The Federal Trade Commission's recent settlement with BJ's Wholesale Club makes an effective security program a national requirement for any company that holds personal information, regardless of industry or specific statutory or regulatory requirements. To the FTC, a failure to develop and implement an effective information security program constitutes an "unfair and deceptive" trade practice, independent of any specific statutory or regulatory requirements. As such, every company should be familiar with the facts about the BJ Wholesale case and the security program mandated by the FTC enforcement action, so that the company can design an effective security program for its business operations. Moreover, pending legislation in both the House and the Senate likely will make these provisions more formal and more binding.
The BJ Wholesale Case
For the past ten years, the Federal Trade Commission has been an aggressive enforcer of privacy and security programs, typically relying on its jurisdiction under Section 5 of the Federal Trade Commission Act to regulate "unfair or deceptive trade practices." In its numerous prior enforcement actions, the Federal Trade Commission typically has relied on measuring a company's promise to provide effective security protections and taking enforcement action where a company's program did not live up to these promises, even where there was no legal requirement to make such a promise.
The Alleged Violation:
In the BJ Wholesale case (announced June 16, 2005), however, the FTC took enforcement action despite the fact that BJ Wholesale apparently made no representations whatsoever to its customers concerning security protections. Instead, the FTC alleged (in the Complaint filed along with various settlement documents) that BJ Wholesale's information security practices, taken together, did not provide "reasonable security for sensitive customer information." Specifically, the FTC alleged that BJ Wholesale violated the FTC Act because it:
These problematic practices apparently came to light because of a large number of false or fraudulent charges posted to BJ Wholesale customer accounts, which the FTC determined to have been derived from "hacker" access to this poorly secured information (including through in-store wireless networks). (See http://www.ftc.gov/opa/2005/06/bjswholesale.htm for a full set of documents related to this action).
As a result of these alleged failures, BJ Wholesale settled the FTC allegations, without admitting any wrongdoing. This settlement includes not only a requirement to implement "a comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of personal information collected from or about consumers," but also requires the company to have an independent third party assessment of this program, every other year for the next 20 years, subject to ongoing FTC oversight.
In effect, the FTC required BJ Wholesale to implement a security program mirroring the requirements set out by the FTC for entities regulated under the Gramm-Leach-Bliley Act. This "comprehensive" security program, which must be "fully documented in writing" and be "appropriate" to the company's "size and complexity, the nature and scope of the company's activities, and the sensitivity of the personal information collected," must include the following components:
1. The designation of an employee (or employees) to coordinate and be accountable for the information security program;
2. The identification of "material internal and external" risks to the security of this personal information (with this risk assessment to include employee training and management; information systems and prevention, detection and response to attacks, intrusions or other system failures);
3. The design and implementation of reasonable safeguards to control the risks identified in this risk assessment; and
4. The evaluation and adjustment of the program in light of the results of testing and ongoing monitoring of the program, material changes to the company's operations or business arrangements or "any other" circumstances that may have a material impact on the effectiveness of the security program.
Beyond the specific components of the information security program, BJ Wholesale also agreed to obtain, every other year, an "assessment and report" from a "qualified, objective, independent third party professional" that:
The settlement requires BJ Wholesale to provide the first assessment directly to the FTC, and to make all subsequent reports, for a 20-year period, available to the FTC upon request. (There are other document retention requirements related to documents that "contradict, qualify or call into question" the company's compliance with the settlement order, and all other documents relating to the company's compliance with the order). The settlement agreement remains in effect for 20 years from the date of its issuance.
With each successive enforcement action, the FTC is extending the reach of its information security enforcement activities. Starting with regulated entities, and moving on to breach of security representations and now to a general obligation to maintain an effective security program, the FTC has essentially created a national, non-statutory standard requiring any business that collects and maintains personal information to develop and implement an information security program. The only remaining step, perhaps, is to take enforcement action without a security breach, but the standard has been set across the country. What does this mean?
