Guidance settles FTC security breach charges

Guidance Software Inc. has agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data contradicted security promises made on its Web site and violated federal law.

According to the FTC, Guidance's data-security failure allowed hackers to access sensitive credit card information for thousands of consumers.

The settlement will require the company to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 10 years.

Pasadena, CA-based Guidance sells software and related training, materials, and services that customers use to investigate and respond to computer breaches and other security incidents. This is the FTC's 14th case challenging faulty data-security practices by companies that handle sensitive consumer information.

According to the FTC complaint, Guidance failed to implement simple, inexpensive and readily available security measures to protect consumers' data. In contrast to claims about data security made on Guidance's Web site, the company created unnecessary risks to credit card information by permanently storing it in clear, readable text.

In addition, the complaint alleges that Guidance failed to protect the information by:

  • Failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable Web-based attacks, such as structured query language injection attacks;
  • Failing to implement simple, low-cost, and readily available defenses to such attacks;
  • Storing in clear, readable text network administrator credentials, such as user name and password, that facilitated access to credit card information stored on the network;
  • Failing to use readily available security measures to monitor and limit access from the corporate network to the Internet; and
  • Failing to employ measures to detect unauthorized access to consumers' credit card information.

The settlement bars misrepresentations about security measures in the future and requires Guidance to establish and maintain a comprehensive information-security program that includes administrative, technical, and physical safeguards.

The settlement also requires Guidance to obtain, every two years for the next 10 years, an audit from a qualified, independent third-party professional to assure that its security program meets the standards of the order.

The company also will be subject to standard record keeping and reporting provisions to allow the FTC to monitor compliance.

