website regarding the site’s safety controls and response to complaints, undercover investigations revealed that the company was slow (and at times unresponsive) to complaints filed regarding inappropriate content or communications on the site.
In addition, the new set of privacy rules recently adopted by MySpace pursuant to an agreement with 49 state Attorneys General, the goal of which is to help foster online safety and security on social networking sites and online in general, included an agreement by MySpace to better implement procedures for managing and responding to consumer complaints.

Author: ABA Antitrust
