What rough beast, its hour come round at last...?
Corporate counsel and Chief Information Security Officers need to pay very close attention to this decree; it lays the groundwork for a standard of due care in the protection of consumers' private information. In my opinion this is, to use Churchill's famous phrase, "the end of the beginning" for information security and privacy as a liability-free zone.
Whether you agree with Bruce or disagree with him, the FTC's action means that you now must acknowledge, and start to plan for, the possibility of liability for your security failures. You must also begin to prepare for the imposition of legally mandated minimum standards on your security programs, at least if those programs protect private information.
As Ronald London, who posted the Privacy and Security Law blog's entry on the Life is good consent decree, so mildly puts it, "The FTC's announcement of the consent decree provides an opportunity for all companies that collect sensitive personal information, and that publicly make promises about how they safeguard that data, to re-evaluate their data security programs".
A word, to the wise, is sufficient.