Monday, February 7, 2011

Your Data Is Only as Secure as the Systems of Your Authorized Users

Your systems are secure.  Your firewall is state of the art and comprehensive.  You’ve implemented continuously updated antivirus protection and system monitoring.  Your communications with your web and data hosting services are encrypted and their systems are secure.  You’ve made sure all employee, customer and vendor access is encrypted.  You train your employees to guard against human engineering.

If you’re in the business of providing information, you may be leaking sensitive data like a sieve.

How?  A settlement announced by the Federal Trade Commission last week is an important reminder that your data is only as secure as the system of your least secure authorized user.

The FTC settled charges against SettlementOnewhich provides its customers with credit reports combining data from the three major consumer credit reporting agencies, together with its parent, Sackett National Holdings.  The complaint alleges that that SettlementOne allowed its users to access reports by entering a username and password, but did little or nothing to make sure that the user’s systems were themselves secure.  As a result, the complaint alleges that hackers gained access to SettlementOne’s data by hacking into its users’ badly protected systems.  The FTC also claims that SettlementOne did nothing to address the problem, even after it learned of breaches, other than barring some (but not all) of the affected users.

The settlement requires SettlementOne to do what the FTC says it should have been doing in the first place:  Coming up with a security plan that takes into account the possibility of user insecurity and then implementing it, both by reviewing user systems and by monitoring its own systems for unusual access patterns.  That said, the settlement requires SettlementOne to subject itself to outside audits every two years for twenty (!) years.  It also makes SettlementOne vulnerable to much worse consequences if the FTC discovers future violations.

It’s worth mentioning that because SettlementOne is a “financial institution” (a very broad definition that covers any business a federal bank holding company is permitted to do), it had somewhat more privacy duties than most businesses under the Gramm-Leach-Bliley Act.  That said, the FTC’s complaint was also based on Section 5 of the FTC Act, which applies to everyone.

It’s also worth mentioning that this is a real risk.  It won’t go away if you ignore it and you shouldn’t need to FTC or a plaintiffs’ lawyer to bring it to your attention.

If you have a customer-facing web service that provides access to personal information of any kind, it’s worth reviewing this complaint and the settlement.  It’s not a bad list of things you should consider in coming up with a plan to deal with the issue.  Of course, you can scale back some of what the FTC imposed on SettlementOne if the information you’re providing isn’t as sensitive as social security and back account numbers. But figure out something that is likely to work.  Site visits or detailed reviews of customer security procedures are overkill in most situations.  At very least, however, you should think about ways to monitor access patterns for unusual activity.  Another minimum is to make sure that if and when a customer-based breach occurs, you have and carry out a policy to figure out what happened and to ditch the customer if you aren't satisfied that it has fixed the problem.

All of this will take some time and trouble, but it will secure your business.  Your plan will also almost certainly be better than the one the FTC or a plaintiffs’ lawyer would impose on you.