Out-Law News

Guess warned by FTC over consumer data security


Guess Inc. has settled charges that the US fashion company exposed customer data, including credit card numbers, by failing to secure its web site against commonly known attacks by hackers – despite assuring users that their details would be protected.

The Federal Trade Commission (FTC) has required Guess to implement a comprehensive information security programme for all of its web sites, although the company appears to have escaped any financial penalty.

"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection, when announcing the settlement on Wednesday. "It's not just good business, it's the law," he said.

Guess has sold Guess-brand clothing and accessories at Guess.com since 1998. According to the FTC complaint, since at least October 2000, the web site has been vulnerable to commonly known attacks such as "Structured Query Language (SQL) injection attacks".

The company's on-line statements reassured consumers that their personal information would be secure and protected. In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and the security measures failed to protect against SQL injection and other commonly known attacks.

According to the FTC, in February 2002 a visitor to the web site, using an SQL injection attack, was able to read in clear text credit card numbers stored in Guess's databases.

Under the terms of the settlement, Guess must not misrepresent the extent to which it maintains and protects the security of personal information collected from or about consumers. Guess must also establish and maintain a comprehensive information security programme and have that programme certified as meeting or exceeding the standards in the consent order by an independent professional within a year, and every other year thereafter.

The settlement does not constitute an admission of guilt or liability, nor is it actually final. It is subject to public comment until 18th July, after which the FTC will make a final decision.

The FTC has published a fact sheet for business entitled "Security Check: Reducing Risks to your Computer Systems". This is available for download at: www.ftc.gov/opa/2003/06/guess_securitycheck.pdf
