RealTime IT News

Congress Reacts to Breach Onslaught

WASHINGTON -- On a day marked by another major data security breach and more tough talk from Congress, the Federal Trade Commission (FTC) moved against a Fortune 500 company for its data protection practices.

Testifying before a Senate panel investigating possible national legislation aimed at better data protection and a national data breach disclosure law, FTC Chairman Deborah Majoras said BJ's Wholesale Club agreed to settle FTC charges that it failed to take adequate measures to protect consumers' personal information.

"For the first time we allege that inadequate data security can be an unfair business practice," Majoras told a Senate panel. "This action should provide clear notice to the business community to establish and maintain reasonable affirmative security measures."

The settlement requires BJ's, which operates 150 warehouse stores and 78 gas stations in 16 states, to implement a comprehensive information security program while submitting to third-party security audits every other year for 20 years.

According to the FTC complaint, BJ's failed to encrypt consumer information when it was transmitted or stored on the company's computers and created unnecessary risks by storing the data even when it no longer needed the information.

In addition, the FTC alleges BJ's failed to use readily available security measures to prevent unauthorized wireless connections to its networks and failed to take sufficient measures to detect unauthorized access.

Majoras' testimony came on the same day the Federal Deposit Insurance Corp. (FDIC) acknowledged it is in the process of notifying 6,000 current and former employees that their personally identifying information was possibly compromised in a 2004 data breach.

FDIC spokeswoman Tibby Ford stressed the breach was not the result of a system hack, but the agency did not give any other details of the breach, citing an ongoing FBI investigation.

"Identity theft is a growing problem which shows no signs of abating," Sen. Dianne Feinstein (D-Calif.) told the Senate Commerce Committee. "And why should it as long as people's sensitive personal information is so easily accessible in the marketplace?"

Feinstein said that over the last two years, there have been 34 "major" data breaches involving the personal information of approximately 18 million individuals. According to the FTC, the total cost to individuals and business from identity theft was more than $52 billion.

Sen. Conrad Burns (R-Calif.) added, "People have a right to be concerned and angry."

A new survey released on Wednesday by Entrust indicates they are. According to the survey of 1,003 likely U.S. voters, 97 percent of the respondents rate identity theft as a serious problem, with 48 percent saying they now avoid online purchases out of fear of their financial data being stolen.

The survey also shows that 71 percent of Americans believe new laws are needed to protect consumer privacy.

Sen. Gordon Smith (R-Ore.), who chaired the panel in the absence of Chairman Ted Stevens (R-Alas.), said he would be introducing legislation to make it a "national obligation" for businesses and government agencies to have adequate security measures in place.

Smith's legislation joins a growing list of bills, including legislation by Feinstein and Sen. Charles Schumer (D-N.Y.), that seek to address identity theft and impose a national data breach disclosure law.

"Unless Congress, companies and consumers take action, this is an epidemic that threatens to spiral out of control," Schumer told the committee. "Congressional action must be quick and it must be comprehensive. Identity theft is not a Democrat issue or a Republican issue -- it is a non-partisan consumer and economic crisis. There is no excuse for Congress failing to act in a bipartisan way."