FTC Sharpens FACTA's Teeth
On June 16th the FTC issued the first ruling against a company under the Fair and Accurate Credit Transactions Act (FACTA). This ruling dramatically increased the scope of businesses covered under the law. Initially the FTC defined personal information as that taken from a credit report. Companies are now responsible for safely collecting, holding and disposing of any personally identifiable information, or they risk running afoul of the law.
The FTC charged that BJ's Wholesale Club engaged in a number of practices which, taken together, did not provide reasonable security for sensitive customer information. The FTC also alleges that BJ's failure to secure customers' sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition.
So what did BJ's Wholesale Club do? They failed to encrypt credit card numbers that were stored on computers at BJ's stores; the customer information was kept past the date it was required; and the files holding the customer information were protected only by default passwords. The result was the theft of credit card numbers that were used to run up $13 million in fraudulent charges.
“Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security,” said Deborah Platt Majoras, Chairman of the FTC. “This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information.”
In addition to FTC enforcement, FACTA provides for civil action against companies. “With unlimited statutory damages [under FACTA] this is a litigator's dream,” says Thomas Hefferon, Partner at Goodwin Procter LLP. He describes the perfect case as one that is interesting, clearly in violation of the law and involves a large number of people or dollars. An example of all three is a dumpster full of customer records.
If you aren't scared yet, consider California Senate Bill 1386. This is the California law that requires companies to notify their customers of any breach of consumer information. Public companies that have had to notify their customers have seen their stock valuations drop by 9-11%. How would your investors react to a drop in your stock price that dramatic?
The lesson that every business should learn from this ruling is that you are now held to a higher standard with your customers' personal information. Minimal security is no longer an acceptable standard. You should be looking to implement “best practices” for all of your information security. This includes properly destroying information after its useful life.