BJ's Wholesale Club Settles FTC Data-Protection Complaint - InformationWeek

6/16/2005
03:47 PM

BJ's Wholesale Club Settles FTC Data-Protection Complaint

Under terms of the settlement, BJ's will implement a comprehensive information-security program subject to third-party audits every other year for the next two decades.

The Federal Trade Commission said today that BJ's Wholesale Club Inc. has agreed to settle charges that it failed to provide adequate security for its customer data.

According to the FTC, BJ's failed to encrypt customer data when transmitted or stored on BJ's computers, kept that data in files accessible using default passwords, and ran insecure, insufficiently monitored wireless networks.

The FTC charges that the company's lax data security led to a series of fraudulent purchases at non-BJ's stores made with counterfeit credit cards that contained personal information BJ's had previously collected from the magnetic stripes of customers' credit cards. As a result of the fraud, affected financial institutions filed suit against BJ's to recover damages. According to a May Securities and Exchange Commission filing, BJ's recorded charges of $7 million in 2004 and an additional $3 million in 2005 to cover legal costs incurred in this matter.

BJ's, with revenue of $7.4 billion in fiscal 2005, operates 157 warehouse stores and 83 gas stations in 16 Eastern states. Some 8 million consumers are members. Nationally, it's the third-largest membership warehouse club, behind Costco and Sam's Club.

Under terms of the settlement, BJ's will implement a comprehensive information-security program subject to third-party audits every other year for the next two decades.

"BJ's takes the privacy and security of its members' information very seriously," the company said in a statement. "We have implemented and are committed to maintaining an information-security program that is designed to protect the security, confidentiality, and integrity of our members' information."

The consent agreement settling the FTC complaint includes the following requirements: a designated employee or employees to coordinate and be accountable for the information-security program; the identification of risks to customer data; the design and implementation of reasonable safeguards for that data; and monitoring to ensure compliance.

"Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security," said FTC chairman Deborah Platt Majoras in a statement. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information."

The FTC may have a lot of companies to challenge given the incidence of data loss and data breaches in past months. Companies with less-than-stellar data-handling records recently include Ameritrade, Bank of America, ChoicePoint, Citibank, DSW Shoe Warehouse, Polo Ralph Lauren, LexisNexis, and Time Warner.

Making good on her avowed intention, Platt Majoras in testimony before the Senate Committee on Commerce, Science and Transportation on Thursday recommended that "Congress consider whether companies that hold sensitive consumer data, for whatever purpose, should be required to take reasonable measures to ensure its safety."

She also urged that Congress consider requiring companies to notify consumers in the event of a data breach. California already has such a requirement.

Data Debacles: Top 10 Customer Data Loss Incidents

| Company/Organization | Number of affected customers | Date of initial disclosure |
|---|---|---|
| Citigroup | 3.9 million | June 6 |
| DSW Shoe Warehouse | 1.4 million | March 8 |
| Bank of America | 1.2 million | Feb. 25 |
| Time Warner | 600,000 | May 2 |
| LexisNexis | 310,000 | March 9 |
| Ameritrade | 200,000 | April 19 |
| Polo Ralph Lauren | 180,000 | April 14 |
| ChoicePoint | 145,000 | Feb. 15 |
| Boston College | 120,000 | March 17 |
| Bank of America and Wachovia | 108,000 | May 23 |

Source: InformationWeek, public disclosures by companies
