A Utah-based technology company [InfoTrax Systems, L.C. that provides operational services to multi-level marketers] has agreed to implement a comprehensive data security program to settle Federal Trade Commission [FTC] allegations that the company failed to put in place reasonable security safeguards, which allowed a hacker to access the personal information of a million consumers.
InfoTrax stored personal information from approximately 11.8 million consumers, yet failed to implement ‘low-cost, and readily available security protections’ including:
- Inventory and delete personal information is no longer needed;
- conduct code review of its software and testing of its network;
- detect malicious file uploads;
- adequately segment its network; and
- implement cybersecurity safeguards to detect unusual activity on its network.
The customer data collected included Social Security numbers, payment card information, bank account information, and user names and passwords—in clear, readable text on its network.
Service providers like InfoTrax don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.
The FTC gave 3 insights that other company can glean from the case
- Readily available security tools can reduce risks.
- Inventory the data in your possession and securely dispose of it when there’s no longer a need to maintain it.
- Consider the impact security failures have on clients and customers.
Unless or until InfoTrax implements a conforming information security program, InfoTrax and InfoTrax’s former CEO is prohibited from collecting, selling, sharing, or storing personal information per the FTC settlement. This includes; assessing and documenting internal and external security risks;
implementing safeguards to protect personal information from cybersecurity risks; and
- assessing and documenting internal and external
- implementing safeguards to protect personal information from cybersecurity risks; and
- testing and monitoring the effectiveness of those safeguards.
The FTC settlement requires InfoTrax to obtain third-party assessments of its information security program every two years.