Spyware hampers compliance initiatives

Does spyware pose a threat to enterprise compliance initiatives?

In the wake of multiple data-breach disclosures—and more state laws governing such breaches—many companies are surveying the conduits through which sensitive information can escape the enterprise. All told, 19 states have passed customer-notification laws, modeled after California's SB 1386, and 21 other states are still considering such measures.

The most recent law went into effect last week in New York and protects such information as Social Security numbers, driver's license and bank account numbers, and non-driver ID card numbers. The fine for non-compliance is up to $10 per instance of failed notification.

Spyware can record keystrokes and upload information to an attacker, making it a potent data-breach threat. In July the FDIC issued a letter to financial institutions, "Best Practices on Spyware Prevention and Detection," which recommended they implement better spyware defenses to limit risk of theft of customers' sensitive information.

A report from anti-spyware software provider Webroot asserts: "Failure to take spyware seriously may expose an enterprise to substantial risks, including prosecution by the Federal Trade Commission (FTC) or non-compliance with HIPAA or [the] Gramm-Leach-Bliley Act."

While companies weigh the compliance ramifications of spyware, the battle over what is or isn't spyware—and what to do about it—is heating up. For example, take 180search Assistant, EliteBar and ISTbar. These three tools made the most recent Webroot list of the top 10 spyware and adware threats, and they also factor in recent lawsuits or enforcement actions.

In November the FTC shut down the "spyware ring" that ran EliteBar—also known as Search Miracle, Miracle Search, EM Toolbar and Elite Toolbar—and froze the assets of its creator and distributor, Enternet Media.

The FTC is also investigating ISTbar after the Center for Democracy & Technology filed a complaint asking the agency to investigate Integrated Search Technologies, which develops and distributes the technology.

Don't expect adware and spyware software developers to go down without a fight. For example, 180solutions, which develops the 180search Assistant, recently filed a lawsuit against Zone Labs (owned by Check Point Software Technologies) for labeling its software as spyware.

Meanwhile, in September, 180solutions was itself the target of a class-action lawsuit on behalf of the residents of the United States and the state of Illinois. The lawsuit alleges 180solutions, in effect, lied to consumers about whether it was distributing spyware.

Both cases are still pending.