Authorities crack down on companies for lax cybersecurity

The Federal Trade Commission has been penalizing companies for poor cybersecurity for more than 20 years, but some businesses still haven’t gotten the message.

The FTC recently issued consent orders against two U.S. companies, alcohol delivery service Drizly and education technology provider Chegg, accusing both of “lax” cybersecurity practices. The FTC took its first cybersecurity enforcement action in 2000, and it’s brought more than 80 such cases since then against companies such as BJ’s Wholesale Club, Uber, and Zoom.

FTC CHAIRWOMAN KHAN REJECTS CORPORATE ESG CONCESSIONS IN ANTITRUST ENFORCEMENT

The latest actions by the FTC show that companies still aren’t getting it, and with the FTC typically prohibited from fining companies for poor security, the penalties aren’t working, said Nigel Houghton, a veteran cybersecurity professional who is now director of marketplace and ecosystem development at cybersecurity provider ThreatQuotient.

“If the penalties were strong enough, it wouldn’t keep happening,” Houghton said. “This is basic security hygiene. If the FTC has to tell you what measures you should be taking, then maybe you shouldn’t be allowed to do business online until you have everything squared away.”

Houghton called for just that. “It will take measures such as taking away a company’s ability to conduct business online until all measures are complied with to really make companies more serious about cybersecurity,” he said.

Drizly, owned by Uber, “failed to use appropriate information security practices” to protect consumer data, resulting in a 2020 breach that affected 2.5 million customers, the FTC said in its complaint. The company promised customers that it used “standard security practices such as encryption and firewalls to protect the information we collect from you.”

However, according to the FTC, Drizly didn’t require unique and complex passwords, didn’t implement multifactor authentication to access source code and customer databases, and didn’t monitor and terminate employee and contractor access to source code once they no longer needed it.

Among several other problems, Drizly also didn’t monitor for unauthorized attempts to transfer or remove customer data, the FTC added.

As a result, the FTC entered into a consent order with Drizly in late October. The order, similar to others issued by the FTC in the past, requires Drizly to delete all customer information not being used in connection with providing products or services and requires the company to tell customers what information it retains and how long it keeps it. In addition, the FTC will require the company to set up an extensive cybersecurity program, with monitoring in effect for 20 years.

A Drizly spokeswoman issued a one-sentence statement when asked about the FTC action: “We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us.”

In Chegg’s case, the FTC accused it of poor cybersecurity practices that exposed sensitive information about millions of its customers and employees, including Social Security numbers, email addresses, and passwords. In some cases, students’ sexual orientation and disabilities and parents’ income information were also leaked.

Chegg failed to fix problems with its data security despite experiencing four security breaches since 2017, the FTC alleged. Like Drizly, Chegg did not require employees to use multifactor authentication measures to log into its third-party databases. It also allowed employees and contractors to use a single login to access those databases, and it failed to monitor its network and databases for threats.

Chegg also stored personal data on its cloud storage databases in plain text and used outdated or weak encryption to protect user passwords before 2018, the FTC said. The FTC announced a consent order with Chegg on Oct. 31, a week after Drizly’s consent order was announced.

A Chegg spokeswoman said data privacy is a “top priority” there. The company worked with the FTC to find a “mutually agreeable outcome” and will comply with the mandates in the order, she added. She noted that the FTC did not fine the company.

Neither company was fined because the FTC doesn’t have congressional authority in most cases to fine companies for lax cybersecurity. The FTC can seek fines if companies later violate the consent orders. In August, the FTC announced it was exploring new rules to crack down on commercial surveillance and lax cybersecurity.

Policies requiring strong passwords and multifactor authentication aren’t new ideas, noted Darren James, head of internal IT at Specops Software, a provider of password security and authentication solutions. These protections “should be paramount for any company with an online business,” he said.

CLICK HERE TO READ MORE FROM THE WASHINGTON EXAMINER

If Drizly’s breach had been subject to the European Union’s General Data Protection Regulation, it might face large fines or criminal proceedings, he noted.

However, the FTC’s power to enforce cybersecurity protections is very limited, he said, although the Biden administration seems to be “toughening its stance on breaches,” James added. “In the current geopolitical climate and the rapid advances in our dependency on the online world, cybersecurity and privacy certainly need more attention from governments and businesses.”

Comments are closed.