December 14, 2019

December 13, 2019


December 12, 2019


December 11, 2019


FTC and Software Company Reach Security Settlement Over Unfair Practices

The FTC recently settled with Infotrax Systems, L.C., a technology company providing software to the direct sales industry. The settlement followed a breach suffered by the company, and involved allegations that the company had failed to use reasonable security. According to the FTC, for almost two years, a hacker accessed Infotrax’s server unnoticed at least seventeen times. The data accessed included social security numbers and payment card information. It also included unencrypted user IDs and passwords. Infotrax learned of the incident from an alert that one of its servers had reached maximum storage capacity.

The FTC alleged that the company had failed to use reasonable, low-cost and readily available security practices. The security missteps included failing to conduct code review of its software and failing to adequately segment its network. The FTC also noted a failure to delete personal information that was no longer needed. These failures, the FTC argued, led directly to the breach the company suffered, which resulted in at least 280 reports of alleged fraud from impacted individuals. The company has, mirroring other FTC settlements, agreed to submit to 20 years’ worth of third-party audits and other certifications. These include testing and monitoring safeguards, only using vendors who can protect information, and contractually binding vendors to protect information.

Putting it into Practice: This settlement provides insight into the FTC’s view of “reasonable” security practices, and the steps it believes companies should take to protect information. This includes regular testing and monitoring, and working with vendors who can provide appropriate information protection.

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.



About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and external practitioners alike.”

She is known as an industry leader in the privacy and data security space and is consistently recognized by Leading Lawyers Network, Chambers and The Legal 500, and leading publications and organizations for her work in this area of law. Liisa was recently recognized as the 2017 Data Protection Lawyer of the Year - USA by Global 100, the 2017 U.S. Data Protection Lawyer of the Year by Finance Monthly, and the “Best in Data Security Law Services” at Corporate LiveWire’s 2017 Global Awards.

312-499-6335