
Guess warned by FTC over consumer data security

OUT-LAW News, 20/06/2003

Guess Inc. has settled charges that the US fashion company exposed customer data, including credit card numbers, by failing to secure its web site against commonly known attacks by hackers – despite assuring users that their details would be protected.

The Federal Trade Commission (FTC) has required Guess to implement a comprehensive information security programme for all of its web sites, although the company appears to have escaped any financial penalty.

"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection, when announcing the settlement on Wednesday. "It's not just good business, it's the law," he said.

Guess has sold Guess-brand clothing and accessories at Guess.com since 1998. According to the FTC complaint, since at least October 2000, the web site has been vulnerable to commonly known attacks such as "Structured Query Language (SQL) injection attacks".

The company's on-line statements reassured consumers that their personal information would be secure and protected. In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and the security measures failed to protect against SQL and other commonly known attacks.

According to the FTC, in February 2002 a visitor to the web site, using an SQL injection attack, was able to read in clear text credit card numbers stored in Guess's databases.
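The class of flaw the FTC complaint describes, shown as an added example that is not part of the article or of any Guess or FTC material: an order-lookup query that splices user input into SQL beside the same query with a bound parameter. The table, column names and card values are constructed placeholders.

```python
import sqlite3

# Constructed sample data standing in for a retailer's order table.
# Card values are fake, masked placeholders, not real account numbers.
SAMPLE_ORDERS = [
    ("ORD-1001", "alice@example.com", "4111-XXXX-XXXX-1111"),
    ("ORD-1002", "bob@example.com", "5500-XXXX-XXXX-0004"),
]


def build_db():
    """Create an in-memory database holding the constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, order_id):
    """Lookup built by string concatenation: the input is parsed as SQL."""
    sql = ("SELECT order_id, email, card FROM orders WHERE order_id = '"
           + order_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, order_id):
    """Same lookup with a bound parameter: the input is only ever data."""
    sql = "SELECT order_id, email, card FROM orders WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


def demo():
    """Return row counts for a normal value and for a crafted one."""
    conn = build_db()
    honest = "ORD-1001"
    # Crafted value that closes the quoted literal and appends a true clause;
    # the concatenated query then matches every row in the table.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "param_honest": len(lookup_parameterized(conn, honest)),
        "param_crafted": len(lookup_parameterized(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized version returns nothing for the crafted value because no order has that literal id; the concatenated version returns every stored card, which is the kind of disclosure the complaint describes.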

Under the terms of the settlement, Guess must not misrepresent the extent to which it maintains and protects the security of personal information collected from or about consumers. Guess must also establish and maintain a comprehensive information security programme and have that programme certified as meeting or exceeding the standards in the consent order by an independent professional within a year, and every other year thereafter.

The settlement does not constitute an admission of guilt or liability, nor is it actually final. It is subject to public comment until 18th July, after which the FTC will make a final decision.

The FTC has published a fact sheet for business entitled "Security Check: Reducing Risks to your Computer Systems". This is available for download at: www.ftc.gov/opa/2003/06/guess_securitycheck.pdf

Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.