IPcentral Weblog
  The DACA Blog

Friday, February 24, 2006

FTC Gets Busy on CardSystems

A credit card authorization company fails to protect the records of individual card holders, and a data breach leads to millions of dollars in fraudulent charges. A nightmare scenario for sure, and a real one. But CardSystems (now part of Solidus Networks and operating as Pay by Touch Solutions) yesterday agreed to a multi-million dollar settlement with the FTC. It also agreed to be audited every other year by a third-party security professional for the next 20 years. (See FTC release, actual settlement and AP story by Jennifer Kerr.) So what does this all mean?

Well, it's good for all consumers that CardSystems' successor will be closely monitored and will have a strong financial incentive to be more careful in the future. But what of other companies handling our data? Can we trust those?

In our interconnected economy, we have to trust those, and we do, every time we make a purchase with a debit or credit card, every time we buy something online, every time we accept instant credit. One could choose to operate solely with cash and a mayonnaise jar under the bed, but it would be a pretty limiting existence. (And how do you stop someone from breaking in and stealing your jar?)

So if we accept that our information is being held by all sorts of folks about whom we know absolutely nothing, how do we know we can trust them? We have to think about what motivates them: profit. Is it profitable, if you're a credit-card authorizer, to suffer a huge data breach? The FTC settlement costs money, but so does the hit to your credibility with your customers; that's the nightmare Solidus Networks is having to clean up right now. I'm sure they're marketing the fact that they will be having these independent security audits to potential business partners, pointing out that their competitors likely aren't under the same scrutiny.

I'm sure it's tempting at times for C-level executives (CEOs, COOs, etc.) to ignore the CIO and decide that investing in security doesn't demonstrate a clear return on investment. But think how little CardSystems would have had to pay to secure its data; the FTC said the company "did not implement simple, low-cost, and readily available defenses to such attacks." I'm sure it regrets not making those investments now. This is something CIOs can point to in making a persuasive case for security spending, and the VP of sales and marketing might like to add that to her pitch.

CardSystems shows market pressure doesn't always work. But the FTC was able to use existing law to make a difference here, and set an example in the market to others. And look -- none of this had to wait for Congress to pass a new law.

For more on the role of government and industry in data security, see a recent paper I wrote with Orson Swindle titled "Managing Information and its Security: The Role of Policymakers, the Private Sector and Consumers." PFF will be addressing this issue in more detail in its all-day Internet Security Summit on May 10.

posted by Patrick Ross @ 11:22 AM | E-commerce, Privacy, The FTC



The Progress & Freedom Foundation