I woke up this morning and was encouraged to see the FTC continue on its efforts to monitor the technology safeguards of companies in at least a consistent and security-risk minded approach. Now, while I am not a fan of unnecessary regulations and always feel a healthy bit of regular evaluation and expiration is necessary, it is suitable for companies that clearly do not abide by best practices are more closely supervised. This ruling by the FTC is consistent with that which was ruled for ChoicePoint in Georgia.
An interesting point is the scope of the required audit (physical safeguards through digital) and basic controls referenced under PCI. Specifically the FTC charged that TJX:
- “Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
- Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
- Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
- Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
- Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.” Press Release by FTC
The additional news, and expected given PCI DSS policies, on the release was that the company would undergo regular future audits separate from the government audit that will extend for 20 years.
Catch the full press release here, the Choicepoint ruling here, and the WSJ article here.
Please post any other articles that expand on this… or your thoughts if the FTC is the right body to do this type of monitoring, as it has been a twist on their established authority.