FTC - Twitter Settlement re: Password Security Requirements
Twitter Settles Charges that it Failed to Protect Consumers' Personal Information; Company Will Establish Independently Audited Information Security Program
Beyond Twitter, this is what should get your attention:
How this applies to you ...
"According to the FTC's complaint, Twitter was vulnerable to these attacks because it failed to take reasonable steps to prevent unauthorized administrative control of its system, including:
* requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
* prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
* suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
* providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
* enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
* restricting access to administrative controls to employees whose jobs required it; and
* imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses."
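Several of the controls in that list (lockout after repeated failures, source-IP restriction, 90-day password expiry, and an administrative gate separate from the user login) can be enforced in one check. The following is an added Python example, not code from the original post or from Twitter; the 5-attempt lockout threshold and the 10.0.0.0/8 allowed range are assumptions, and the password itself is assumed to have been verified elsewhere (the function takes the verification result).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MAX_FAILED_ATTEMPTS = 5                    # assumption: lockout threshold
PASSWORD_MAX_AGE = timedelta(days=90)      # the 90-day expiry named in the complaint
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]  # constructed: networks allowed to reach admin login


@dataclass
class AdminAccount:
    username: str
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def check_admin_login(acct, password_ok, source_ip, now):
    """Gate an administrative login. Returns (allowed, reason).

    Order matters: the IP restriction and lock state are checked before the
    password result is consulted, so a locked account stays locked even when
    the correct password is later supplied, and expiry is only reported after
    a correct password so it cannot be used to probe for expired accounts.
    """
    if not any(ip_address(source_ip) in net for net in ADMIN_NETWORKS):
        return False, "source_ip_not_allowed"
    if acct.locked:
        return False, "account_locked"
    if not password_ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True          # suspend after a reasonable number of failures
            return False, "account_locked"
        return False, "bad_password"
    if now - acct.password_set_at > PASSWORD_MAX_AGE:
        return False, "password_expired"  # correct password, but a change is required
    acct.failed_attempts = 0            # successful login resets the counter
    return True, "ok"


def demo():
    """Constructed scenario: wrong network, five bad passwords, post-lock attempt, stale password."""
    now = datetime(2024, 1, 1)
    acct = AdminAccount("admin", password_set_at=now - timedelta(days=10))
    results = [check_admin_login(acct, True, "203.0.113.7", now)[1]]
    for _ in range(MAX_FAILED_ATTEMPTS):
        results.append(check_admin_login(acct, False, "10.1.2.3", now)[1])
    results.append(check_admin_login(acct, True, "10.1.2.3", now)[1])
    stale = AdminAccount("ops", password_set_at=now - timedelta(days=120))
    results.append(check_admin_login(stale, True, "10.1.2.3", now)[1])
    return results
```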
Assume you sell a product and collect email addresses. But someone hacks your site, grabs the addresses, and starts sending spam.
You now have a laundry list of issues from the FTC against which to evaluate whether you took reasonable steps to safeguard your customers' personal information.
This happens. I once started receiving spam from Guru #1, and was told a client list had been improperly accessed by a contractor. Similar response from Guru #2 about receiving spam - it wasn't him - it was due to a hacker.
What this also means is that you should be vigilant about keeping your software up to date. For example, if you run a forum, make sure it is running the latest software version.
In a separate statement, David Vladeck, director of the FTC's Bureau of Consumer Protection, said: "When a company promises consumers that their personal information is secure, it must live up to that promise."
For example, when you promise that a person's email address will remain private, this isn't just lip service. If email is compromised, then it isn't just a privacy issue anymore.
The FTC can also position this as fraud, since you promised something without taking action to back up that promise.