The IT Law Wiki

Citation

In re BJ’s Wholesale Club, Inc. (F.T.C. Sept. 20, 2005) (No. C-4148)

Factual Background

Thieves used the Wi-Fi system at a BJ’s Wholesale Club store in Miami to gain access to the store’s on-site computers. The Wi-Fi system was intended only to connect the on-site computers to inventory scanning devices, but because it was not secured it gave the thieves a path onto the in-store network, where default user IDs and passwords let them download bank card information and make fraudulent purchases with BJ’s customers’ credit and debit cards. The losses from fraudulent transactions, made with counterfeit cards produced from the stolen data, allegedly totaled around $13 million.

The Federal Trade Commission (FTC) filed a complaint against BJ’s under Section 5 of the FTC Act for an unfair act or practice due to BJ’s failure to provide “reasonable security” for its computer network, alleging that BJ’s:

  1. [D]id not encrypt the information while in transit or when stored on the in-store computer networks;
  2. [S]tored the information in files that could be accessed anonymously — that is, using a commonly known default user ID and password;
  3. [D]id not use readily available security measures to limit access to its computer networks through wireless access points on the networks;
  4. [F]ailed to employ sufficient measures to detect unauthorized access or conduct security investigations; and
  5. [C]reated unnecessary risks to the information by storing the data for up to thirty days when it no longer had a business need to keep the information, and in violation of bank rules.

“As a result, a hacker could have used the wireless access points on an in-store computer network to connect to the network and, without authorization, access personal information on the network.”

Settlement and Consent Order

The question of whether any or all of the acts alleged in the complaint constituted “unfair acts or practices” was never adjudicated: BJ’s did not contest the complaint and instead agreed to a consent order. Under that order, which runs for twenty years, BJ’s must:

  • designate “an employee or employees to coordinate and be accountable for the information security program”;
  • identify “material internal and external risks to security” including risks in “employee training and management, information systems . . . , and . . . response to . . . system failures”;
  • design and implement “reasonable safeguards to control risks identified through risk assessment and regular testing”; and
  • adjust the information security system to the results of the assessments and changes in the company’s operations.

BJ’s must also obtain a biennial assessment and report “from a qualified, objective, independent, certified third-party professional” concerning BJ’s compliance with the Order.

Comment

As one commentator noted, “[t]he agency will likely consider the terms of the BJ’s settlement (which last for 20 years) as the standard that all companies that obtain and store consumer financial information must meet.”[1]

References

  1. Perkins Coie LLP, “Is it an Unfair Practice to Lack Adequate Security for Consumer Information?,” July 5, 2005.