
December 2005


Contacts

Lisa J. Sotto
Partner
200 Park Avenue
New York, NY 10166
(212) 309-1223

Ellen Finn
Fleetway House, 6th Floor
25 Farringdon Street
London EC4A 4AB
+44 (0)20 7246 5728

Orson Swindle*
Chairman of Information Security Projects and Senior Policy Advisor
Center for Information Policy Leadership
1900 K Street, NW
Washington, DC 20006
(202) 955-1946

Additional Lawyers
Christopher Kuner, Manuel E. Maisog, Kathy Robb, Stephen C. King, Elisabeth M. McCarthy, Elizabeth Hendrix Johnson, Ashley B. Rowe, Aaron P. Simpson, Marian A. Waldmann, Jörg Hladjk, Isabelle Chatelier

Additional Contacts
Naotaka Matsukata*, Yukiko Ko*

Center for Information Policy Leadership
Martin E. Abrams**, Fred H. Cate

*Not a lawyer
**Mr. Abrams serves as Executive Director of Hunton & Williams’ Center for Information Policy Leadership. He is not a lawyer.

Hunton & Williams LLP

Client Alert


Retailer Liable for Failing to Protect Customer Data

On December 1, 2005, the Federal Trade Commission (“FTC”) announced that DSW Inc., a shoe retailer, agreed to settle FTC charges that it engaged in “unfair” business practices by failing to properly secure customer data. This is the second time this year that the FTC has used its authority to prevent unfair trade practices to hold a company liable for having insufficient information security measures to protect consumers’ personal information. The proposed settlement shows that the FTC will continue to use its authority to police the security of consumer data even when companies have no specific legal mandate to safeguard the information and have made no privacy or security promises to consumers. Companies that fail to exercise reasonable care to safeguard customer information could face FTC enforcement actions.

The FTC’s Allegations

DSW collected consumer personal information for purchases, including name, credit card number and expiration date, and “magnetic stripe” data including a security code. This information was collected at the cash register and sent wirelessly to DSW’s in-store computer network. DSW then transmitted the information to the processors to obtain check, credit card, and debit card authorizations. All this data, including magnetic stripe data, was stored on in-store and corporate computer networks. In March and April 2005, DSW announced that hackers had stolen credit card and other information (including checking account information and driver’s license numbers) from DSW’s computer networks. More than 1.4 million credit and debit card numbers were compromised, along with nearly 100,000 checking accounts and driver’s license numbers. Fraudulent charges occurred on some of the compromised accounts. Some customers whose checking accounts were compromised closed their accounts, causing them to lose access to their accounts and to incur out-of-pocket expenses, including the cost of ordering new checks.

DSW Failed to Use “Reasonable and Appropriate” Security Measures

The FTC alleged that DSW had failed to use reasonable and appropriate measures to secure the personal information it collected at its stores. Specifically, the FTC claimed that DSW:

created unnecessary risks to the information by storing it in multiple files when it no longer had a business need to keep the information;

did not use readily available security measures to limit access to its computer networks through wireless access points on the networks;

stored the information in unencrypted files that could be accessed easily by using a commonly known user ID and password;

did not limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and

failed to employ sufficient measures to detect unauthorized access.

The FTC claimed the lack of security measures was “unfair” because DSW’s lapses caused (or were likely to cause) “substantial injury to consumers that is not offset by countervailing benefits to consumers and is not reasonably avoidable by consumers.”

Comprehensive Information Security Program Required

As part of the proposed settlement, DSW must establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of customer information. The program must contain administrative, technical, and physical safeguards, including (i) designating an employee to coordinate and be accountable for the program; (ii) identifying internal and external risks to the information; and (iii) implementing safeguards to control these risks. In addition, DSW will need to obtain every two years for 20 years an audit from an independent third-party professional, who will certify that the required information security program is in place and that it is operating effectively to protect consumer data.

Additional Liability

Despite the proposed settlement with the FTC, DSW still faces additional liability as a result of its insufficient data security program. According to DSW’s SEC filings, as of July 2005, its exposure for losses related to the security breach ranges from $6.5 to $9.5 million.

Significance of the Case

Like the BJ’s Wholesale Clubs case, the FTC’s complaint against DSW does not allege that the company made any false representations about its information security practices. Thus, the case signals the FTC’s continued willingness to bring enforcement actions based solely on a company’s failure to implement appropriate information security measures. In addition, the settlement indicates the FTC’s intention to impose a security standard on businesses that maintain sensitive consumer data that is similar to that required under the Gramm-Leach-Bliley Safeguards Rule for financial institutions.

The FTC alleged that DSW “created unnecessary risks to [consumers’ personal] information by storing it when it no longer had a business need to keep the information.” This suggests that companies should carefully examine their data retention practices to ensure that sensitive information is stored no longer than necessary.

Recommended Security Practices

Given the FTC’s clear intent to challenge companies’ inadequate information security measures, businesses that maintain sensitive consumer data should take affirmative steps to ensure that their information security measures are sufficient. Any company that maintains consumer data would be well advised to develop and implement a comprehensive information security program, with a designated employee in charge of and accountable for the program. At a minimum, such a program should include evaluation of the risks and implementation of safeguards in the areas of employee training and management, information systems, and the prevention and detection of intrusions or other system failures.

The FTC’s requirements in this case and others resemble the security requirements imposed on financial institutions by the Gramm-Leach-Bliley Act’s Safeguards Rule. Congress is currently considering new legislation that would extend the Safeguards Rule beyond financial institutions to cover all companies that maintain consumer data. The FTC’s repeated use of Section 5 of the FTC Act to apply a GLB Safeguards Rule-type standard to companies not subject to the Safeguards Rule suggests that additional enforcement activity is likely even in the absence of new legislation.

We Can Help

Hunton & Williams’ Privacy and Information Management practice assists clients in developing, implementing and evaluating information security programs and data retention policies. If you would like assistance structuring an information security program or if you have any other privacy or information management needs, please contact us.

© 2005 Hunton & Williams LLP. These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create an attorney-client or similar relationship. Please do not send us confidential information. Past successes cannot be an assurance of future success. Whether you need legal services and which lawyer you select are important decisions that should not be based solely upon these materials.