03:47 PM
Connect Directly
Core System Testing: How to Achieve Success
Oct 06, 2016
Property and Casualty Insurers have been investing in modernizing their core systems to provide fl ...Read More>>

BJ's Wholesale Club Settles FTC Data-Protection Complaint

Under terms of the settlement, BJ's will implement a comprehensive information-security program subject to third-party audits every other year for the next two decades.

The Federal Trade Commission said today that BJ's Wholesale Club Inc. has agreed to settle charges that it failed to provide adequate security for its customer data.

According to the FTC, BJ's failed to encrypt customer data when transmitted or stored on BJ's computers, kept that data in files accessible using default passwords, and ran insecure, insufficiently monitored wireless networks.

The FTC charges that the company's lax data security led to a series of fraudulent purchases at non-BJ's stores made with counterfeit credit cards that contained personal information BJ's had previously collected from the magnetic stripes of customers' credit cards. As a result of the fraud, affected financial institutions filed suit against BJ's to recover damages. According to a May securities and Exchange Commission filing, BJ's recorded charges of $7 million in 2004 and an additional $3 million in 2005 to cover legal costs incurred in this matter.

BJ's, with revenue of $7.4 billion in fiscal 2005, operates 157 warehouse stores and 83 gas stations in 16 Eastern states. Some 8 million consumers are members. Nationally, it's the third-largest membership warehouse club, behind Costco and Sam's Club.

Under terms of the settlement, BJ's will implement a comprehensive information-security program subject to third-party audits every other year for the next two decades.

"BJ's takes the privacy and security of its members' information very seriously," the company said in a statement. "We have implemented and are committed to maintaining an information-security program that is designed to protect the security, confidentiality, and integrity of our members' information."

The consent agreement settling the FTC complaint includes the following requirements: a designated employee or employees to coordinate and be accountable for the information-security program; the identification of risks to customer data; the design and implementation of reasonable safeguards for that data; and monitoring to ensure compliance.

"Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security," said FTC chairman Deborah Platt Majoras in a statement. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information."

The FTC may have a lot of companies to challenge given the incidence of data loss and data breaches in past months. Companies with less-than-stellar data-handling records recently include Ameritrade, Bank of America, ChoicePoint, Citibank, DSW Shoe Warehouse, Polo Ralph Lauren, LexisNexis, and Time Warner.

Making good on her avowed intention, Platt Majoras in testimony before the Senate Committee on Commerce, Science and Transportation on Thursday recommended that "Congress consider whether companies that hold sensitive consumer data, for whatever purpose, should be required to take reasonable measures to ensure its safety."

She also urged that Congress consider requiring companies to notify consumers in the event of a data breach. California already has such a requirement.

Data Debacles: Top 10 Customer Data Loss Incidents
Company/Organization Number of
Date of
3.9 million
June 6
DSW Shoe Warehouse
1.4 million
March 8
Bank of America
1.2 million
Feb. 25
Time Warner
May 2
March 9
April 19
Polo Ralph Lauren
April 14
Feb. 15
Boston College
March 17
Bank of America
and Wachovia
May 23
Source: InformationWeek, public disclosures by companies

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.