The Federal Trade Commission (FTC) continues its crackdown on website data security breaches.  On February 9, 2009, the FTC announced a proposed settlement with a consumer electronics company over charges of a data security breach that revealed customers’ personal information to hackers.  In the Matter of Genica Corporation, a corporation, and, also doing business as Computer Geeks Discount Outlet and, a corporation.
The FTC complaint alleges that Genica Corporation and its subsidiary (also doing business as Computer Geeks Discount Outlet and (collectively, collected personal information from customers including names, addresses, emails and credit card numbers, etc., and until at least December 2007 routinely stored this personal information in unencrypted text on their corporate computer network.  Moreover, the complaint alleges, failed to assess both whether their website and network were vulnerable to common or reasonably foreseeable data security attacks, and did not implement simple and relatively inexpensive protections against these attacks.  Despite such inactions, the FTC contends that violated federal law by falsely stating in their privacy policy that they did take appropriate measures:  “We use secure technology, privacy protection controls, and restrictions on employee access in order to safeguard your information.  We use state of the art technology (e.g., Secure Socket Layer, or SSL) encryption to keep customer personal information  as secure as possible…” 
From at least January 2007 – June 2007, the FTC alleges, hackers exploited the security vulnerabilities by using Structured Query Language (SQL) injection attacks to export the personal information of hundreds of consumers, which did not become aware of until December 2007.
The proposed settlement requires to take several actions:  (1) not to represent misrepresent the extent to which maintains and protects the privacy, confidentiality or integrity of any consumer personal information, (2) establish, implement and maintain a comprehensive information security program reasonably designed to protect the security, confidentiality and integrity of consumer personal information, (3) obtain a data security audit every other year for 10 years, and (4) to provide ongoing reports for the FTC to monitor compliance. 
The proposed complaint and consent agreement is subject to public comment for 30 days continuing through March 9, 2009, at which time the FTC will decide whether it will make it final.  The FTC Complaint is not a finding or ruling that actually violated the law, and the Consent Order is for settlement purposes only and do not necessarily constitute an admission by the defendant of violation of any law.