Tower Records has agreed to settle charges from the Federal Trade Commission that a flaw in its online checkout system exposed customer information in violation of the company's own security and privacy statement on its Web site.

Tower's security woes began in November 2002, according to the FTC complaint, when the company redesigned its checkout software. According to the FTC, the updated software failed to properly password-protect customers' account information, as was promised in the company's privacy and confidentiality statements to consumers. Also, the FTC alleged, the new checkout system contained a "commonly known and reasonably foreseeable vulnerability."

While Tower Records, a unit of MTS Inc., didn't admit to any wrongdoing as part of the consent order, the settlement requires that Tower not make further security and privacy "misrepresentations" and that it maintain an appropriate security program. The agreement also requires Tower's Web site be audited every two years for a period of 10 years.

According to the FTC, the security hole allowed others to possibly view the order history, names, billing and shipping addresses, E-mail addresses, and phone numbers of Tower customers.

In a statement, Tower described the incident as isolated and said no personal financial information, such as credit-card or Social Security numbers, was at risk. "We take the privacy and security of personal information collected from our customers very seriously and have cooperated fully and worked closely with the FTC to ensure that we protect our customers to the best of our ability," CIO Bill Baumann said in the statement.

This is the fourth time the FTC has taken such action. Previous agreements have been struck with Guess, Eli Lilly, and Microsoft.

In a statement, Howard Beales, director of the FTC's Bureau of Consumer Protection, said, "Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities."