FTC Approves Final Guidance Settlement

April 3, 2007

Roy Mark, internetnews.com


Guidance Software's settlement with the Federal Trade Commission (FTC) became official today, almost five months after the Pasadena, Calif.-based computer forensics specialist admitted it did not adequately protect customer data.

Victimized by a December 2005 data breach and theft of 4,000 credit card numbers, Guidance agreed to implement a comprehensive information security program, including independent, third-party audits every other year for the next ten years.

The company also will be subject to standard record keeping and reporting provisions to allow FTC monitoring.

The breach of its customer data was particularly embarrassing for Guidance, which provides software that tracks down and collects information on data breaches.

Law enforcement agencies, government investigators and Fortune 1000 companies use Guidance's software to track down and investigate digital break-ins, as well as perform network and software audits.

According to the FTC complaint, the intruders hit Guidance with a structured query language (SQL) injection attack that installed common hacking programs on the company's network. The company did not discover the breach until three months after the attack.

"Until Dec. 7, 2005, respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive personal information stored on its corporate network," the FTC said in the complaint.

The FTC complaint states that Guidance's privacy policy included such statements as "[Guidance] takes every precaution to protect our users' information" and "your information is protected both online and offline." Guidance also claimed users' information was protected "with the best encryption software in the industry - SSL."

Although Guidance did use SSL encryption, which protects data only while it is in transit, the FTC complaint pointed out that the company stored its customer data on its network in clear, readable text. In addition, the FTC said Guidance did not use readily available security measures to monitor and limit access to its network.

The FTC said Guidance's failure to adhere to its own privacy policy constituted a deceptive trade act.