Developing An Effective Security Program
The clearest conclusion from the BJ Wholesale case is that the Federal Trade Commission believes that every company, regardless of industry and formal statutory or regulatory requirements, must maintain an effective information security program if it is to avoid "unfair and deceptive" trade practices. So, regardless of industry, any company that collects or maintains personal information must have such a program. (Note that this program also must incorporate the "disposal" requirements of the FTC's rule on the disposal of consumer report information.)
While an "effective" program is not the same as a "perfect" program, an effective security program must be appropriate to the "size and complexity" of the company's business activities, and must take into account the "sensitivity" of the customer information. This program must include a risk assessment addressing the company's overall collection of personal information (and, unlike the rules for the health care industry, it is not limited to "electronic" information). Following this risk assessment, the company must make "reasonable" choices about how it is to mitigate the risks identified in this assessment. Once this initial assessment and plan have been developed, a company must test, monitor and regularly re-evaluate the program, to ensure that the program keeps pace with developments both in the information security field in general, and in the specific operations and environment of the company.
On the same day that the BJ Wholesale case was announced, the Senate Commerce Committee held a hearing focusing on the recent barrage of information security breaches, and evaluating appropriate legislative responses to this highly visible problem. The hearing focused on three main issues:
The FTC's actions in BJ Wholesale indicate that, at least as far as broad requirements for a security program are concerned, the FTC believes (at least through its enforcement activities) that such a requirement is already present at a national level, but the legislative debate will continue, with some legislation likely this year. Each news report concerning a new security breach increases the likelihood of this new legislation. The Senate Commerce Committee has passed a legislative proposal detailing specific security requirements, with hearings in the Senate Judiciary Committee and the House also expected shortly.
Because of the focus on "appropriate" risk levels and "reasonable" security measures, there is the obvious possibility that security breaches will occur no matter what precautions are taken. Accordingly, it is critical that companies have an effective mitigation plan in the event of a security breach. This plan should involve not only how to correct the particular situation - but also an assessment of how to revise existing policies to prevent recurrences. This mitigation plan is very important, because this plan kicks in when the rubber meets the road - you have had a breach and need to "fix it" immediately in the eyes of your customers, regulators and management.
This plan also needs a reporting component - evaluating whether reporting (to regulators or customers) is required, and whether reporting should be undertaken independent of any specific legal requirements. (This "reporting" component is a key feature of the ongoing legislative debate.) This analysis should include consideration of what to say about a breach and when to say it. Again, because of the tensions and pressures created when a security breach takes place, these reporting decisions typically are made under intense business pressure and (perhaps) public scrutiny. Reporting is neither required nor appropriate with every security breach (and Congress and the FTC both are concerned about the risk of "overnotification," with the concern that consumers will become numbed by constant security breach notifications), but it should be considered by senior management in any circumstance where there is any realistic likelihood of customer impact.
Security breaches remain in the news, with each successive breach both reinforcing the risks and increasing awareness of security problems. No company, large or small, can afford to ignore this sea change in the protection of personal information. The FTC guidelines stemming from BJ's Wholesale should be a minimum starting point for every company, with a critical need to identify the risks in a particular company's environment and an effective means of reducing these risks to reasonable levels.
Kirk J. Nahra is a Partner with Wiley Rein & Fielding LLP in Washington, DC, where he specializes in healthcare, privacy, information security and insurance fraud litigation and counseling for the health care and property/casualty insurance industries and others in the financial services industry and elsewhere facing compliance obligations in these areas. He chairs the firm's Privacy Practice and is co-chair of its Health Care Practice, assisting companies in a wide range of industries in analyzing and implementing the requirements of privacy and security laws across the country and internationally. Nahra, a Certified Information Privacy Professional, was elected to the Board of Directors of the International Association of Privacy Professionals, and serves as the editor of Privacy Officers Advisor, the monthly newsletter of the International Association of Privacy Professionals. He can be reached at (202)719-7335.