The Federal Trade Commission has been penalizing companies for poor cybersecurity for more than 20 years, but some businesses still haven’t gotten the message.
Houghton called for just that. “It will take measures such as taking away a company’s ability to conduct business online until all measures are complied with to really make companies more serious about cybersecurity,” he said. Among several other problems, Drizly also didn’t monitor for unauthorized attempts to transfer or remove customer data, the FTC added.
In Chegg’s case, the FTC accused it of poor cybersecurity practices that exposed sensitive information about millions of its customers and employees, including Social Security numbers, email addresses, and passwords. In some cases, students’ sexual orientation and disabilities and parents’ income information were also leaked.
A Chegg spokeswoman said data privacy is a “top priority” there. The company worked with the FTC to find a “mutually agreeable outcome” and will comply with the mandates in the order, she added. She noted that the FTC did not fine the company.