Client Alert

December 2005

Lisa J. Sotto, Partner
200 Park Avenue, New York, NY 10166
(212) 309-1223

Ellen Finn
Fleetway House, 6th Floor, 25 Farringdon Street, London EC4A 4AB
+44 (0)20 7246 5728

Orson Swindle*, Chairman of Information Security Projects and Senior Policy Advisor, Center for Information Policy Leadership
1900 K Street, NW, Washington, DC 20006
(202) 955-1946

Additional Lawyers: Christopher Kuner, Manuel E. Maisog, Kathy Robb, Stephen C. King, Elisabeth M. McCarthy, Elizabeth Hendrix Johnson, Ashley B. Rowe, Aaron P. Simpson, Marian A. Waldmann, Jörg Hladjk, Isabelle Chatelier

Additional Contacts: Naotaka Matsukata*, Yukiko Ko*

Center for Information Policy Leadership: Martin E. Abrams**, Fred H. Cate

*Not a lawyer
**Mr. Abrams serves as Executive Director of Hunton & Williams’ Center for Information Policy Leadership. He is not a lawyer.

Hunton & Williams LLP

Retailer Liable for Failing to Protect Customer Data
On December 1, 2005, the Federal Trade Commission (“FTC”) announced that DSW Inc., a shoe retailer, agreed to settle FTC charges that it engaged in “unfair” business practices by failing to properly secure customer data. This is the second time this year that the FTC has used its authority to prevent unfair trade practices to hold a company liable for having insufficient information security measures to protect consumers’ personal information. The proposed settlement shows that the FTC will continue to use its authority to police the security of consumer data even when companies have no specific legal mandate to safeguard the information and have made no privacy or security promises to consumers. Companies that fail to exercise reasonable care to safeguard customer information could face FTC enforcement actions.

The FTC’s Allegations

DSW collected consumer personal information for purchases, including name, credit card number and expiration date, and “magnetic stripe” data including a security code. This information was collected at the cash register and sent wirelessly to DSW’s in-store computer network. DSW then transmitted the information to the processors to obtain check, credit card, and debit card authorizations. All this data, including magnetic stripe data, was stored on in-store and corporate computer networks.

In March and April 2005, DSW announced that hackers had stolen credit card and other information (including checking account information and driver’s license numbers) from DSW’s computer networks. More than 1.4 million credit and debit card numbers were compromised, along with nearly 100,000 checking accounts and driver’s license numbers. Fraudulent charges occurred on some of the compromised accounts. Some customers whose checking accounts were compromised closed their accounts, causing them to lose access to their accounts and to incur out-of-pocket expenses, including the cost of ordering new checks.
DSW Failed to Use “Reasonable and Appropriate” Security Measures

The FTC alleged that DSW had failed to use reasonable and appropriate measures to secure the personal information it collected at its stores. Specifically, the FTC claimed that DSW:

• created unnecessary risks to the information by storing it in multiple files when it no longer had a business need to keep the information;
• did not use readily available security measures to limit access to its computer networks through wireless access points on the networks;
• stored the information in unencrypted files that could be accessed easily by using a commonly known user ID and password;
• did not limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
• failed to employ sufficient measures to detect unauthorized access.

The FTC claimed the lack of security measures was “unfair” because DSW’s lapses caused (or were likely to cause) “substantial injury to consumers that is not offset by countervailing benefits to consumers . . . and is not reasonably avoidable by consumers.”

Comprehensive Information Security Program Required

As part of the proposed settlement, DSW must establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of customer information. The program must contain administrative, technical, and physical safeguards, including (i) designating an employee to coordinate and be accountable for the program; (ii) identifying internal and external risks to the information; and (iii) implementing safeguards to control these risks. In addition, DSW will need to obtain every two years for 20 years an audit from an independent third-party professional, who will certify that the required information security program is in place and that it is operating effectively to protect consumer data.

Additional Liability

Despite the proposed settlement with the FTC, DSW still faces additional liability as a result of its insufficient data security program. According to DSW’s SEC filings, as of July 2005, its exposure for losses related to the security breach ranges from $6.5 to $9.5 million.

Significance of the Case

Like the BJ’s Wholesale Clubs case, the FTC’s complaint against DSW does not allege that the company made any false representations about its information security practices. Thus, the case signals the FTC’s continued willingness to bring enforcement actions based solely on a company’s failure to implement appropriate information security measures. In addition, the settlement indicates the FTC’s intention to impose a security standard on businesses that maintain sensitive consumer data that is similar to that required under the Gramm-Leach-Bliley Safeguards Rule for financial institutions.

The FTC alleged that DSW “created unnecessary risks to [consumers’ personal] information by storing it ... when it no longer had a business need to keep the information.” This suggests that companies should carefully examine their data retention practices to ensure that sensitive information is stored no longer than necessary.

Recommended Security Practices

Given the FTC’s clear intent to challenge companies’ inadequate information security measures, businesses that maintain sensitive consumer data should take affirmative steps to ensure that their information security measures are sufficient. Any company that maintains consumer data would be well advised to develop and implement a comprehensive information security program, with a designated employee in charge of and accountable for the program. At a minimum, such a program should include evaluation of the risks and implementation of safeguards in the areas of employee training and management, information systems, and the prevention and detection of intrusions or other system failures.

The FTC’s requirements in this case and others resemble the security requirements imposed on financial institutions by the Gramm-Leach-Bliley Act’s Safeguards Rule. Congress is currently considering new legislation that would extend the Safeguards Rule beyond financial institutions to cover all companies that maintain consumer data. The FTC’s repeated use of Section 5 of the FTC Act to apply a GLB Safeguards Rule-type standard to companies not subject to the Safeguards Rule suggests that additional enforcement activity is likely even in the absence of new legislation.

We Can Help

Hunton & Williams’ Privacy and Information Management practice assists clients in developing, implementing and evaluating information security programs and data retention policies. If you would like assistance structuring an information security program or if you have any other privacy or information management needs, please contact us.

© 2005 Hunton & Williams LLP. These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create an attorney-client or similar relationship. Please do not send us confidential information. Past successes cannot be an assurance of future success. Whether you need legal services and which lawyer you select are important decisions that should not be based solely upon these materials.

Atlanta • Bangkok • Beijing • Brussels • Charlotte • Dallas • Houston • Knoxville • London • McLean • Miami • New York • Norfolk • Raleigh • Richmond • Singapore • Washington