Data risk and consequences

Attorney Eric J. Sinrod says that when it comes to financial data security, the FTC's holding companies accountable for breaches.

3 min read
The current Federal Trade Commission has little tolerance for companies that fail to take appropriate security measures to protect the financial data of their customers.

Indeed, the commission just settled charges brought against CardSystems Solutions and its successor, Soldius Networks, doing business as Pay By Touch Solutions, for allegedly not taking adequate security measures to protect the sensitive information of tens of millions of people.

This security breach caused millions of dollars in fraudulent purchases, according to the FTC. The settlement will require CardSystems and Pay By Touch to institute a comprehensive information security program that will include audits by an independent security professional every other year for 20 years.

Get your data security protection measures in place when doing business or risk the wrath of the government and private litigants.

If they fail to properly protect the financial data of their customers, companies ought to expect FTC scrutiny. This is the ninth FTC case already targeting companies for security practices (or the lack thereof) that have compromised confidential financial information. The CardSystems case was the first--but hardly will be the last--brought against a credit card processor.

In terms of the background of this case, as set forth by the FTC, CardSystems provided merchants with products and services used for obtaining approval for credit and debit card purchases from banks that issued cards. CardSystems processed approximately 210 million card purchases last year alone--totaling more than $415 billion--from more than 119,000 small- and medium-size merchants.

CardSystems collected personal information from the magnetic strips of cards in processing these transactions, including the card numbers, the expiration dates and other sensitive information. CardSystems subsequently stored this information on its computer network.

Pay By Touch acquired CardSystems' assets at the end of 2005, and currently processes transactions for the same merchants as did CardServices.

The FTC alleged that CardSystems engaged in a number of practices that in combination failed to provide proper protection for sensitive consumer information. The FTC specifically charged that CardSystems created unnecessary risks in storing information, did not adequately assess the vulnerability of its computer network to commonly known attacks, did not implement low-cost and available defenses to such attacks, failed to use strong passwords to ward off hackers, did not use available security measures to limit access between its computer network and the Internet, and failed to employ adequate measures to detect unauthorized access to personal information.

In the face of these allegations, the FTC's case against CardSystems has settled. CardSystems and Pay By Touch must establish and maintain a comprehensive information security program pursuant to the settlement. This program must include administrative, technical and physical safeguards, not to mention a third-party audit every two years for 20 years.

Notwithstanding the settlement, the FTC says CardSystems still faces potential liability in the millions of dollars under bank procedures and in private litigation for the losses caused by the breaches. The message to companies is clear: Get your data security protection measures in place when doing business or risk the wrath of the government and private litigants.