
FTC applies Safeguards Rule to retailer’s non-financial activities

November 22, 2010

The Federal Trade Commission has settled a charge against a large retailer, BJ’s Wholesale Club, that the company failed to appropriately safeguard sensitive credit and debit card information that it received from thousands of its customers.


Because the alleged security violation did not involve finance or lease activity by the retailer, the FTC did not allege a violation of the FTC Safeguards Rule. Instead, it alleged that the retailer’s inadequate security procedures constituted an unfair practice under the Federal Trade Commission Act.


That distinction aside, the FTC’s proposed consent order requires BJ’s to establish and maintain a comprehensive written information security program that contains most elements required by the Safeguards Rule.


Thus, even though the alleged security failure did not involve significant financial activity that triggers Safeguards Rule compliance, the FTC nonetheless imposed Safeguards Rule requirements on the retailer’s non-financial activity based on its FTC Act authority.


In a news release explaining the action, FTC Chairman Deborah Platt Majoras said: "Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security. . . . This case demonstrates our intention to challenge companies that fail to protect adequately consumers’ sensitive information."


The development underscores the need for dealers to adequately safeguard customer information received in all parts of the dealership, not just those involving finance and lease activity.


Expanding customer information safeguards also should help to reduce future compliance burdens that likely will result from anti-identity theft legislation currently being considered on Capitol Hill.


BJ’s Wholesale Club agreed to settle the FTC charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers allowed an unauthorized person or persons to make millions of dollars of fraudulent purchases.


The FTC charged that BJ’s engaged in a number of practices that, taken together, did not provide reasonable security for sensitive customer information. Specifically, the agency charged that BJ’s:


  • Failed to encrypt consumer information when it was transmitted or stored on computers in BJ’s stores; 
  • Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
  • Stored the information in files that could be accessed using commonly known default user IDs and passwords; 
  • Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
  • Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations. 

The FTC’s complaint charged that the fraudulent purchases were made using counterfeit copies of credit and debit cards used at BJ’s stores, and that the counterfeit cards contained the same personal information BJ’s had collected from the magnetic stripes of the cards.


After the fraud was discovered, banks cancelled and re-issued thousands of credit and debit cards, and consumers experienced inconvenience, worry, and time loss dealing with the affected cards. Since then, banks and credit unions have filed lawsuits against BJ’s and pursued bank procedures seeking the return of millions of dollars in fraudulent purchases and operating expenses.

According to BJ’s SEC filings, as of May 2005, the amount of outstanding claims was approximately $13 million.


The settlement also requires BJ’s to obtain audits by an independent third-party security professional every other year for 20 years.