In a record settlement, ValueClick recently agreed to pay the Federal Trade Commission (“FTC”) $2.9 million to settle claims that ValueClick violated federal law and used deceptive advertising. The FTC alleged that ValueClick failed to protect consumer information and misled consumers with advertising that did not clearly disclose the cost of products.
ValueClick, through its wholly owned subsidiary, E-Babylon, sold printer ink and printer accessories through a variety of websites that utilized an on-line credit and debit card payment processing system. Consumers purchasing products on these websites were required to provide personal information including name, address, phone number, credit card number, and credit card expiration date. The websites also required consumers to provide the three-digit credit card verification code ("CVV2 code") printed on the back of credit cards. CVV2 codes are particularly sensitive because they are intended to protect consumers against fraudulent internet and telephone purchases in which a sales associate cannot physically verify that the card belongs to the cardholder. A stolen CVV2 code, combined with the consumer's personal information, would make it easy for information thieves to make fraudulent purchases.
The FTC also alleged that ValueClick and its subsidiaries distributed or caused to be distributed privacy policies that claimed to protect consumers' personal information by encrypting data collected for the purpose of delivering products and services to consumers. The privacy policies claimed to use "industry standard" security measures to protect consumers' personal information. ValueClick and its subsidiaries used either no encryption or only limited encryption in their database systems. One of the defendant's systems used a simple alphabetic substitution system that was not consistent with industry standards.
Furthermore, the E-Babylon sites were subject to Structured Query Language (SQL) injection attacks. In SQL injection attacks, the attacker manipulates the address in the internet browser's address bar to gain access to information in the database supporting the website. These databases contained consumers' personal information and credit card information. The FTC alleged that SQL injection attacks were a well-known and well-publicized form of hacking and that solutions were both available and inexpensive.
In addition to the monetary penalties, ValueClick agreed to clearly disclose in its ads and web pages that consumers must spend money to qualify for “free” merchandise. Additionally, ValueClick and its subsidiaries must refrain from making misrepresentations about the use of encryption to protect consumers’ data. Finally, ValueClick agreed to independent third-party assessments of its programs for 20 years.