
Friday, June 17, 2005

Is the FTC Finally Getting Serious About Security?

The FTC just announced a settlement with BJ's Wholesale Club, Inc.  From the FTC press release:

BJ’s Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law. According to the FTC, this information was used by an unauthorized person or persons to make millions of dollars of fraudulent purchases. The settlement will require BJ’s to implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years. . . .

The FTC charged that BJ’s engaged in a number of practices which, taken together, did not provide reasonable security for sensitive customer information. Specifically, the agency alleges that BJ’s:

    • Failed to encrypt consumer information when it was transmitted or stored on computers in BJ’s stores;
    • Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
    • Stored the information in files that could be accessed using commonly known default user IDs and passwords;
    • Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
    • Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

The FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce."   An act or practice is unfair if it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."  15 U.S.C. § 45(n). The complaint and settlement agreement are available here.

Posted by Daniel Solove on June 17, 2005 at 03:02 PM in Daniel Solove, Information and Technology


Listed below are links to weblogs that reference Is the FTC Finally Getting Serious About Security?:

» The FTC and BJs Wholesale from Emergent Chaos
The FTC has recently issued a consent order to BJ's Wholesale club in response to this complaint. The FTC, unfortunately, is the body charged with protecting consumers from ID theft. They are failing to rise to the challenge. This... [Read More]

Tracked on Jun 29, 2005 10:56:46 AM
