BJ's Wholesale Club Settles FTC Data-Protection Complaint - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

03:47 PM
Connect Directly

BJ's Wholesale Club Settles FTC Data-Protection Complaint

Under terms of the settlement, BJ's will implement a comprehensive information-security program subject to third-party audits every other year for the next two decades.

The Federal Trade Commission said today that BJ's Wholesale Club Inc. has agreed to settle charges that it failed to provide adequate security for its customer data.

According to the FTC, BJ's failed to encrypt customer data when transmitted or stored on BJ's computers, kept that data in files accessible using default passwords, and ran insecure, insufficiently monitored wireless networks.

The FTC charges that the company's lax data security led to a series of fraudulent purchases at non-BJ's stores made with counterfeit credit cards that contained personal information BJ's had previously collected from the magnetic stripes of customers' credit cards. As a result of the fraud, affected financial institutions filed suit against BJ's to recover damages. According to a May securities and Exchange Commission filing, BJ's recorded charges of $7 million in 2004 and an additional $3 million in 2005 to cover legal costs incurred in this matter.

BJ's, with revenue of $7.4 billion in fiscal 2005, operates 157 warehouse stores and 83 gas stations in 16 Eastern states. Some 8 million consumers are members. Nationally, it's the third-largest membership warehouse club, behind Costco and Sam's Club.

Under terms of the settlement, BJ's will implement a comprehensive information-security program subject to third-party audits every other year for the next two decades.

"BJ's takes the privacy and security of its members' information very seriously," the company said in a statement. "We have implemented and are committed to maintaining an information-security program that is designed to protect the security, confidentiality, and integrity of our members' information."

The consent agreement settling the FTC complaint includes the following requirements: a designated employee or employees to coordinate and be accountable for the information-security program; the identification of risks to customer data; the design and implementation of reasonable safeguards for that data; and monitoring to ensure compliance.

"Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security," said FTC chairman Deborah Platt Majoras in a statement. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information."

The FTC may have a lot of companies to challenge given the incidence of data loss and data breaches in past months. Companies with less-than-stellar data-handling records recently include Ameritrade, Bank of America, ChoicePoint, Citibank, DSW Shoe Warehouse, Polo Ralph Lauren, LexisNexis, and Time Warner.

Making good on her avowed intention, Platt Majoras in testimony before the Senate Committee on Commerce, Science and Transportation on Thursday recommended that "Congress consider whether companies that hold sensitive consumer data, for whatever purpose, should be required to take reasonable measures to ensure its safety."

She also urged that Congress consider requiring companies to notify consumers in the event of a data breach. California already has such a requirement.

Data Debacles: Top 10 Customer Data Loss Incidents
Company/Organization Number of
Date of
3.9 million
June 6
DSW Shoe Warehouse
1.4 million
March 8
Bank of America
1.2 million
Feb. 25
Time Warner
May 2
March 9
April 19
Polo Ralph Lauren
April 14
Feb. 15
Boston College
March 17
Bank of America
and Wachovia
May 23
Source: InformationWeek, public disclosures by companies

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll