By Roy Mark
June 16, 2005
WASHINGTON -- On a day marked by another major data security breach
and more tough talk from Congress, the Federal Trade Commission (FTC)
moved against a Fortune 500 company for its data protection practices.
Testifying before a Senate panel investigating possible national
legislation aimed at better data protection and a national data breach
disclosure law, FTC Chairman Deborah Majoris said BJ's Wholesale Club
agreed to settle FTC charges that it failed to take adequate measures
to protect consumers' personal information.
"For the first time we allege that inadequate data security can be an
unfair business practice," Majoris told a Senate panel. "This action
should provide clear notice to the business community to establish and
maintain reasonable affirmative security measures."
The settlement requires BJ's, which operates 150 warehouse stores and
78 gas stations in 16 states, to implement a comprehensive information
security program while submitting to third-party security audits every
other year for 20 years.
According to the FTC complaint, BJ's failed to encrypt consumer
information when it was transmitted or stored on the company's
computers and created unnecessary risks by storing the data even when
it no longer needed the information.
In addition, the FTC alleges BJ's failed to use readily available
security measures to prevent unauthorized wireless connections to its
networks and failed to take sufficient measures to detect unauthorized
Majoris' testimony came on the same day the Federal Deposit Insurance
Corp. (FDIC) acknowledged it is in the process of notifying 6,000
current and former employees that their personally identifying
information was possibly compromised in a 2004 data breach.
FDIC spokeswoman Tibby Ford stressed the breach was not the result of
a system hack, but the agency did not give any other details of the
breach, citing an ongoing FBI investigation.
"Identity theft is a growing problem which shows no signs of abating,"
Sen. Dianne Feinstein (D-Calif.) told the Senate Commerce Committee.
"And why should it as long as people's sensitive personal information
is so easily accessible in the marketplace?"
Feinstein said that over the last two years, there have been 34
"major" data breaches involving the personal information of
approximately 18 million individuals. According to the FTC, the total
cost to individuals and business from identity theft was more than $52
Sen. Conrad Burns (R-Calif.) added, "People have a right to be
concerned and angry."
A new survey released on Wednesday by Entrust (Quote, Chart) indicates
they are. According to the survey of 1,003 likely U.S. voters, 97
percent of the respondents rate identity theft as a serious problem,
with 48 percent saying they now avoid online purchases out of fear of
their financial data being stolen.
The survey also shows that 71 percent of Americans believe new laws
are needed to protect consumer privacy.
Sen. Gordon Smith (R-Ore.), who chaired the panel in Chairman Ted
Stevens (R-Alas.) absence, said he would be introducing legislation to
make it a "national obligation" for businesses and government agencies
to have adequate security measures in place.
Smith's legislation joins a growing list of bills, including
legislation by Feinstein and Sen. Charles Schumer (D-N.Y.), that seek
to address identity theft and impose a national data breach disclosure
"Unless Congress, companies and consumers take action, this is an
epidemic that threatens to spiral out of control," Schumer told the
committee. "Congressional action must be quick and it must be
comprehensive. "Identity theft is not a Democrat issue or a Republican
issue -- it is a non-partisan consumer and economic crisis. There is
no excuse for Congress failing to act in a bipartisan way."
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.