Last week the Federal Trade Commission (FTC) announced that they had entered into a $100 Million Settlement with LifeLock to settle charges that it had violated a 2010 Court Order.
At first blush one would think that this case has no applicability to the ARM industry. LifeLock isn’t a credit grantor. Lifelock isn’t a debt collector. But, in the words of ESPN’s College Football Analyst, Lee Corso: “Not so fast my friend!” Sometimes all is not what it seems.
Per the press release from the FTC:
The Commission initiated a contempt proceeding on July 21, 2015 following an extensive investigation. We determined there was reason to believe that LifeLock had violated the Commission’s 2010 order by, among other things:
…failing to maintain reasonable security measures to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers
OK, that got line my attention. But then, further into the statement the FTC writes:
This case, like many others, demonstrates that a company must maintain adequate safeguards to protect sensitive consumer information like that at issue here. Certifications alone will not suffice to meet those obligations, if we find evidence of security failures that put consumer information at risk. (Emphasis added.)
FTC Commissioner Maureen K. Ohlhausen disapproved of the settlement. She filed a dissenting statement. In that dissent, she cites LifeLock’s representations in its annual financial disclosures that it purportedly complied with the Payment Card Industry Data Security Standard (“PCI DSS”) and the alleged lack of evidence that LifeLock suffered a breach affecting subscriber information.
The FTC statement responded to Commissioner Ohlhausen’s dissent with the following:
The injunctive relief we obtained in the Wyndham case, cited by Commissioner Ohlhausen, itself corroborates our longstanding view that PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections. ………. In short, the existence of a PCI DSS certification is an important consideration in, but by no means the end of, our analysis of reasonable security.
So, after all of that, let’s go back to our headline for today’s blog: Does the FTC LifeLock Settlement Have Applicability to the ARM Industry?
Every ARM firm doing work for sophisticated clients has to deal with security issues and security certifications that may be required by those clients (i.e., PCI DSS, SOC 1, SOC 2, BITS, ISO 27002, FISMA, etc.). The impact of LifeLock to the ARM Industry may be around what defines a vendor as being “secure.” It appears that the FTC is saying you can’t just rely on a certification.
But, what else is required?
Here is your guidance from the FTC: “The reasonableness of security will depend on the facts and circumstances of each case.”
There you have it. Clear as mud.
Bloggers note: A special thanks goes out to David Mertz at Global Debt Registry for suggesting we take a closer look at the LifeLock case.