's settlement of security infraction charges brought by the Federal Trade Commission in June is the third decision of its kind, and it puts the FTC squarely in a position to require companies with Web sites that collect any consumer information falling under the purview of the Gramm-Leach-Bliley Act to take specific steps to secure that information.

The FTC complaint stated that was vulnerable to attacks directed at Web applications, attacks such as SQL injection attempts, at the same time that the site was publishing information online assuring consumers that their information was protected. Also, personal information was not kept encrypted at all times as was claiming, according to the FTC complaint.

"If you make a claim about information important to consumers, such as security, and it is false, it could be a violation of the Federal Trade Commission Act, a legal violation," says Jessica Rich, assistant director of financial practices, Bureau of Consumer Protection of the FTC. "The case involved a misrepresentation, so it was a legal problem."

The FTC's first settlement of a Web site security breach was reached with Eli Lilly and Co. in January 2002. Privacy was violated in that case when a Lilly employee created a new program to access certain subscribers' email addresses, then sent them an email message that included all of the recipients' email addresses in the "To" field, thereby disclosing to each subscriber the email addresses of all the other subscribers.

The second FTC security settlement was reached in August of 2002 with Microsoft, which the FTC complained had made false representations on its Web site about the security of information related to its Passport services for single sign-on and express purchasing. Microsoft was found not to be employing reasonable and appropriate measures to secure personal information, and was found to be collecting sign-in history for each user when it was claiming not to be doing that.

A new FTC Safeguards Rule that became effective in May 2003 implements security provisions of the GLBA, and requires any company engaging in a wide range of financial activities to implement an information security program. The program requires that the company designate an employee to be responsible for security, identify foreseeable risks, design and implement safeguards, select and retain service providers capable of maintaining the safeguards, and continue to evaluate the program.

"We are not in a position to micromanage, so we encourage companies to take reasonable and appropriate steps," says Rich. "We are not looking to pick companies apart. We know there is no such thing as perfect security."

The FTC conducts its own investigations, using experts, and receives information about potential breaches from a variety of sources.