26 January 2008

What rough beast, its hour come round at last.... ?

Online retailer Life is good has entered into a consent decree with the US Federal Trade Commission to settle claims that its assurances of privacy protection to consumers were false. Davis Wright Tremaine LLP's excellent Privacy and Security Law blog has coverage of the decree here.

Corporate counsel and Chief Information Security Officers need to pay very close attention to this decree; it lays the groundwork for a standard of due care in the protection of consumers' private information. In my opinion this is, to use Churchill's famous phrase, "the end of the beginning" for information security and privacy as a liability-free zone.

Bruce Schneier, who has just been selected to receive CPSR's Norbert Wiener award, has long advocated liability as a step toward better computer security.

Whether you agree with Bruce or disagree with him, the FTC's action means that you now must acknowledge, and start to plan for, the possibility of liability for your security failures. You must also begin to prepare for the imposition of legally mandated minimum standards on your security programs, at least if those programs protect private information.

As Ronald London, who posted the Privacy and Security Law blog's entry on the Life is good consent decree, so mildly puts it, "The FTC's announcement of the consent decree provides an opportunity for all companies that collect sensitive personal information, and that publicly make promises about how they safeguard that data, to re-evaluate their data security programs".

A word, to the wise, is sufficient.

1 Comments:

Blogger HandyMan said...

re ICF....would like to speak with you directly re: KeyID http://www.keyid.com

There's more than enough to suggest that KeyID has already created (patent-pending) the platform that ICF is looking to create

Jay Berkman
jay@keyid.com

June 24, 2008 9:56 AM  
