FTC vows to keep closer tabs on privacy breaches

RESTON, Va. -- Companies that release customer data as a result of security mistakes could find themselves in the cross hairs of the Federal Trade Commission, especially if such a release points to poor security practices.

The agency has brought only one case against a company for releasing customer data, but FTC Chairman Timothy Muris said today that he expects more action against companies.

The FTC took its first security-related action earlier this year in a landmark settlement reached with Eli Lilly and Co. in Indianapolis after it released nearly 700 customer addresses collected through its Prozac.com Web site. The release of names, which were included in an e-mail, was called inadvertent, but the FTC nonetheless faulted the pharmaceutical firm for its security and training practices.

"I expect Lilly is not the case we will bring," Muris said today at the Networked Economy Summit, sponsored by George Mason University.

Prior to the Lilly case, the FTC's enforcement actions had been focused on willful disclosures of information. But in the Lilly case, the FTC held the company to its privacy promise that pledged security. If a company makes such a promise, it should have reasonable security procedures in place, said Muris.

According to Muris, when security breaches occur, the FTC will investigate and try to answer two questions: Did the company have a system in place that was appropriate for the sensitivity of the information? And did it follow its own procedures?

Under the settlement announced in January, Eli Lilly was required to make changes to its information security practices as well as conduct an annual review.

One motive for the growing FTC interest in security is identity theft.

The FTC averages 3,000 calls per week from people in need of help because of such theft. But Chris Hoofnagle, legislative counsel at the Electronic Privacy Information Center (EPIC) in Washington, said any emphasis on security may do more to legitimize invasive privacy practices by data profilers and others.

"A pioneering or more progressive approach is to pursue businesses that are collecting data without an individual's consent," he said.

Also at the conference was former New York City Mayor Rudolph Giuliani, who credited the city's Y2k planning with helping it handle the aftermath of the Sept. 11 terrorist attacks last year.

New York spent some $280 million on Y2k repairs, which Giuliani said he "used to resent" because of the amount of money needed for what was essentially remedial work.

But when the city's emergency command center was destroyed in the collapse of one of the adjoining World Trade Center buildings, the city was able to quickly rebuild the center, in part, because it had made duplicates of all the systems in case of a Y2k-related systems failure.

That, he said, "made me feel better."

Copyright © 2002 IDG Communications, Inc.
