Faulty Site Redesign Leads Tower to Settle With Regulators
30th April, 2004
As Internet security threats multiply, redesigns of e-commerce sites can introduce a lot more than a sleek new user interface. Tower Records recently settled charges with the U.S. Federal Trade Commission, which sued the company last year after a redesign of its online music store introduced security holes that exposed customers' personal information.
The lapse violated federal law as well as Tower's privacy policy, according to the FTC, which warned that online merchants and banks will be held accountable for lax security auditing of redesigns. "In a fast-moving world of electronic commerce, change is inevitable," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. "Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities." The consent agreement requires Tower to have its web site audited by third-party security professionals every two years for the next 10 years.
The Tower case marked the FTC's fourth case targeting companies that exposed sensitive customer data through security gaffes, with previous cases producing consent agreements with Microsoft, Guess and Eli Lilly. The FTC scrutiny comes as corporate IT departments are facing pressure to bring their security into compliance with a bevy of government regulations. They include:
- A new California law that obligates e-commerce providers to disclose any compromise of customer data.
- Updated regulations from the Basel Committee on Banking Supervision, which will require UK financial institutions to produce exact details of any security breaches.
- The Sarbanes-Oxley Act of 2002 (SarbOx), an accounting oversight and corporate governance law with broad technology impacts, which requires stronger internal IT controls for financial data, with CEOs ultimately accountable.
- The Health Insurance Portability and Accountability Act (HIPAA), which applies stringent security standards to the handling of medical records, and stiff fines for companies that suffer lapses that expose private data.
Netcraft offers a range of advanced security services, including The Netcraft Network Examination, an automated vulnerability test of Internet-connected networks which checks for new security vulnerabilities and configuration errors caused by system and network maintenance.