According to the FTC, BJ's failed to encrypt customer data when transmitted or stored on BJ's computers, kept that data in files accessible using default passwords, and ran insecure, insufficiently monitored wireless networks.
BJ's, with revenue of $7.4 billion in fiscal 2005, operates 157 warehouse stores and 83 gas stations in 16 Eastern states. Some 8 million consumers are members. Nationally, it's the third-largest membership warehouse club, behind Costco and Sam's Club.
Under terms of the settlement, BJ's will implement a comprehensive information-security program subject to third-party audits every other year for the next two decades.
"BJ's takes the privacy and security of its members' information very seriously," the company said in a statement. "We have implemented and are committed to maintaining an information-security program that is designed to protect the security, confidentiality, and integrity of our members' information."
The consent agreement settling the FTC complaint includes the following requirements: a designated employee or employees to coordinate and be accountable for the information-security program; the identification of risks to customer data; the design and implementation of reasonable safeguards for that data; and monitoring to ensure compliance.
"Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security," said FTC chairman Deborah Platt Majoras in a statement. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information."
The FTC may have a lot of companies to challenge given the incidence of data loss and data breaches in past months. Companies with less-than-stellar data-handling records recently include Ameritrade, Bank of America, ChoicePoint, Citibank, DSW Shoe Warehouse, Polo Ralph Lauren, LexisNexis, and Time Warner.
Making good on her avowed intention, Platt Majoras in testimony before the Senate Committee on Commerce, Science and Transportation on Thursday recommended that "Congress consider whether companies that hold sensitive consumer data, for whatever purpose, should be required to take reasonable measures to ensure its safety."
She also urged that Congress consider requiring companies to notify consumers in the event of a data breach. California already has such a requirement.
Data Debacles: Top 10 Customer Data Loss Incidents
Table columns: Company/Organization; Number of affected customers; Date of initial disclosure (figures and dates not reproduced here)
Citigroup
DSW Shoe Warehouse
Bank of America
Time Warner
LexisNexis
Ameritrade
Polo Ralph Lauren
ChoicePoint
Boston College
Bank of America and Wachovia
Source: InformationWeek, public disclosures by companies