Data Security

Post by Karthik Reddy and Laura Wishingrad

Ceridian Case

On June 8, 2011, the Federal Trade Commission issued a complaint against Ceridian Corporation, a company that operates “Powerpay,” a web-based payroll processing service for small businesses. Ceridian claimed on its website and in its contracts with clients that it had a comprehensive security program in place to protect customer data. Nonetheless, in December 2009, hackers used a SQL injection attack against the Powerpay web application and network to access and export the personal information (including Social Security numbers, bank account numbers, and dates of birth) of 27,673 individuals.

The FTC alleged that Ceridian did not take adequate measures to protect sensitive customer information. According to the FTC, Ceridian: (1) stored personal information in clear, readable text, (2) stored this information indefinitely, without a business need, (3) did not adequately assess the vulnerability of its web applications and network to commonly known or reasonably foreseeable attacks, such as SQL injection, (4) did not implement readily available defenses against these attacks, and (5) failed to employ reasonable measures to detect and prevent unauthorized access to personal information.
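To make failings (3) and (4) concrete, here is an added example (it is not code from the original post, and it has nothing to do with Ceridian's actual Powerpay code). It builds a toy payroll lookup on an in-memory SQLite table with constructed sample rows, shows how string-concatenated SQL lets an attacker-supplied employee ID dump every row, and places the parameterized query that prevents it beside the vulnerable one. The table name, columns, employee IDs and the attacker payload are all assumptions made for the illustration.

```python
"""Added example: SQL injection in a payroll lookup, and the parameterized fix.

Not from the original post or from any real Powerpay code. Schema, rows and
payload are constructed sample data for demonstration only.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample payroll rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (emp_id TEXT, ssn TEXT, bank_account TEXT, dob TEXT)"
    )
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?, ?)",
        [
            ("E100", "000-00-0001", "111111", "1970-01-01"),  # constructed data
            ("E200", "000-00-0002", "222222", "1980-02-02"),
            ("E300", "000-00-0003", "333333", "1990-03-03"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, emp_id: str) -> list:
    """Vulnerable: the caller-supplied emp_id is spliced into the SQL text,
    so quote characters in it change the query's structure."""
    sql = (
        "SELECT emp_id, ssn, bank_account FROM employees "
        "WHERE emp_id = '" + emp_id + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, emp_id: str) -> list:
    """Hardened: emp_id is bound as a parameter, so the driver always treats it
    as a string value and never as part of the SQL statement."""
    sql = "SELECT emp_id, ssn, bank_account FROM employees WHERE emp_id = ?"
    return conn.execute(sql, (emp_id,)).fetchall()


# Constructed attacker input: closes the open quote and appends a tautology,
# turning "WHERE emp_id = ''" into "WHERE emp_id = '' OR '1'='1'".
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, benign id :", lookup_vulnerable(db, "E100"))
    print("vulnerable, payload   :", lookup_vulnerable(db, PAYLOAD))   # all rows
    print("parameterized, payload:", lookup_parameterized(db, PAYLOAD))  # no rows
```

With the benign ID both lookups return one row. With the payload, the concatenated query returns every employee's SSN and bank account, which is the export the complaint describes; the parameterized query looks for an employee literally named `' OR '1'='1` and returns nothing. Parameterization is the defense the FTC characterized as readily available; storing the SSN column encrypted and purging rows past their retention period would address failings (1) and (2), which this example does not cover.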

The Consent Order

Following the data security breach at Ceridian, the FTC investigated the failings listed above. It then drafted a consent order covering the personal information that Ceridian collects from consumers, with provisions intended to stop the practices that could lead to future data breaches.

The FTC wanted Ceridian to implement a program consistent with its broader goal: a general program that every company collecting information under FTC jurisdiction should follow. The Commission issued its order in seven parts, of which the first three are of most interest to us. The first part of the order prohibits Ceridian from misrepresenting how it protects the personal data collected from consumers. For example, Ceridian claimed it maintained “Worry-free Safety and Reliability . . . Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.” In reality, Ceridian had not taken the security measures it described, and even those that were implemented were inadequate. The FTC's order requires Ceridian to stop making such misleading claims about the privacy, confidentiality and security of data.

The second part of the order states that Ceridian and all related subsidiaries shall establish, implement and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of consumers' information. Going further, the FTC ordered that, as part of the program, Ceridian identify risks and implement reasonable safeguards to control them. The interesting part here is that the FTC specified certain minimum areas in which risks have to be identified, thereby setting minimum standards. This ensures that well-known threats are addressed by identifying the known risks, and it gives concrete meaning to a “reasonably designed” information security program.

In part three of the order, the FTC requires Ceridian Corporation to obtain regular assessment reports from a qualified, objective and independent third-party professional, such as a CISSP, a CISA or a SANS-certified professional. However, the order also provides that this part may not apply to Ceridian Stored Value Solutions to the extent that it is not involved in the marketing or sale of products related to payroll, taxes or human resources. The FTC also ensures that the quality of the assessments is maintained by defining, at a broad level, what an assessment shall contain and by having the assessments provided to the Commission on a regular basis. This part of the order is consistent with the FTC's principle that businesses should know with whom they are sharing sensitive information in order to avoid data theft.

FTC Guidelines for a Cyber Security Bill

Since 2001, the FTC has brought 34 cases against businesses that allegedly failed to protect consumers' personal information. The FTC recognizes the need for a generalized federal regulatory framework for data protection and security. This is also an area of focus for the European Commission and the European Parliament. On July 19, 2011, FTC Commissioner Julie Brill spoke to the Practising Law Institute's 12th annual Privacy and Data Security Law Institute in Chicago about the positions the FTC is taking on privacy and data security.

The model that has been used for privacy and data security in the past is what the FTC calls “notice and choice.” In this model, the website or application presents the customer with page after page of privacy legalese, often incomprehensible to the average customer. Additionally, data security cases have historically been tied to quantifiable harm to customers. The frameworks that have been put in place do not provide sufficient incentive for companies to develop systems that will prevent harm in the first place.

In response to this analysis, in 2009 the FTC launched an initiative known as the privacy “rethink.” This initiative is centered around three main concepts. The first has been called “Privacy by Design.” That is, companies will “build privacy and security protections into new products.” In doing so, they should ensure that the level of privacy and security protection is proportional to the sensitivity of the information collected. Furthermore, companies should determine whether the information they collect is in fact needed for business purposes and how long they will retain it. The second concept is to provide customers with simplified privacy policies that are easy to understand. Finally, the FTC calls for greater transparency around data collection, use, and retention.

For further information:

Ceridian Corporation Complaint and Order

Julie Brill Statement

FTC article

FTC on Twitter
