Organisations continue to face risk for security breaches. Normally, we talk about the risk of security breaches being fines and other costs around loss of PII, per California Senate Bill 1386 and similar laws in 45-or-so other states.
What’s interesting about Twitter's settlement today with the FTC is that it had to do with a breach of information that is not protected under these kinds of laws.
Of course, having someone crack into Barak Obama’s account on your service is certainly going to raise the profile of the incident. (So why isn’t the FTC looking into the breach of Sarah Palin’s Yahoo! Mail account? Where’s the right-wing/tea-party outrage?)
The FTC specifically identified these practices (among others) that constituted insufficient care:
- Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks
- Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
- Providing an administrative login webpage that is made known only to authorised persons and is separate from the login page for users (that seems to disqualify the use of SSO for those administrative accounts)
- Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
- Imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
I wonder how many companies - especially private ones, like Twitter - can claim to satisfy all these requirements.
As a result of the FTC investigation and settlement, Twitter is "barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorised access to information and honor the privacy choices made by consumers."
It also "must establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years" and is "barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information” (does that mean that everyone else is allowed to mislead consumers about this??).
The oversight framework is a familiar MO for FTC to take on this. It is not dissimilar from the settlements several years ago with Eli Lily (FTC File No. 012 3214) and Guess, Inc. (FTC File No. 022 3260).
This trend in expanded scope for breach liability is growing, and organisations should brace themselves and prepare for increased oversight and exposure to liability as it pertains to private (but not personally identifiable) information.
CISOs need to work more closely with Chief Privacy Officers (anyone with a social network or any kind of Web 2.0 presence, however modest, should really have one) and with the head of enterprise risk (which spans physical security, information security, compliance, legal, insurance, and privacy).