Agency Says Company Failed to Protect Sensitive Customer Data
Shoe discounter DSW Inc. has agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data was an unfair practice that violated federal law. According to the FTC, DSW’s data-security failure allowed hackers to gain access to the sensitive credit card, debit card, and checking account information of more than 1.4 million customers. The settlement will require DSW to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.
Columbus, Ohio-based DSW operates approximately 190 stores in 32 states. In 2004, DSW generated $961 million in net sales and sold approximately 23.7 million pairs of shoes.
According to the FTC’s complaint, DSW uses computer networks to obtain authorization for credit card, debit card, and check purchases at its stores and to track inventory. For credit and debit card purchases, DSW collects information, such as name, card number, and expiration date, from the magnetic stripe on the back of the cards. This magnetic stripe information is particularly sensitive because it contains a security code that can be used to create counterfeit cards that appear genuine in the authorization process. For check purchases, DSW collects information such as routing number, account number, check number, and the consumer’s driver’s license number and state. In each case, the information was wirelessly transmitted to a computer network located in the store, and from there was sent to the appropriate bank or check processor.
The FTC charges that until at least March 2005, DSW engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive customer information. Specifically, the agency alleges that DSW:
- Created unnecessary risks to sensitive information by storing it in multiple files when it no longer had a business need to keep the information;
- Failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
- Stored the information in unencrypted files that could be easily accessed using a commonly known user ID and password;
- Failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
- Failed to employ sufficient measures to detect unauthorized access.
The FTC charges that a total of approximately 1.4 million credit and debit cards and 96,000 checking accounts were compromised, and that there have been fraudulent charges on some of these accounts. Further, some customers whose checking account information was compromised have incurred out-of-pocket expenses in connection with closing their accounts and ordering new checks. Some checking account customers have contacted DSW to request reimbursement for their expenses, and DSW has provided some amount of reimbursement to these customers. According to DSW’s SEC filings, as of July 2005, the company’s exposure for losses related to the breach ranges from $6.5 million to $9.5 million.
The FTC alleges that DSW’s failure to secure customers’ sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition. The settlement requires DSW to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires DSW to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order. DSW also will be subject to standard record keeping and reporting provisions to allow the FTC to monitor compliance.
This is the FTC’s seventh case challenging faulty data security practices by retailers and others.
The Commission vote to accept the proposed consent agreement was 4-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through January 2, 2006, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
NOTE: Consent agreements are for settlement purposes only and do not constitute an admission by the defendant of a law violation.
Copies of the complaint and consent order are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
(FTC File No. 052-3096)