WASHINGTON — On a day marked by another major data security breach and more
tough talk from Congress, the Federal Trade Commission (FTC) moved against a
Fortune 500 company for its data protection practices.
Testifying before a Senate panel investigating possible national legislation
aimed at better data protection and a national data breach disclosure law,
FTC Chairman Deborah Majoras said BJ’s Wholesale Club agreed to settle FTC
charges that it failed to take adequate measures to protect consumers’
personal information.
“For the first time we allege that inadequate data security can be an unfair
business practice,” Majoras told a Senate panel.
“This action should provide clear notice to the business community to
establish and maintain reasonable affirmative security measures.”
The settlement requires BJ’s, which operates 150 warehouse stores and 78 gas
stations in 16 states, to implement a comprehensive information security
program while submitting to third-party security audits every other year for
20 years.
According to the FTC complaint, BJ’s failed to encrypt consumer information
when it was transmitted or stored on the company’s computers and created
unnecessary risks by storing the data even when it no longer needed the
information.
In addition, the FTC alleges BJ’s failed to use readily available security
measures to prevent unauthorized wireless connections to its networks and
failed to take sufficient measures to detect unauthorized access.
Majoras’ testimony came on the same day the Federal Deposit Insurance Corp.
(FDIC) acknowledged it is in the process of notifying 6,000 current and
former employees that their personally identifying information was possibly
compromised in a 2004 data breach.
FDIC spokeswoman Tibby Ford stressed the breach was not the result of a
system hack, but the agency did not give any other details of the breach,
citing an ongoing FBI investigation.
“Identity theft is a growing problem which shows no signs of abating,” Sen.
Dianne Feinstein (D-Calif.) told the Senate Commerce Committee. “And why
should it as long as people’s sensitive personal information is so easily
accessible in the marketplace?”
Feinstein said that over the last two years, there have been 34 “major” data
breaches involving the personal information of approximately 18 million
individuals. According to the FTC, the total cost to individuals and
businesses from identity theft was more than $52 billion.
Sen. Conrad Burns (R-Calif.) added, “People have a right to be concerned and
angry.”
A new survey released on Wednesday by Entrust indicates
they are. According to the survey of 1,003 likely U.S. voters, 97 percent of
the respondents rate identity theft as a serious problem, with 48 percent
saying they now avoid online purchases out of fear of their financial data
being stolen.
The survey also shows that 71 percent of Americans believe new laws are
needed to protect consumer privacy.
Sen. Gordon Smith (R-Ore.), who chaired the panel in Chairman Ted Stevens’
(R-Alaska) absence, said he would be introducing legislation to make it a
“national obligation” for businesses and government agencies to have
adequate security measures in place.
Smith’s legislation joins a growing list of bills, including legislation by
Feinstein and Sen. Charles Schumer (D-N.Y.), that seek to address identity
theft and impose a national data breach disclosure law.
“Unless Congress, companies and consumers take action, this is an epidemic
that threatens to spiral out of control,” Schumer told the committee.
“Congressional action must be quick and it must be comprehensive. Identity
theft is not a Democrat issue or a Republican issue — it is a non-partisan
consumer and economic crisis. There is no excuse for Congress failing to act
in a bipartisan way.”