An apparel company that collected sensitive consumer information and pledged to keep it secure has agreed to settle Federal Trade Commission charges that its security claims were deceptive and violated federal law. The order against Life is good, Inc. and Life is good Retail, Inc. bars deceptive claims about privacy and security policies and requires that the companies implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.
Life is good designs and sells retail apparel and accessories and operates the Web site, www.lifeisgood.com. According to the FTC’s complaint, through its Web site, Life is good has collected sensitive consumer information, including names, addresses, credit card numbers, credit card expiration dates, and credit card security codes. Its privacy policy claimed, “We are committed to maintaining our customers’ privacy. We collect and store information you share with us – name, address, credit card and phone numbers along with information about products and services you request. All information is kept in a secure file and is used to tailor our communications with you.” Contrary to these claims, the FTC alleges that Life is good failed to provide reasonable and appropriate security for the sensitive consumer information stored on its computer network. Specifically, the FTC charged that the company:
- unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network, and by storing credit card security codes;
- failed to assess adequately the vulnerability of its Web site and corporate computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks;
- failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks; failed to use readily available security measures to monitor and control connections from the network to the Internet; and
- failed to employ reasonable measures to detect unauthorized access to credit card information.
The FTC alleges that, as a result of these failures, a hacker was able to use SQL injection attacks on Life is good’s Web site to access the credit card numbers, expiration dates, and security codes of thousands of consumers.
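The two failures the complaint names, building SQL from customer input and keeping full card numbers and security codes on disk, are shown side by side below in an added example. This code is not from the FTC, from the complaint, or from Life is good; the table layout, the function names, and the sample orders are constructed for illustration only.

```python
import sqlite3

# Constructed sample data for this example; not real customer records.
SAMPLE_ORDERS = [
    ("A100", "alice@example.com", "4111111111111111", "12/09", "123"),
    ("A101", "bob@example.com",   "5500000000000004", "06/10", "456"),
]


def open_db():
    """Hypothetical order store. Note there is no column for the full
    card number or the security code: they are never persisted."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT PRIMARY KEY, email TEXT, "
        "card_last4 TEXT, card_exp TEXT)"
    )
    return conn


def store_order(conn, order_id, email, pan, exp, cvv):
    """Persist only what order servicing needs.

    The security code (cvv) is accepted so it can be passed to the payment
    processor at authorization time, then deliberately discarded; only the
    last four digits of the card number are written to the database.
    """
    if not pan.isdigit() or not (13 <= len(pan) <= 19):
        raise ValueError("malformed card number")
    del cvv  # intentionally never stored
    conn.execute(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        (order_id, email, pan[-4:], exp),
    )
    conn.commit()


def lookup_order_vulnerable(conn, order_id):
    """DO NOT USE: the user-supplied value becomes part of the SQL text,
    so a crafted value can change the WHERE clause and return other rows."""
    sql = ("SELECT order_id, card_last4 FROM orders "
           "WHERE order_id = '" + order_id + "'")
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn, order_id):
    """Parameterized query: the driver binds order_id as data, never as SQL,
    so the query structure cannot be altered by the input."""
    sql = "SELECT order_id, card_last4 FROM orders WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


def demo():
    """Run both lookups against the same hostile input and report the
    difference, plus what columns actually exist in storage."""
    conn = open_db()
    for row in SAMPLE_ORDERS:
        store_order(conn, *row)
    hostile = "' OR '1'='1"  # classic tautology used in SQL injection tests
    return {
        "stored_columns": [c[1] for c in conn.execute("PRAGMA table_info(orders)")],
        "vulnerable_rows": len(lookup_order_vulnerable(conn, hostile)),
        "safe_rows": len(lookup_order_safe(conn, hostile)),
        "legit": lookup_order_safe(conn, "A100"),
    }


if __name__ == "__main__":
    print(demo())
```

The same hostile order identifier makes the concatenated query return every row in the table, while the parameterized query returns nothing because no order has that literal identifier. The storage side is the other half of the complaint: because the schema has no column for the full card number or the security code, even a successful extraction of the table yields only truncated card data.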
The settlement bars Life is good from making deceptive claims about its privacy and security policies. It requires the company to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from consumers. The program must contain administrative, technical, and physical safeguards appropriate to Life is good’s size, the nature of its activities, and the sensitivity of the personal information it collects. Specifically, Life is good must:
- Designate an employee or employees to coordinate the information security program.
- Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place.
- Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness.
- Develop reasonable steps to select and oversee service providers that handle the personal information of Life is good customers.
- Evaluate and adjust its information-security program to reflect the results of monitoring, any material changes to the company’s operations, or other circumstances that may impact the effectiveness of its security program.
The settlement requires Life is good to retain an independent, third-party security auditor to assess its security program on a biennial basis for the next 20 years. The auditor will be required to certify that Life is good’s security program meets or exceeds the requirements of the FTC’s order and is operating with sufficient effectiveness to provide reasonable assurance that the security of consumers’ personal information is being protected.
The settlement also contains bookkeeping and record keeping provisions to allow the agency to monitor compliance with its order.
The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through February 19, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
Copies of the complaint, proposed consent agreement, and an analysis of the agreement to aid in public comment are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.
The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftc.gov/ftc/complaint.shtm or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://ftc.gov/bcp/consumer.shtm.