In re DSW, Inc., FTC Docket No. C-4157, Decision and Order (Dec. 1, 2005) (full-text).
Factual Background
According to the FTC’s complaint, DSW used computer networks to obtain authorization for credit card, debit card, and check purchases at its stores and to track inventory. For credit and debit card purchases, DSW collected information, such as name, card number, and expiration date, from the magnetic stripe on the back of the cards. The magnetic stripe information also contained a security code that could be used to create counterfeit cards that would appear to be genuine in the authorization process. For check purchases, DSW collected information such as routing number, account number, check number, and the consumer’s driver’s license number and state. According to the complaint, DSW’s data security failures allowed hackers to gain access to information on more than 1.4 million customers.
The FTC alleged that DSW:
- Created unnecessary risks to sensitive information by storing it in multiple files when it no longer had a business need to keep the information;
- Failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
- Stored the information in unencrypted files that could be easily accessed using a commonly known user ID and password;
- Failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
- Failed to employ sufficient measures to detect unauthorized access.
The question of whether any of these acts constituted “unfair acts or practices” under Section 5 was never adjudicated, since DSW immediately settled.
Consent and Order
Under the Order, which lasts for 20 years, DSW must:
- “Designate an employee or employees to coordinate and be accountable for the information security program”;
- “Identify material internal and external risks to security, confidentiality, and integrity of consumer information that could result in unauthorized disclosure, misuse, loss, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks”;
- “Design and implement reasonable safeguards to control risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems and procedures”; and
- “Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, and any other circumstances that DSW knows or has reason to know may have a material impact on the effectiveness of its information security program.”
DSW must also obtain a biennial assessment and report from a qualified, objective, independent, certified, third-party professional concerning DSW’s compliance with the Order.
In commenting on the DSW decision, the Commission indicated that it might use its enforcement discretion under Section 5 of the FTC Act to go beyond the substantive requirements of the Safeguards Rule under the Gramm-Leach-Bliley Act, and protect consumers' personal information even where the information is public.