Major Tech Publisher Reaches Agreement With Attorney General On E-commerce Security Standards

State Attorney General Spitzer today announced a multistate agreement with high-tech publisher Ziff Davis Media Inc. to redress an Internet security breach that exposed the personal information of thousands of magazine subscribers online.

The New York-led investigation stemmed from a magazine promotion Ziff Davis ran on its website in November of last year. Insufficient privacy controls by the company allowed a computer file of approximately 12,000 subscription orders for Electronic Gaming Monthly to be accessed by anyone surfing the Internet. Personal data was exposed, including credit card information, which resulted in some subscribers becoming victims of identity theft.

"The company's privacy policy promised reasonable security, but it was not effective in this case," Spitzer said. "With identity theft on the rise, consumers expect online businesses to recognize the sensitivity of personal contact and credit card information and to take reasonable measures to protect that information."

The agreement will help protect consumers from ID theft, spam and loss of confidentiality. Under the terms of the settlement, the New York-based company will be required to:

  • encrypt sensitive data during transmission from consumers

  • control file access through user authentication and application controls

  • monitor and control server activity

  • review applications prior to implementation

  • implement risk identification and response protocols

  • establish management oversight and employee training programs

The settlement also requires Ziff Davis to pay $500 to each of the approximately fifty U.S. consumers who provided credit card information while the subscriber data was exposed, regardless of whether the consumer incurred fraudulent charges.

In addition, on an ongoing basis, Ziff Davis must update its practices to keep pace with evolving industry standards for the privacy, security, and integrity of consumer data.

Ziff Davis was made aware of the problem by subscribers who had been alerted by Web-surfing "good Samaritans." The company responded by securing the subscriber data file and notifying consumers who had paid by credit card. Spitzer commended Ziff Davis for its prompt actions and for its cooperation in identifying baseline network security practices for e-commerce enterprises.

The case was handled by Assistant Attorney General David Stampley of the Internet Bureau. The Attorney General's office acknowledged information security consultant Greg Shipley of Neohapsis for his contribution to the investigation.

