An apparel company that collected sensitive consumer information and pledged to keep it secure has agreed to settle Federal Trade Commission charges that its security claims were deceptive and violated federal law. The order against Life is good, Inc. and Life is good Retail, Inc. bars deceptive claims about privacy and security policies and requires that the companies implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.
Life is good designs and sells retail apparel and accessories and operates the Web site, www.lifeisgood.com. According to the FTC’s complaint, through its Web site, Life is good has collected sensitive consumer information, including names, addresses, credit card numbers, credit card expiration dates, and credit card security codes. Its privacy policy claimed, “We are committed to maintaining our customers’ privacy. We collect and store information you share with us – name, address, credit card and phone numbers along with information about products and services you request. All information is kept in a secure file and is used to tailor our communications with you.” Contrary to these claims, the FTC alleges that Life is good failed to provide reasonable and appropriate security for the sensitive consumer information stored on its computer network. Specifically, the FTC charged that the company:
The FTC alleges that, as a result of these failures, a hacker was able to use SQL injection attacks on Life is good’s Web site to access the credit card numbers, expiration dates, and security codes of thousands of consumers.
The settlement bars Life is good from making deceptive claims about its privacy and security policies. It requires the company to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from consumers. The program must contain administrative, technical, and physical safeguards appropriate to Life is good’s size, the nature of its activities, and the sensitivity of the personal information it collects. Specifically, Life is good must:
The settlement requires Life is good to retain an independent, third-party security auditor to assess its security program on a biennial basis for the next 20 years. The auditor will be required to certify that Life is good’s security program meets or exceeds the requirements of the FTC’s order and is operating with sufficient effectiveness to provide reasonable assurance that the security of consumers’ personal information is being protected.
The settlement also contains bookkeeping and record keeping provisions to allow the agency to monitor compliance with its order.
The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through February 19, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
Copies of the complaint, proposed consent agreement, and an analysis of the agreement to aid in public comment are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.
The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftc.gov/ftc/complaint.shtm or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://ftc.gov/bcp/consumer.shtm.
WASHINGTON—The Office of the Comptroller of the Currency (OCC) today released enforcement actions taken against…
WASHINGTON – Today, as part of the 30th anniversary celebration of the Community Development Financial…
Treasury imposes sanctions on dozens of Russian banks, securities registrars, and finance officials; OFAC issues…
WASHINGTON—Acting Comptroller Michael J. Hsu today testified on the state of the federal banking system…
As Prepared for Delivery Thank you very much for the opportunity to be here today, and…
As Prepared for Delivery Good afternoon. I’d like to start by thanking our panelists today for…