Published on November 4th, 2022
Authorities crack down on companies for lax cybersecurity
The Federal Trade Commission has been penalizing companies for poor cybersecurity for more than 20 years, but some businesses still haven't gotten the message.
The FTC recently issued consent orders against two U.S. companies, alcohol delivery service Drizly and education technology provider Chegg, accusing both of "lax" cybersecurity practices. The FTC took its first cybersecurity enforcement action in 2000, and it's brought more than 80 such cases since then against companies such as BJ's Wholesale Club, Uber, and Zoom.
The latest actions by the FTC show that companies still aren't getting it, and with the FTC typically prohibited from fining companies for poor security, the penalties aren't working, said Nigel Houghton, a veteran cybersecurity professional who is now director of marketplace and ecosystem development at cybersecurity provider ThreatQuotient.
"If the penalties were strong enough, it wouldn't keep happening," Houghton said. "This is basic security hygiene. If the FTC has to tell you what measures you should be taking, then maybe you shouldn't be allowed to do business online until you have everything squared away."
Houghton called for just that. "It will take measures such as taking away a company's ability to conduct business online until all measures are complied with to really make companies more serious about cybersecurity," he said.
Drizly, owned by Uber, "failed to use appropriate information security practices" to protect consumer data, resulting in a 2020 breach that affected 2.5 million customers, the FTC said in its complaint. The company promised customers that it used "standard security practices such as encryption and firewalls to protect the information we collect from you."
However, according to the FTC, Drizly didn't require unique and complex passwords, didn't implement multifactor authentication to access source code and customer databases, and didn't monitor and terminate employee and contractor access to source code once they no longer needed it.
Among several other problems, Drizly also didn't monitor for unauthorized attempts to transfer or remove customer data, the FTC added.
As a result, the FTC entered into a consent order with Drizly in late October. The order, similar to others issued by the FTC in the past, requires Drizly to delete all customer information not being used in connection with providing products or services and requires the company to tell customers what information it retains and how long it keeps it. In addition, the FTC will require the company to set up an extensive cybersecurity program, with monitoring in effect for 20 years.
A Drizly spokeswoman issued a one-sentence statement when asked about the FTC action: "We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us."
In Chegg's case, the FTC accused it of poor cybersecurity practices that exposed sensitive information about millions of its customers and employees, including Social Security numbers, email addresses, and passwords. In some cases, students' sexual orientation and disabilities and parents' income information were also leaked.
Chegg failed to fix problems with its data security despite experiencing four security breaches since 2017, the FTC alleged. Like Drizly, Chegg did not require employees to use multifactor authentication measures to log into its third-party databases. It also allowed employees and contractors to use a single login to access those databases, and it failed to monitor its network and databases for threats.
Chegg also stored personal data on its cloud storage databases in plain text and used outdated or weak encryption to protect user passwords before 2018, the FTC said. The FTC announced a consent order with Chegg on Oct. 31, a week after Drizly's consent order was announced.
A Chegg spokeswoman said data privacy is a "top priority" there. The company worked with the FTC to find a "mutually agreeable outcome" and will comply with the mandates in the order, she added. She noted that the FTC did not fine the company.
Neither company was fined because the FTC doesn't have congressional authority in most cases to fine companies for lax cybersecurity. The FTC can seek fines if companies later violate the consent orders. In August, the FTC announced it was exploring new rules to crack down on commercial surveillance and lax cybersecurity.
Policies requiring strong passwords and multifactor authentication aren't new ideas, noted Darren James, head of internal IT at Specops Software, a provider of password security and authentication solutions. These protections "should be paramount for any company with an online business," he said.
If Drizly's breach had been subject to the European Union's General Data Protection Regulation, it might face large fines or criminal proceedings, he noted.
However, the FTC's power to enforce cybersecurity protections is very limited, he said, although the Biden administration seems to be "toughening its stance on breaches," James added. "In the current geopolitical climate and the rapid advances in our dependency on the online world, cybersecurity and privacy certainly need more attention from governments and businesses."