
Client Alert

December 2005

Retailer Liable for Failing to Protect Customer Data

On December 1, 2005, the Federal Trade Commission (“FTC”) announced that DSW Inc., a shoe retailer, agreed to settle FTC charges that it engaged in “unfair” business practices by failing to properly secure customer data. This is the second time this year that the FTC has used its authority to prevent unfair trade practices to hold a company liable for having insufficient information security measures to protect consumers’ personal information. The proposed settlement shows that the FTC will continue to use its authority to police the security of consumer data even when companies have no specific legal mandate to safeguard the information and have made no privacy or security promises to consumers. Companies that fail to exercise reasonable care to safeguard customer information could face FTC enforcement actions.

The FTC’s Allegations

DSW collected consumer personal information for purchases, including name, credit card number and expiration date, and “magnetic stripe” data including a security code. This information was collected at the cash register and sent wirelessly to DSW’s in-store computer network. DSW then transmitted the information to the processors to obtain check, credit card, and debit card authorizations. All this data, including magnetic stripe data, was stored on in-store and corporate computer networks. In March and April 2005, DSW announced that hackers had stolen credit card and other information (including checking account information and driver’s license numbers) from DSW’s computer networks. More than 1.4 million credit and debit card numbers were compromised, along with nearly 100,000 checking accounts and driver’s license numbers. Fraudulent charges occurred on some of the compromised accounts. Some customers whose checking accounts were compromised closed their accounts, causing them to lose access to their accounts and to incur out-of-pocket expenses, including the cost of ordering new checks.

DSW Failed to Use “Reasonable and Appropriate” Security Measures

The FTC alleged that DSW had failed to use reasonable and appropriate measures to secure the personal information it collected at its stores. Specifically, the FTC claimed that DSW:

• created unnecessary risks to the information by storing it in multiple files when it no longer had a business need to keep the information;

• did not use readily available security measures to limit access to its computer networks through wireless access points on the networks;

• stored the information in unencrypted files that could be accessed easily by using a commonly known user ID and password;

• did not limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and

• failed to employ sufficient measures to detect unauthorized access.

The FTC claimed the lack of security measures was “unfair” because DSW’s lapses caused (or were likely to cause) “substantial injury to consumers that is not offset by countervailing benefits to consumers . . . and is not reasonably avoidable by consumers.”

Comprehensive Information Security Program Required

As part of the proposed settlement, DSW must establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of customer information. The program must contain administrative, technical, and physical safeguards, including (i) designating an employee to coordinate and be accountable for the program; (ii) identifying internal and external risks to the information; and (iii) implementing safeguards to control these risks. In addition, DSW will need to obtain every two years for 20 years an audit from an independent third-party professional, who will certify that the required information security program is in place and that it is operating effectively to protect consumer data.

Additional Liability

Despite the proposed settlement with the FTC, DSW still faces additional liability as a result of its insufficient data security program. According to DSW’s SEC filings, as of July 2005, its exposure for losses related to the security breach ranges from $6.5 to $9.5 million.

Significance of the Case

Like the BJ’s Wholesale Clubs case, the FTC’s complaint against DSW does not allege that the company made any false representations about its information security practices. Thus, the case signals the FTC’s continued willingness to bring enforcement actions based solely on a company’s failure to implement appropriate information security measures. In addition, the settlement indicates the FTC’s intention to impose a security standard on businesses that maintain sensitive consumer data that is similar to that required under the Gramm-Leach-Bliley Safeguards Rule for financial institutions.

The FTC alleged that DSW “created unnecessary risks to [consumers’ personal] information by storing it ... when it no longer had a business need to keep the information.” This suggests that companies should carefully examine their data retention practices to ensure that sensitive information is stored no longer than necessary.

Recommended Security Practices

Given the FTC’s clear intent to challenge companies’ inadequate information security measures, businesses that maintain sensitive consumer data should take affirmative steps to ensure that their information security measures are sufficient. Any company that maintains consumer data would be well advised to develop and implement a comprehensive information security program, with a designated employee in charge of and accountable for the program. At a minimum, such a program should include evaluation of the risks and implementation of safeguards in the areas of employee training and management, information systems, and the prevention and detection of intrusions or other system failures.

The FTC’s requirements in this case and others resemble the security requirements imposed on financial institutions by the Gramm-Leach-Bliley Act’s Safeguards Rule. Congress is currently considering new legislation that would extend the Safeguards Rule beyond financial institutions to cover all companies that maintain consumer data. The FTC’s repeated use of Section 5 of the FTC Act to apply a GLB Safeguards Rule-type standard to companies not subject to the Safeguards Rule suggests that additional enforcement activity is likely even in the absence of new legislation.

We Can Help

Hunton & Williams’ Privacy and Information Management practice assists clients in developing, implementing and evaluating information security programs and data retention policies. If you would like assistance structuring an information security program or if you have any other privacy or information management needs, please contact us.

Contacts

Lisa J. Sotto
Partner
200 Park Avenue
New York, NY 10166
(212) 309-1223
lsotto@hunton.com

Ellen Finn
Fleetway House, 6th Floor
25 Farringdon Street
London EC4A 4AB
+44 (0)20 7246 5728
efinn@hunton.com

Orson Swindle*
Chairman of Information Security Projects and Senior Policy Advisor
Center for Information Policy Leadership
1900 K Street, NW
Washington, DC 20006
(202) 955-1946
eswindle@hunton.com

Additional Lawyers
Christopher Kuner
Manuel E. Maisog
Kathy Robb
Stephen C. King
Elisabeth M. McCarthy
Elizabeth Hendrix Johnson
Ashley B. Rowe
Aaron P. Simpson
Marian A. Waldmann
Jörg Hladjk
Isabelle Chatelier

Additional Contacts
Naotaka Matsukata*
Yukiko Ko*
Center for Information Policy Leadership
Martin E. Abrams**
Fred H. Cate

*Not a lawyer
**Mr. Abrams serves as Executive Director of Hunton & Williams’ Center for Information Policy Leadership. He is not a lawyer.

Hunton & Williams LLP

© 2005 Hunton & Williams LLP. These materials have been prepared for informational purposes only and are not legal advice. This informa-
tion is not intended to create an attorney-client or similar relationship. Please do not send us confidential information. Past successes cannot
be an assurance of future success. Whether you need legal services and which lawyer you select are important decisions that should not
be based solely upon these materials.

Atlanta • Bangkok • Beijing • Brussels • Charlotte • Dallas • Houston • Knoxville • London • McLean • Miami • New York • Norfolk • Raleigh • Richmond • Singapore • Washington
