The IT Law Wiki

In re Guidance Software


Citation

In re Guidance Software, File No. 062 3057 (FTC Nov. 16, 2006).

FTC Complaint

Guidance Software, Inc. sells software and related training, materials, and services that customers use to investigate and respond to computer breaches and other security incidents.

The FTC prepared a complaint (which was never filed) alleging that Guidance failed to implement simple, inexpensive, and readily available security measures to protect consumers' data. In contrast to the claims about data security made on Guidance's website, the Commission alleged that the company created unnecessary risks to consumers' credit card information by permanently storing it in clear, readable text.

In addition, the complaint alleged that Guidance failed to protect the information by:

  • failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable web-based attacks, such as structured query language (SQL) injection attacks;
  • failing to implement simple, low-cost, and readily available defenses to such attacks;
  • failing to employ measures to detect unauthorized access to consumers’ credit card information.

The Complaint alleged that Guidance’s data security failure allowed hackers to access sensitive credit card information for thousands of consumers.

Consent Order

Guidance agreed to settle the allegations in the complaint and agreed to a Consent Order, which was approved by the Commission on April 3, 2007.

The Consent Order bars Guidance from making misrepresentations about its security measures and requires Guidance to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires Guidance to obtain, every two years for the next 10 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order. The company also agreed to standard record keeping and reporting provisions to allow the FTC to monitor compliance.
