In LifeLock, the FTC alleged that the company “failed to establish and maintain a comprehensive information security program…” as required by a 2010 order. LifeLock settled the case for $100M, despite the fact that the company claimed it had a clean bill of health from a reputable third-party PCI assessor, and, according to Commissioner Ohlhausen, LifeLock suffered no breach. Much of the LifeLock record was sealed, and so the case is a bit of a puzzle: how could it be that a company that receives a clean PCI-DSS assessment could also fail to establish a security program?
I hear we’re going to learn more specific details on the case soon, but in the meantime, the FTC just released to me LifeLock’s initial (2010) assessment. It comes in a comical “public version,” which is completely redacted, and a largely unredacted “non-public” version.
More to come soon, but bear in mind that the FTC gave Wyndham a kind of safe harbor if the company obtains a clean PCI assessment. If other respondents ask for similar treatment, these assessments are going to become more important than ever.