Originally published December 6, 2005

In a dramatic shift, the Federal Trade Commission ("FTC") is pursuing, in recent enforcement actions, a heightened enforcement standard with expanded requirements for safeguarding customer data. The target? Not financial institutions. Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices." Until recently, the FTC brought enforcement actions against businesses that made promises to consumers about the level of privacy or data security and then, in the FTC’s view, breached those promises, thereby deceiving consumers. In addition to pursuing violations for deceptive conduct, the FTC is now casting a wider net and using its authority to go after "unfair" trade practices, including bringing enforcement actions against businesses even if they make no promises about data security.

The FTC has published its Safeguards Rule, which applies only to financial institutions covered under the Gramm-Leach-Bliley Act, but the FTC is now requiring other businesses to safeguard information security of consumers or face liability. The FTC has now shown that it will act when it concludes that a company fails to provide "reasonable and appropriate security for customer information." These actions go beyond financial institutions, and could be applicable to any company that obtains or stores sensitive customer information. The scope of the information that must be protected to avoid unfair trade practices is quite broad, and is not clearly defined by the FTC.

Most recently, on December 1, 2005, the FTC announced that it had entered into a consent judgment and disclosed a draft complaint against retail shoe discounter DSW Inc. where it concluded that DSW had failed to protect sensitive customer information. Earlier this year, the FTC announced a consent judgment against BJ’s Wholesale Club arising out of the compromise of thousands of credit and debit cards. Both companies’ settlements include onerous requirements, including obtaining independent security audits every two years for the next 20 years, and being subject to ongoing FTC oversight of data security practices. The FTC noted that, in their SEC filings, the companies estimated their exposure relating to the security breaches was at least $6.5 million each.

In these recent announcements, the FTC dug into the specifics of corporate data security practices and – without any applicable published standards that regulate these companies – found certain practices deficient. The FTC highlighted six data security failures:

  • Storing sensitive information in multiple files when the company no longer had a business need to keep the information;
  • Failure to encrypt consumer information when it was transmitted or stored on computers in company stores;
  • Failure to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
  • Storing the information in files that could be easily accessed using a commonly known or default user ID and password;
  • Failure to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
  • Failure to employ sufficient measures to detect unauthorized access.

Dramatic Shift from FTC Precedent

These cases represent a dramatic shift from FTC precedent. Most significantly, the FTC did not allege that either DSW or BJ’s had failed to meet its promises to its customers. In previous cases determining insufficient data security to be an "unfair trade practice," the FTC typically had held a company’s own privacy and data security promises against it. For example, in a case against the clothing maker Guess?, Inc., the FTC found that Guess had breached its own privacy policy, which promised that "all" personal information, including credit card information, was stored in an unreadable, encrypted format "at all times" when in fact it was not. Similarly, in a case against pet food supplier Petco Animal Supplies, the FTC found that Petco had promised its customers that protecting customer information was Petco’s "number one priority" and that entering credit card information was "completely safe" because their server encrypted "all" customer information; again, a hacker was able to penetrate the Web site and access credit card information stored in unencrypted, or "clear" text.

Additionally, the FTC did not claim that either DSW or BJ’s had failed to comply with any particular FTC regulation or guideline. The FTC did not charge DSW and BJ’s with violating the FTC’s Safeguards Rule, which applies only to "financial institutions." For example, the FTC in September 2005 brought a case against a mortgage lender, Superior Mortgage Corp., for violating the Safeguards Rule. Even there, the FTC further charged Superior Mortgage with falsely claiming that it encrypted data submitted online.

Wholly absent from the DSW and BJ’s cases is any allegation that either company had made any inaccurate claim to consumers or violated any FTC rule. In the case of BJ’s, the FTC characterized one of the five identified deficient practices as a violation of "bank rules" but did not claim that BJ’s had violated rules of either the FTC or any other government agency. With regard to DSW, the FTC did not claim that any of its offending practices violated any government or industry rule, practice or guideline.

Essentially, the FTC concluded that, taken as a whole, BJ’s and DSW’s security practices were not "reasonable" or "appropriate." The FTC did not provide any general guidance or standards for what would be reasonable for other companies to avoid similar liability, but the consent judgments make clear that the Safeguards Rule provides helpful guidance for compliance and a likely safe harbor.

What Companies Can Do To Protect Themselves

Companies are left with little guidance on how to minimize this potential source of FTC liability, or the civil liability and penalties that can arise from data security breaches. The FTC’s Safeguards Rule recognizes that each financial institution’s information security program must be tailored to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. The allegations in the DSW draft complaint outline a failure to undertake a process such as that outlined in the Safeguards Rule, and it is now important for all businesses holding sensitive customer information to, at a minimum, examine their information security programs in light of the following:

  • Ensure, either through an audit or otherwise, that your company’s practices do not include the same data security failures (such as the six failures identified above) that the FTC has previously found to be unfair;
  • Evaluate your company’s practices regarding management of customer information such as credit or debit card data, and whether it is kept any longer than necessary;
  • Identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information against unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control such risks;
  • Design and implement information safeguards to control identifiable risks for all areas of operations through risk assessment, and regularly test or monitor the effectiveness of such safeguards’ key controls, systems and procedures;
  • Appraise your company’s practices regarding oversight of safeguards by outside service providers who handle customer information, including reviewing all contracts with service providers to ensure sufficient compliance with your information security program;
  • Develop, implement and maintain a comprehensive information security program that goes beyond minimal adherence to your company’s publicly posted privacy policy or relevant regulations, so as to ensure sufficient data security for customer information;
  • Consider adopting a program similar to that outlined by the FTC’s Safeguards Rule, which is likely to evolve as a safe harbor, including implementing a written program with administrative, technical and physical safeguards, and charging an individual with responsibility for coordinating the program; and
  • Continue to monitor developments in this evolving area of potential liability.

In view of the potentially onerous terms of any FTC settlement as well as the potential civil liability that can arise from security breaches, companies should be wary of internal policies that are not followed. Education and training are a must, in addition to strong safeguards.

Goodwin Procter LLP is one of the nation's leading law firms, with a team of 700 attorneys and offices in Boston, Los Angeles, New York, San Diego, San Francisco and Washington, D.C. The firm combines in-depth legal knowledge with practical business experience to deliver innovative solutions to complex legal problems. We provide litigation, corporate law and real estate services to clients ranging from start-up companies to Fortune 500 multinationals, with a focus on matters involving private equity, technology companies, real estate capital markets, financial services, intellectual property and products liability.

This article, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP or its attorneys. © 2005 Goodwin Procter LLP. All rights reserved.