Federal Trade Commission: Protecting America's Consumers

   For Release: June 18, 2003 Corrected

Guess Settles FTC Security Charges; Third FTC Case Targets False Claims about Information Security

Agency Alleges Security Flaws Placed Consumers' Credit Card Numbers at Risk to Hackers

   In the FTC's third case targeting companies that misrepresent the security of consumers' personal information, designer clothing and accessory marketer Guess, Incorporated has agreed to settle Federal Trade Commission charges that it exposed consumers' personal information, including credit card numbers, to commonly known attacks by hackers, contrary to the company's claims. The agency alleges that Guess didn't use reasonable or appropriate measures to prevent consumer information from being accessed at its Web site, Guess.com. The settlement will require that Guess implement a comprehensive information security program for Guess.com and its other Web sites.

   "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. "It's not just good business, it's the law," he said.

   Guess has sold Guess-brand clothing and accessories online at www.guess.com since 1998. According to the FTC complaint, since at least October 2000, Guess' Web site has been vulnerable to commonly known attacks such as "Structured Query Language (SQL) injection attacks" and other web-based application attacks. Guess' online statements reassured consumers that their personal information would be secure and protected. The company's claims included "This site has security measures in place to protect the loss, misuse, and alteration of information under our control" and "All of your personal information, including your credit card information and sign-in password, are stored in an unreadable, encrypted format at all times." In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and Guess' security measures failed to protect against SQL and other commonly known attacks. In February 2002, a visitor to the Web site, using an SQL injection attack, was able to read in clear text credit card numbers stored in Guess' databases, according to the FTC.

   To assist businesses in addressing these and other common vulnerabilities, the FTC has developed a fact sheet for business, "Security Check: Reducing Risks to your Computer Systems." Although computer systems aren't a company's only responsibility related to information security, they are an important one. With new vulnerabilities announced almost weekly, many businesses may feel overwhelmed trying to keep current. "Guidance is available from leading security professionals who put together consensus lists of vulnerabilities and defenses so that every organization, regardless of its resources or expertise in information security, can take basic steps to reduce the risks," according to the publication. The publication points to two web sites that can be of help: One identifies the 20 most critical Internet Security vulnerabilities at www.sans.org/top20; the other identifies the 10 most critical Web application security vulnerabilities at www.owasp.org.

   The Guess settlement prohibits the company from misrepresenting the extent to which it maintains and protects the security of personal information collected from or about consumers. It also requires that Guess establish and maintain a comprehensive information security program. In addition, Guess must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within a year, and every other year thereafter.

   The Commission vote to accept the proposed consent agreement was 5-0. An announcement regarding the agreement will be published in the Federal Register shortly. The agreement will be subject to public comment for 30 days, until July 18, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.

   NOTE: A consent agreement is for settlement purposes only and does not constitute an admission of a law violation. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $11,000.

   Copies of the complaint and consent agreement are available from the FTC's Web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1 877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

   Media Contact:
          Claudia Bourne Farrell
          Office of Public Affairs
          202-326-2181

   Staff Contact:
          Jessica Rich
          Bureau of Consumer Protection
          202-326-2148



   (FTC File No. 022-3260)

Related Documents:

   File No. 022 3260
   In the Matter of Guess?, Inc., and Guess.com, Inc.

   Security Check: Reducing Risks to your Computer Systems


   Last Modified: Tuesday, November 4, 2008

								