Retailer's Inadequate Data Security Represents Unfair Practice

July 20, 2005

The Federal Trade Commission's prosecution of BJ's Wholesale Club and settlement of claims in connection with the chain's alleged failure to implement and maintain adequate data protection and security measures signals an alarming trend worthy of the attention of businesses that receive and collect personal information. On June 16, 2005, the FTC announced a settlement with BJ's that requires the company to implement a comprehensive information security program for the next 20 years. Significantly, the settlement did not include financial penalties, although according to BJ's SEC filings, it faces outstanding litigation claims from others totaling approximately $13 million arising from its information security practices.

The FTC prosecution and settlement were a reaction to a series of frauds committed in connection with unlawful access to credit card numbers and related information that BJ's had received from consumers.

"Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security," said Deborah Platt Majoras, chairman of the FTC. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information."

The FTC's complaint alleged that BJ's used a computer network to obtain bank authorization for credit and debit card purchases and to track inventory. For card purchases, BJ's, like many retail businesses, collected information, such as name, card number, and expiration date, from the magnetic stripe on the back of the cards. The information was sent from the computer network in retail stores to BJ's central data center, and from there through outside computer networks to the banks that issued the cards.

BJ's Data Protection Practices: The FTC's Allegations

The FTC charged that BJ's did not provide reasonable security for sensitive customer information. It alleged that BJ's:

  • failed to encrypt consumer information when it was transmitted or stored on computers in BJ's retail stores;
  • created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
  • stored the information in files that could be accessed using commonly known default user IDs and passwords;
  • failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
  • failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

Litigation and Related Risks: Lax Security Linked to Fraud by Others - BJ's Blamed

Taken together, these acts and omissions caused the FTC to allege that BJ's failed to provide adequate security for information and that the failure constituted an unfair practice. According to the FTC, fraudulent purchases were made using counterfeit copies of credit and debit cards that had been used at BJ's stores, and the counterfeit cards contained the same personal information BJ's had collected from the magnetic stripes of the cards. The FTC charged that because of the failure to safeguard information supplied to BJ's, banks were required to cancel and re-issue thousands of credit and debit cards, and consumers experienced inconvenience, worry, and time loss dealing with the affected cards.

Implications: Increased Compliance, More Complex Negotiations, Heightened Risks

The FTC's prosecution of BJ's demonstrates the agency's increasingly aggressive efforts to combat identity theft and misuse of personal information. Unlike prior prosecutions in the area, which have focused on deceptive messaging toward consumers, the FTC's action here suggests the agency may act against lax data security even where there have been no specific misrepresentations to consumers. It thus appears that failure to provide adequate security for sensitive information, in and of itself, now may be deemed by the FTC an unfair practice subject to prosecution.

Vendors and others who receive personal information, especially from financial institutions or consumers who maintain accounts with such institutions, may face increasing scrutiny of their information security practices. Those who obtain sensitive information should seek to apportion related litigation risk through contractual means, and even through vehicles such as insurance. Given that laws relating to providing notice of security breaches, both on the federal and state levels, are being enacted at a brisk pace, increased risk of litigation and related expenses to manage and contain these risks seems likely.

Wilson Sonsini Goodrich & Rosati routinely counsels clients in all aspects of their privacy and data protection programs, including assisting with incident response and remediation strategies. In addition to assisting with incident response, the firm has extensive experience assisting companies in negotiating issues relating to information security and data protection. If you have questions in these areas, please contact Gerry Stegmaier (703) 734-3109 or David Kramer (650) 320-4741.

A copy of the FTC's press release concerning the prosecution and related documents may be found at