Life is good, Inc., and Life is good Retail, Inc.; Analysis of Proposed Consent Order to Aid Public Comment, 4231-4233 [E8-1168]
[Federal Register Volume 73, Number 16 (Thursday, January 24, 2008)]
[Notices]
[Pages 4231-4233]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-1168]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 072 3046]
Life is good, Inc., and Life is good Retail, Inc.; Analysis of
Proposed Consent Order to Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order--embodied in the consent
agreement--that would settle these allegations.
DATES: Comments must be received on or before February 19, 2008.
ADDRESSES: Interested parties are invited to submit written comments.
Comments should refer to ``Life is good, File No. 072 3046,'' to
facilitate the organization of comments. A comment filed in paper form
should include this reference both in the text and on the envelope, and
should be mailed or delivered to the following address: Federal Trade
Commission/Office of the Secretary, Room 135-H, 600 Pennsylvania
Avenue, NW., Washington, D.C. 20580. Comments containing confidential
material must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with Commission Rule 4.9(c). 16 CFR
4.9(c) (2005).\1\ The FTC is requesting that any comment filed in paper
form be sent by courier or overnight service, if possible, because U.S.
postal mail in the Washington area and at the Commission is subject to
delay due to heightened security precautions. Comments that do not
contain any nonpublic information may instead be filed in electronic
form as part of or as an attachment to email messages directed to the
following email box: consentagreement@ftc.gov.
---------------------------------------------------------------------------
\1\ The comment must be accompanied by an explicit request for
confidential treatment, including the factual and legal basis for
the request, and must identify the specific portions of the comment
to be withheld from the public record. The request will be granted
or denied by the Commission's General Counsel, consistent with
applicable law and the public interest. See Commission Rule 4.9(c),
16 CFR 4.9(c).
---------------------------------------------------------------------------
The FTC Act and other laws the Commission administers permit the
collection of public comments to consider and use in this proceeding as
appropriate. All timely and responsive public comments, whether filed
in paper or electronic form, will be considered by the Commission, and
will be available to the public on the FTC website, to the extent
practicable, at www.ftc.gov. As a matter of discretion, the FTC makes
every effort to remove home contact information for individuals from
the public comments it receives before placing those comments on the
FTC website. More information, including routine uses permitted by the
Privacy Act, may be found in the FTC's privacy policy, at
https://www.ftc.gov/ftc/privacy.htm.
FOR FURTHER INFORMATION CONTACT: Jessica Rich, FTC Bureau of Consumer
Protection, 600 Pennsylvania Avenue, NW., Washington, D.C. 20580, (202)
326-2252.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 of
the Commission Rules of Practice, 16 CFR 2.34, notice is hereby given
that the above-captioned consent agreement containing a consent order
to cease and desist, having been filed with and accepted, subject to
final approval, by the Commission, has been placed on the public record
for a period of thirty (30) days. The following Analysis to Aid Public
Comment describes the terms of the consent agreement, and the
allegations in the complaint. An electronic copy of the full text of
the consent agreement package can be obtained from the FTC Home Page
(for January 17, 2008), on the World Wide Web, at
https://www.ftc.gov/os/2008/01/index.htm. A paper copy can be obtained from the FTC Public
Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW., Washington,
D.C. 20580, either in person or by calling (202) 326-2222.
Public comments are invited, and may be filed with the Commission
in either paper or electronic form. All comments
should be filed as prescribed in the ADDRESSES section above, and must
be received on or before the date specified in the DATES section.
Analysis of Agreement Containing Consent Order to Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, a consent agreement from Life is good, Inc. and Life is good
Retail, Inc. (collectively, ``Life is good'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
Life is good designs and distributes retail apparel and accessories
and operates a retail website at www.lifeisgood.com. In selling its
products, Life is good routinely has collected sensitive information
from consumers, including name, address, e-mail address, phone number,
credit card number, credit card expiration date, and credit card
security code (hereinafter ``consumer information''). Life is good has
collected this consumer information through its website and telephone
orders and stored it on a network computer accessible through the
website. This matter concerns alleged false or misleading
representations Life is good made about the security it provided for
this information.
