Federal Trade Commission Increases Scrutiny of Customer Data Security in Matter of DSW, Inc.
Since 2001, the FTC has filed more than 10 enforcement actions alleging that businesses failed to design, implement or maintain adequate security standards for handling customer data. The actions involved companies in mortgage lending, data brokering, internet retailing, credit/debit card processing, and email information subscription services. Most of the actions included alleged violations of specific federal statutes such as the Gramm-Leach-Bliley Act (regulating financial services), or of specific representations made in consumer agreements or advertising. However, in Matter of DSW, Inc., No. 052-3096, dkt. C-4157 (Mar. 7, 2006), the FTC based an enforcement action squarely upon the premise that inadequate customer data security could constitute an “unfair trade practice” in and of itself. Specifically, the FTC alleged that “failure to employ reasonable and appropriate security measures to protect personal data and files caused or is likely to cause substantial injury to consumers that is not offset by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers. This practice was and is an unfair trade practice.”
DSW is an Ohio-based retailer, doing business through more than 200 stores located in more than 30 states, with 2004 net sales exceeding $950 million. According to the FTC Complaint, the company used computer networks to obtain authorization for non-cash purchases and to track inventory. From debit and credit card purchases, DSW collected information such as the cardholder name, card number, expiration date, and card security code. From purchases by check, DSW collected information such as the check number, routing and account numbers, and the purchaser’s driver’s license number and the licensing state. For all purchases, the data collected was transmitted wirelessly to an in-store computer network, and then was re-transmitted to an outside bank or processing institution.
In March 2005, DSW announced that it had discovered a breach in its data security practices. By April 2005, DSW began to send notification letters to potentially affected customers for whom the company had obtained addresses. After DSW took these actions, the FTC investigated and filed an administrative action. The FTC alleged that DSW’s practices constituted an unfair trade practice because the company “failed to provide reasonable and appropriate security for sensitive customer information.” The FTC’s Complaint specifically alleged:
- improper creation of unnecessary risks to sensitive customer information, by storing data in multiple files when it no longer had a business need to keep the information;
- failure to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
- improper storage of sensitive customer information in unencrypted files that could be easily accessed using a commonly known user ID and password;
- failure to limit sufficiently the ability of computers on an in-store network to connect to computers on other networks; and
- failure to employ sufficient measures to detect unauthorized access to company networks.
More than 1.4 million credit card, debit card, or checking accounts were compromised through activities at approximately 108 of DSW’s store locations. The FTC alleged that some of the compromised accounts had incurred fraudulent charges. The FTC also alleged that some customers had incurred expenses in connection with closing compromised accounts. DSW estimated its own potential exposure to exceed six million dollars.
Without admitting any liability, DSW agreed to settle the FTC Complaint through a Consent Agreement that regulates DSW’s future data-gathering and security practices. DSW agreed to establish and maintain “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” Specific provisions included:
- designation of employees to coordinate and be accountable for the program;
- identification of material internal and external risks to information security, and assessment of safeguards in place to control the risks, including (1) training and management, (2) information systems management, and (3) prevention, detection and response to intrusions or other system failures;
- design, implementation, and testing or monitoring of reasonable safeguards to control the risks identified through risk assessment; and
- ongoing evaluation and adjustment of the information security program to respond to any events that may have a material impact upon the program’s effectiveness.
To monitor compliance, DSW agreed to implement recordkeeping and reporting provisions. DSW also agreed to obtain a security assessment within six months of the Consent Agreement, and then to conduct security assessments biennially for the next 20 years. In each assessment, a qualified, independent, third-party professional would review DSW’s security program for compliance with the Agreement. DSW further agreed to produce its first assessment to the FTC’s Bureau of Consumer Protection, and to maintain assessments and related documents thereafter for production to the FTC upon request.
When the Complaint and proposed settlement were released for public comment, the Bank of America commented that the “definition for ‘personal information’ within the Consent Agreement … goes beyond that covered under the [Gramm-Leach-Bliley Act].” The Bank also expressed concern that, if made a standard, the broad definition of information subject to security measures would include publicly available information and increase the risk of “unreasonable lawsuits and/or the need to adopt risk mitigation programs that are not in the best interests of consumers or businesses.” In response, the FTC released a letter stating in part that the “Commission does not believe that the [Gramm-Leach-Bliley] Act definitions … are controlling in a case … under the Federal Trade Commission Act.”
DSW therefore represents an expansion of the FTC’s enforcement initiatives beyond existing federal statutes and case-specific customer agreements regarding the security of customer information. In that regard, DSW is an extension of the FTC’s previous Complaint and Order in the Matter of BJ’s Wholesale Club, Inc., No. 042-3160, dkt. C-4148 (Sept. 20, 2005). In BJ’s Wholesale Club, the FTC alleged that inadequate customer data security practices were an unfair trade practice, but there some of the challenged activities additionally violated bank security rules. DSW also reflects a movement to enforce minimum data security standards, including the propositions that (1) sensitive customer information should not be collected or stored any longer than necessary for reasonable business purposes; (2) sensitive data should be stored in an encrypted form; (3) data networks should be secured against both internal and external threats of unauthorized access; and (4) security standards and procedures should be monitored regularly to assure their effectiveness.