The Feds are well aware of the need to employ Encryption-at-Rest technology: Time to act!
On January 8, 2018, Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection held a conference call to explain a federal ruling against VTech Electronics Limited and its U.S. subsidiary for failure to comply with the U.S. Children’s Online Privacy Protection Act (COPPA). In its complaint, the FTC alleged that VTech failed to provide direct notice to parents or obtain verifiable consent from parents concerning its information collection practices. The FTC also alleged that VTech failed to use reasonable and appropriate data security measures to protect personal information it collected.
COPPA requires companies that collect online personal information from children under the age of 13 to follow steps to protect children’s information, including clearly disclosing to parents the information it collects, revealing how the information will be used, and seeking verifiable parental consent. Companies must employ reasonable measures to protect the confidentiality, security and integrity of children’s personal information they collect.
“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said Acting FTC Chairman Maureen K. Ohlhausen. “Unfortunately, VTech fell short in both of these areas.”
VTech failed to protect 768,000 online accounts for children. The FTC fined VTech $650,000. Doing a little math reveals the value of a child’s personal information to be 84.6 cents USD — less than a buck. Convergency LLC finds this to be an unacceptable value for anyone’s personal information, let alone a future voter.
Aside from the fine, VTech is burdened with additional costs from penance projects, likely pushing the total cost for this security incident to well over $1.25 million USD. VTech is permanently prohibited from violating COPPA and from misrepresenting its security and privacy practices as part of the proposed settlement. VTech is required to implement a comprehensive data security program, which will be subject to independent audits for 20 years. VTech will likely need to engage in marketing efforts, aka penance projects, that restore consumer confidence by reassuring parents that VTech has child safety on its mind at all times.
What should I do?
The FTC has made it clear that it understands what organizations must do to adhere to data security standards. The FTC reached a unanimous decision in finding VTech at fault for failing to protect children’s personal information. This is the first case of data security violations with respect to children’s personal information that the FTC has prosecuted. It will no doubt not be the last.
Organizations must understand their role in maintaining data security. It is no longer acceptable to collect personal information or confidential information without an adequate level of encryption-at-rest. This is a glaring issue for many organizations. In our IT security assessment practice, we find that less than 23% of all cloud solutions and less than 11% of all on-premises solutions employ Encryption-at-Rest technology. If there was ever a more important time to consider your at-rest encryption strategy, the time is now. Failure to comply with federal mandates will result in significant fines and additional spending on those items we call penance projects.
It is a common misunderstanding that encryption-at-rest technology degrades performance by 30%. This wild number has been touted since 2005 and grossly overstates the issue given the speed of processors in the year 2018. Encryption-at-rest is no longer a value proposition weighed against performance — federal regulators understand the security technology available in today’s marketplace. As FTC Chairman Maureen K. Ohlhausen makes obvious — encryption-at-rest is a “reasonable step” to securing data.
The FTC believes that VTech had the technology available to secure personal information. VTech is believed to have chosen to ignore COPPA legislation and to run the risk of operating at undesirable levels of security. Nowhere in its ruling did the FTC cite VTech for a lack of security technology. It is evident that policies and standards are lacking at VTech. Those things will take time to develop. Fortunately, VTech will receive oversight for the next 20 years to ensure this type of incident does not repeat.
Your organization would be wise to employ encryption-at-rest technology on all personal information and confidential information. Start by assessing your environment and determining where encryption-at-rest is lacking. Develop a plan to employ encryption-at-rest technology. Oftentimes, organizations find that they already have the technology available and have simply chosen to ignore it. Still, there are times when an upgrade is required — an example is when an on-premises SQL Server Standard Edition license is in use; here, this is the wrong edition of the database product as it lacks encryption-at-rest capabilities.
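As an added illustration of the assessment step described above (not code from the original article or from Convergency), the following T-SQL first confirms the SQL Server edition, then inventories every user database by its at-rest encryption state, and finally shows how Transparent Data Encryption (TDE) is enabled on an edition that supports it. The database name ChildAccounts, the certificate name TdeServerCert, the file paths and the passwords are placeholders to be replaced with your own values.

```sql
-- Step 1: confirm the edition; TDE is only available on editions that support it
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('Edition')        AS edition;

-- Step 2: inventory every user database and its encryption-at-rest state.
-- A database with no row in sys.dm_database_encryption_keys has no TDE key at all.
SELECT d.name                            AS database_name,
       d.is_encrypted,
       COALESCE(k.encryption_state, 0)   AS encryption_state,
       CASE COALESCE(k.encryption_state, 0)
            WHEN 0 THEN 'no database encryption key present'
            WHEN 1 THEN 'unencrypted'
            WHEN 2 THEN 'encryption in progress'
            WHEN 3 THEN 'encrypted'
            WHEN 4 THEN 'key change in progress'
            WHEN 5 THEN 'decryption in progress'
            WHEN 6 THEN 'protection change in progress'
       END                               AS encryption_state_desc,
       k.key_algorithm,
       k.key_length,
       k.encryptor_thumbprint
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.database_id > 4          -- skip master, tempdb, model and msdb
ORDER BY d.name;

-- Step 3: enable TDE on one database found unencrypted above.
-- ChildAccounts, TdeServerCert, the paths and the passwords are placeholders.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate';

-- Back up the certificate and private key immediately and store them off the server;
-- without them an encrypted database (and its backups) cannot be restored.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = '<secure-path>\TdeServerCert.cer'
    WITH PRIVATE KEY (FILE = '<secure-path>\TdeServerCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong-backup-password>');

USE ChildAccounts;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
ALTER DATABASE ChildAccounts SET ENCRYPTION ON;
```

Rerunning the Step 2 query shows encryption_state moving from 2 (in progress) to 3 (encrypted); a Standard Edition instance that does not support TDE will reject Step 3, which is the upgrade case the paragraph above describes.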
Some organizations may find that resource constraints do not allow for a clear and immediate resolution. At times, these organizations will look to the professional community to help solve their problems. We advise finding a firm that can present a legitimate roadmap to security compliance.
Need help? Convergency has a team of global cyber security subject matter experts who have implemented solutions and provided professional services to improve the state of security in large, multi-regional enterprises. Call us at 312.806.2024 to accomplish your cyber security objectives.
Convergency LLC is an IT consulting and advisory firm that specializes in cloud architecture, cloud migration, cloud audit and security risk management services.
“Electronic Toy Maker VTech Settles FTC Allegations that it Violated Children’s Privacy Law and the FTC Act”
Federal Trade Commission Press Release: https://www.ftc.gov/news-events/press-releases/2018/01/electronic-toy-maker-vtech-settles-ftc-allegations-it-violated
About the Author
Brian Nigl is the CEO and Cyber Security Practice Owner at Convergency LLC. Brian is a recognized IT life sciences veteran having supported global pharmaceutical organizations in the areas of cyber security, system architecture, application development, cloud architecture and virtualization. Brian speaks regularly at industry conferences and is published in several leading journals.