The Commission's proposed complaint alleges that Life is good
represented that it implemented reasonable and appropriate security
measures to protect the privacy and confidentiality of sensitive
consumer information. The complaint alleges this representation was
false because Life is good engaged in a number of practices that, taken
together, failed to provide reasonable and appropriate security for the
sensitive consumer information stored on its computer network. In
particular, Life is good: (1) created unnecessary risks to credit card
information by storing it indefinitely in clear, readable text on its
network without a business need, and by storing credit card security
codes; (2) failed to assess adequately the vulnerability of its web
application and corporate computer network to certain commonly known or
reasonably foreseeable attacks, such as SQL injection attacks; (3) failed
to implement simple, free or low-cost, and readily available defenses
to SQL and related types of attacks; (4) failed to use readily
available security measures to monitor and control connections from the
network to the internet; and (5) failed to employ sufficient measures
to detect unauthorized access to credit card information.
The complaint further alleges that between June and August 2006, a
hacker exploited Life is good's failures by using SQL injection attacks
on Life is good's website and web application and exporting to the
hacker's browser consumer information for thousands of customers,
including credit card numbers, expiration dates, and security codes.
The proposed order applies to personal information Life is good
collects from or about consumers. It contains provisions designed to
prevent Life is good from engaging in the future in practices similar
to those alleged in the complaint.
Part I of the proposed order prohibits Life is good, in connection
with the collection of personally identifiable information from or
about consumers, in or affecting commerce, from misrepresenting the
extent to which it maintains and protects the privacy, confidentiality,
or integrity of such information.
Part II of the proposed order requires Life is good to establish
and maintain a comprehensive information security program in writing
that is reasonably designed to protect the security, confidentiality,
and integrity of personal information collected from or about
consumers. The security program must contain administrative, technical,
and physical safeguards appropriate to Life is good's size and
complexity, the nature and scope of its activities, and the sensitivity
of the personal information collected from or about consumers.
Specifically, the order requires Life is good to:
1. Designate an employee or employees to coordinate and be
accountable for the information security program.
2. Identify material internal and external risks to the security,
confidentiality, and integrity of personal information that could
result in the unauthorized disclosure, misuse, loss, alteration,
destruction, or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks.
3. Design and implement reasonable safeguards to control the risks
identified through risk assessment, and regularly test or monitor the
effectiveness of the safeguards' key controls, systems, and procedures.
4. Develop and use reasonable steps to retain service providers
capable of appropriately safeguarding personal information they receive
from respondents, require service providers by contract to implement
and maintain appropriate safeguards, and monitor their safeguarding of
personal information.
5. Evaluate and adjust its information security program in light of
the results of the testing and monitoring, any material changes to its
operations or business arrangements, or any other circumstances that it
knows or has reason to know may have a material impact on the
effectiveness of their information security program.
Part III of the proposed order requires that Life is good obtain,
covering the first 180 days after the order is served, and on a
biennial basis thereafter for twenty (20) years, an assessment and
report from a qualified, objective, independent third-party
professional, certifying, among other things, that (1) it has in place
a security program that provides protections that meet or exceed the
protections required by Part II of the proposed order; and (2) its
security program is operating with sufficient effectiveness to provide
reasonable assurance that the security, confidentiality, and integrity
of consumers' personal information is protected.
Parts IV through VII of the proposed order are reporting and
compliance provisions. Part IV requires Life is good to retain
documents relating to their compliance with the order. For most
records, the order required that the documents be retained for a
five-year period. For the third-party assessments and supporting documents,
Life is good must retain the documents for a period of three years
after the date that each assessment is prepared. Part V requires
dissemination of the order now and in the future to persons with
responsibilities relating to the subject matter of the order. Part VI
ensures notification to the FTC of changes in corporate status. Part
VII mandates that Life is good submit an initial compliance report to
the FTC, and make available to the FTC subsequent reports. Part VIII is
a provision ``sunsetting'' the order after twenty (20) years, with
certain exceptions.
The purpose of the analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed order or to modify its terms in any way.
By direction of the Commission.
Donald S. Clark
Secretary
[FR Doc. E8-1168 Filed 1-23-08: 8:45 am]
[BILLING CODE 6750-01-S]