The Federal Trade Commission (FTC) continues its crackdown on website data security breaches. On February 9, 2009, the FTC announced a proposed settlement with a consumer electronics company over charges of a data security breach that revealed customers’ personal information to hackers. The matter is captioned In the Matter of Genica Corporation, a corporation, and Compgeeks.com, also doing business as Computer Geeks Discount Outlet and Geeks.com, a corporation.
From at least January 2007 through June 2007, the FTC alleges, hackers exploited security vulnerabilities by using Structured Query Language (SQL) injection attacks to export the personal information of hundreds of consumers, a breach Geeks.com did not become aware of until December 2007.
The proposed settlement requires Geeks.com to take several actions: (1) not misrepresent the extent to which Geeks.com maintains and protects the privacy, confidentiality or integrity of any consumer personal information, (2) establish, implement and maintain a comprehensive information security program reasonably designed to protect the security, confidentiality and integrity of consumer personal information, (3) obtain a data security audit every other year for 10 years, and (4) provide ongoing reports for the FTC to monitor compliance.
The proposed complaint and consent agreement are subject to public comment for 30 days, continuing through March 9, 2009, at which time the FTC will decide whether to make them final. The FTC Complaint is not a finding or ruling that Geeks.com actually violated the law, and the Consent Order is for settlement purposes only and does not necessarily constitute an admission by the defendant of violation of any law.