June 17, 2005
FTC Settles Another Case for Failure to Use Reasonable Security
In the Matter of BJ's Wholesale Club, Inc., File No. 042 3160. The FTC settled with BJ's Wholesale Club over BJ's allegedly deficient security practices. This is the second settlement of its nature in three months (the last being an enforcement action under the Gramm-Leach-Bliley Act against Nationwide Mortgage Group).
This enforcement action seems especially problematic because it's not exactly clear what BJ did wrong (except get caught, of course). I'm still trying to figure out how BJ's practices differed from industry standards. If they did not, this case has significant implications for everyone who touches credit cards--including all retailers, restaurants, gas stations and e-tailers.
The FTC complaint alleged the following:
"The Commission’s proposed complaint alleges that BJ’s stored members’ personal information on computers at its stores and failed to employ reasonable and appropriate security measures to protect the information. The complaint alleges that this failure was an unfair practice because it caused or was likely to cause substantial consumer injury that was not reasonably avoidable and was not outweighed by countervailing benefits to consumers or competition. In particular, the complaint alleges that BJ’s engaged in a number of practices which, taken together, did not provide reasonable security for sensitive personal information, including: (1) failing to encrypt information collected in its stores while the information was in transit or stored on BJ’s computer networks; (2) storing the information in files that could be accessed anonymously, that is, using a commonly known default user id and password; (3) failing to use readily available security measures to limit access to its networks through wireless access points on the networks; (4) failing to employ measures sufficient to detect unauthorized access to the networks or conduct security investigations; and (5) storing information for up to 30 days when BJ’s no longer had a business need to keep the information, in violation of bank security rules. The complaint further alleges that several million dollars in fraudulent purchases were made using counterfeit copies of credit and debit cards members had used at BJ’s stores. The counterfeit cards contained the same personal information BJ’s had collected from the magnetic stripes of members’ credit and debit cards and then stored on its computer networks. After discovering the fraudulent purchases, banks cancelled and re-issued thousands of credit and debit cards members had used at BJ’s stores, and members holding these cards were unable to use them to access credit and their own bank accounts."
As I said, other than get caught (and holding onto the data longer than it should), I'm not sure what BJ did that was unusual. The FTC is implying that every database of credit card numbers must be stored in an encrypted database with restricted access. Here, BJ failed to do this and got nailed by a hacker, which led to a fairly public problem as the hacker forced banks to reissue credit cards. But credit card databases are ubiquitous, and I'm having a hard time imagining that other retailers are doing more than BJ is doing.
The FTC's proposed remedy is pretty interesting. It seems like the FTC is foreshadowing what it considers to be best practices for managing security of credit card databases. The requirements imposed on BJ:
"• Designate an employee or employees to coordinate and be accountable for the information security program.
• Identify material internal and external risks to the security, confidentiality, and integrity of consumer information that could result in unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.
• Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
• Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that BJ’s knows or has reason to know may have a material impact on the effectiveness of its information security program."
Seems like the lawyers and security consultants will love having this as the best practices! Perhaps I should get into the security consulting business...
But it's not immediately clear to me that all of this self-assessment and navel-gazing will actually improve security. It might, or it might just turn into one big paper-pushing/CYA/pay-the-consultants-and-do-whatever-they-say fiesta. You can't really mandate that people care about security; this has to be internally motivated, or it just becomes a go-through-the-motions exercise.
As I've said before, I have historically dismissed the lawyers hyping security concerns as hucksters trying to drum up some low-utility business. If that view was once correct, it certainly is no longer, and I recant any such views. Enforcement actions like this one (and the prior Nationwide Mortgage action) send a clear message: the FTC does believe there is a baseline level of security that companies must undertake, and failing to do so has legal ramifications. While security measures must still be evaluated on a cost/benefit basis, the costs of non-compliance must now include legal risks that previously might have been de minimis but are now tangible and non-trivial.
Posted by Eric at June 17, 2005 04:43 PM | Privacy/Security