The site—www.lifeisgood.com—collected a wide range of information from its consumer customers, including names, addresses, credit card numbers, credit card expiration dates, and credit card security codes. It also put a statement on its site that said, "All information is kept in a secure file and is used to tailor our communications with you."
The government said the promise was misleading. "Contrary to these claims, the FTC alleges that Life is good failed to provide reasonable and appropriate security for the sensitive consumer information stored on its computer network," the FTC said in a statement.
The FTC said the site "unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network and by storing credit card security codes." The site also "failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks," the government organization said.
Much of this, though, would have likely gone on undetected had it not been for a cyber thief launching a successful SQL injection attack on the site, grabbing lots of that consumer data.
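The "simple, free or low-cost" defense the FTC refers to is, above all, parameterized queries. The following is an added illustration written for this article, not code from the Life is good site or from the FTC; it assumes Python's standard sqlite3 driver and a constructed two-row customer table, and it places the query built by string formatting beside the parameterized one so the difference is visible on the same input.

```python
import sqlite3

# Constructed sample rows for the demonstration; not a real customer file.
# Only the last four card digits are kept, which is all a lookup needs.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Example", "4111"),
    ("bob@example.com", "Bob Example", "5500"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Lookup built by pasting user-supplied text into the SQL statement.

    Anything the user types becomes part of the query's structure, which is
    the defect the FTC complaint describes as an SQL attack exposure.
    """
    sql = "SELECT email, name FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Same lookup with a bound parameter.

    The driver sends the value separately from the statement, so the input
    is compared as data and can never alter the WHERE clause.
    """
    sql = "SELECT email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups against the constructed table; return the outcomes."""
    conn = build_db()
    # Classic tautology input: the vulnerable query returns every row,
    # the parameterized query finds no customer with that literal address.
    hostile = "nobody@example.com' OR '1'='1"
    results = {
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "parameterized_hostile": len(lookup_parameterized(conn, hostile)),
        "parameterized_legit": len(lookup_parameterized(conn, "alice@example.com")),
    }
    # A perfectly legitimate address containing an apostrophe breaks the
    # concatenated query outright; the bound parameter handles it.
    try:
        lookup_vulnerable(conn, "o'brien@example.com")
        results["vulnerable_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vulnerable_apostrophe"] = "error"
    results["parameterized_apostrophe"] = len(
        lookup_parameterized(conn, "o'brien@example.com")
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The placeholder token differs by driver (`?` for sqlite3, `%s` for psycopg2 and MySQLdb), but the principle is the same everywhere: the statement text is fixed at development time and values travel separately. Note also that the sample table stores no full card number and no security code, the other half of the FTC's complaint; a lookup needs neither.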
The government's punishment was that the site has to pay for a third-party independent security audit every other year for 20 years.
The settlement—approved by the FTC 5-0—"also contains bookkeeping and record keeping provisions to allow the agency to monitor compliance with its order," the FTC said.
The problem with the FTC's proposed settlement is that there is no substantial punishment element to it. The settlement simply lists some of the things every site should be doing anyway. According to the particulars of this statement, LifeIsGood.com is suffering no pain for having been caught.
For example, consider this every-other-year audit requirement. Because the site accepts credit cards, it should already be subject to PCI compliance, and PCI rules would already have the site undergoing a security compliance assessment once a year. If the site wants to be PCI compliant, then, the FTC requirement is irrelevant.
Technically, we are talking about two very different kinds of probes. The PCI probe is an assessment, which is typically more of a questionnaire process, while the FTC probe would be an SAS 70 Type II examination, which is a true audit.
As a practical matter, though, the differences are not necessarily that pronounced. There is huge variation in how different assessors handle PCI reviews, and some are almost as demanding as a full SAS 70 Type II audit. If the assessor, the bank and the card brand agree, they can pretty much set the PCI compliance hurdle as high as they want.
This is especially true given that any discovered breach such as this one triggers a PCI rule subjecting a retailer of any size—even a Level 4—to the most stringent demands of a Level 1 assessment.
PCI compliance consultant David Mertz, of Compliance Security Partners LLC, argues that the FTC fine is indeed a huge punishment because of the much higher fees that third-party assessors and auditors will charge for it, dollars that he estimated at between $10,000 and $25,000 for a PCI third-party assessment and between $75,000 and $250,000 for an FTC-level audit.
Another PCI compliance consultant, Dave Taylor, who is also president of the PCI Vendor Alliance, sees it differently. "The reason is due to probability, not severity of the audit," Taylor said. "FTC enforcement actions are rare. BJ Wholesale, etc. The sins of the merchant have to be pretty blatant and someone has to complain to the feds to get the ball rolling. So, few merchants do things specifically to avoid FTC actions. PCI remains much more certain as an annual event driven by an ongoing relationship with the merchant bank."
Getting back to the FTC order, its other requirements are even more common sense than punitive.
"Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place." Not quite 25 years of hard labor, is it?
I have no problem with this nice guideline of what every site should be doing. But to label it a punishment and to trumpet it as such suggests that the government must think e-tailers are a stunningly gullible bunch.