The FTC alleged that Life is good did not in practice provide sufficient safeguards for the sensitive consumer information that it collected and stored through its web site (which included credit card numbers, credit card expiration dates and credit card security codes). Life is good’s alleged failures and inadequacies specifically included, among other things, indefinitely storing credit card information, credit card security codes and other consumer information in clear, readable text on its network without a business need, failing to assess and monitor the vulnerability of its networks and systems to commonly known and reasonably foreseeable attacks (such as SQL injection attacks), failing to implement low-cost, readily available security defenses to such attacks, and failing to employ reasonable measures to detect unauthorized access to consumer information.
As a result, the FTC claimed, the web site fell victim to SQL injection attacks that exposed the sensitive information of thousands of its customers to hackers.
The settlement agreement between the parties prohibits Life is good from making further deceptive claims about its privacy and security practices, and requires, among other things, that the retailer implement and maintain a data security and privacy program to protect the sensitive information it collects from consumers.
More and more, companies are being held accountable for the statements and promises of safety and security that they make on their websites and in their privacy policies. In September 2007, the New York Attorney General announced investigations into the online social networking site Facebook, stating that "Facebook’s promise of a safe website is not consistent with its performance in policing its site and responding to complaints." According to the AG’s Press Release, while Facebook made various claims and "reassuring statements" on its website regarding the site’s safety controls and response to complaints, undercover investigations revealed that the company was slow (and at times unresponsive) in responding to complaints filed regarding inappropriate content or communications on the site.
In addition, the new set of privacy rules recently adopted by MySpace pursuant to an agreement with 49 state Attorneys General, the goal of which is to help foster online safety and security on social networking sites and online in general, included an agreement by MySpace to better implement procedures for managing and responding to consumer complaints.