The FTC just announced a settlement with BJ’s Wholesale Club, Inc. From the FTC press release:
BJ’s Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law. According to the FTC, this information was used by an unauthorized person or persons to make millions of dollars of fraudulent purchases. The settlement will require BJ’s to implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years. . . .
The FTC charged that BJ’s engaged in a number of practices which, taken together, did not provide reasonable security for sensitive customer information. Specifically, the agency alleges that BJ’s:
- Failed to encrypt consumer information when it was transmitted or stored on computers in BJ’s stores;
- Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
- Stored the information in files that could be accessed using commonly known default user IDs and passwords;
- Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
- Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.
The FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” An act or practice is unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). The complaint and settlement agreement are available here.
Originally posted at PrawfsBlawg
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.