BJ's Wholesale Club and the Federal Trade Commission have entered into a settlement agreement following charges that BJ's didn't provide adequate security for customers' personal information. The process of dealing with the charges is said to have cost BJ's $10M in legal fees, and the settlement requires BJ's to undergo audits of its security practices every two years for the next twenty years. From Privacyspot:
$10 Million Later, BJ's Agrees to Audits Every Other Year for 20 Years | PrivacySpot.com - Privacy Law and Data Protection:
"The FTC and BJ's Wholesale Club ("BJ's") recently announced that they have agreed to settle the charges against BJ's that it failed to provide adequate security for its customer data.
The FTC claimed that BJ's lackadaisical data security policies failed to protect against fraudulent purchases at other stores made with counterfeit credit cards that contained personal information BJ's had collected from the magnetic stripes of its customers' credit cards. Specifically, the FTC cited BJ's failure to encrypt customer data when transmitted or stored on BJ's computers, to properly password protect customer data, and to run secure, sufficiently monitored wireless networks.
In a classic case of why companies should be proactive about addressing security and privacy, it's being reported that BJ's incurred $10 million in legal costs in 2004 and 2005 resolving this matter.
As part of the settlement, BJ's agreed to implement a comprehensive information-security program. Additionally, in line with the FTC's notorious history of lengthy audit requirements, even though BJ's admitted to no wrongdoing, it will be subject to third-party audits every other year for the next 20 years. Imagine the administrative burden associated with this settlement requirement.
In announcing the settlement, FTC chairman Deborah Platt Majoras stated, "Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security. This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information." Companies that fail to pay close attention to what constitutes "due care" run the risk of facing expensive and burdensome clean-up costs down the road."