Software maker in data leak makes deal with feds

Under a settlement with the Federal Trade Commission announced on Thursday, Pasadena, Calif.-headquartered Guidance Software must put into place a "comprehensive information-security program" and undergo audits by independent, third-party security professionals once every two years for the next decade.

The intrusion into Guidance's servers, discovered last December, unmasked the names, addresses and credit card details of about 3,800 customers, the company said at the time. Guidance executives said they had notified all of its approximately 9,500 customers about the attack and called on the U.S. Secret Service to conduct an investigation. The company, one of the world's top providers of forensic software, counts government and law enforcement personnel and security researchers among its clientele. A handful of these reported suspicious credit card charges after the breach.

The FTC charged in a complaint that Guidance had fallen short in protecting the integrity of its systems. The regulators said that, among other things, it had failed to do an adequate assessment of its network's vulnerability to "commonly known or reasonably foreseeable Web-based attacks" and to employ "simple, low-cost and readily available defenses" against such scourges.

The agency said in a statement that the case marked its 14th attempt at "challenging faulty data-security practices by companies that handle sensitive consumer information."

In a January settlement, data broker ChoicePoint agreed to cough up $10 million in civil penalties, the largest civil fine in the agency's history, and to give $5 million to customers affected by a massive security breach. According to the FTC, the incident, revealed in February 2005, ultimately exposed the financial data of 163,000 people in its database and sparked at least 800 cases of identity theft.