If you're tempted to become a neo-Luddite and forswear all use of Internet technology, rest assured that even that won't help. No matter how they get your data, companies privy to sensitive information can still put you at risk - a point illustrated Tuesday by the Federal Trade Commission's latest cases against two companies accused of lax practices.
The FTC, which has brought more than 30 such cases since 2003, accused Ceridian Corp. of storing sensitive data on its servers "in clear, readable text" rather than in encrypted form, and maintaining data indefinitely without legitimate need. It said the other company, Lookout Services Inc., failed to protect data behind user names and passwords, enabling a Web visitor to view the Social Security numbers of about 37,000 consumers.
Neither company paid any penalties or admitted wrongdoing. Both agreed to beef up security and submit to outside security audits every other year. And both of their cases, along with Sony's mea culpas, help illustrate two fundamental points made repeatedly by data-security experts.
One is that companies that handle sensitive data need to take basic steps to protect it, and to constantly guard against new vulnerabilities. It's a cat-and-mouse game, and the mice are always honing their skills.
The other is that technology users can't count on businesses to protect their data - even if the businesses do everything right.
"Unfortunately, the hackers are always one step ahead, and it doesn't mean that the company has done anything wrong," says Kristen J. Mathews, a partner at New York's Proskauer law firm and head of its privacy and data-security group. "Sometimes, it's impossible to be 100 percent secure."
