ValueClick & the FTC: Have You Checked Your Privacy Policy Lately?
The Federal Trade Commission settled its lawsuit with ValueClick and in doing so, smacked ValueClick upside the proverbial head by imposing some heavy fines for spamming activities. Of particular interest is the part of the final settlement agreement that makes it clear that ValueClick violated its own privacy policy in a number of ways.
ValueClick’s privacy policy promised encryption of client data and the implementation of reasonable security measures. Reading the settlement agreement together with the original complaint, it appears that ValueClick was found to have failed on both counts: it did not encrypt the data, and it did not provide what was deemed “reasonable security,” specifically because it failed to fix vulnerabilities that allowed SQL injection attacks.
ValueClick’s failure on the security side seems fairly straightforward. The encryption issue merits a little more discussion. Encryption is a specific security precaution that may or may not have made sense in light of the company’s risk profile. In fact, ValueClick may have protected the data in another way that was perfectly adequate from a security perspective. But even if the company properly concluded that encryption was not necessary to protect client data, no one went back and changed the privacy policy to match.
Let’s be honest, website privacy policies are often crafted by webmasters, and frequently they “borrow” language from another website to generate the content. However, the FTC has repeatedly stated that the commission views these policy statements as binding contracts or commitments by the recipient of the data to its website visitors. The ValueClick case is neither the first nor the last such enforcement action that the FTC will bring in this area. (For a listing of the other cases and settlements, go to http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html.)
The ValueClick settlement is a reminder that these privacy policies need to be coordinated with the company’s information security program. If you don’t coordinate them, you run the risk of promising security assurances to clients or visitors that may or may not be part of the security program you have actually implemented. That inconsistency creates the potential for claims that your company is misrepresenting its handling of personal information, even if you have a solid information security program in place.