FTC Consent Agreement over Data Breach Cover Up

Recently the Federal Trade Commission (FTC) filed an administrative complaint against an online customized merchandise platform, alleging that it failed to secure consumers’ sensitive personal data and then covered up the breach.  According to the complaint, a hacker accessed millions of email addresses and passwords; millions of names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates.  Moreover, the FTC alleged that the company failed to properly investigate the breach and failed to implement reasonable security measures to protect sensitive information, including storing Social Security numbers in plain text and using inadequately encrypted passwords. 

The FTC’s proposed order would require both the current and prior owner to implement comprehensive information security programs to address the problems that led to the data breaches.  Changes under these programs would include replacing inadequate authentication measures with multi-factor authentication methods, minimizing the amount of data collected and retained, encrypting Social Security numbers, and having a third party assess their information security programs and providing the FTC with a redacted copy for public disclosure.  Further, the current owner would be required to notify customers whose personal information was accessed and provide specific information on how customers can protect themselves, while the former owner would be required to pay some $500,000 in redress to victims of the data breaches.