Dave & Buster's Busted: Another Alleged Failure to Implement "Reasonable Security"

We are seeing more and more private litigation and regulatory enforcement actions around the issue of what constitutes "reasonable security."  This week we see another.  Once again the FTC asserts that a company has failed to take "reasonable and appropriate security measures" to protect personal information.  Yesterday, in its 27th case challenging inadequate data security practices by organizations that handle sensitive consumer information, the FTC announced settlement of its complaint against Dave & Buster's, the restaurant chain.  Here is the Agreement Containing Consent Order.  The FTC alleged in its complaint that, from April 30, 2007 to August 28, 2007, a hacker exploited vulnerabilities in Dave & Buster's systems to install unauthorized software and access approximately 130,000 credit and debit cards. 

To obtain authorization for payment card purchases, Dave & Buster's collects the following card information from consumers: the credit card account number, the expiration date, and the electronic security code used for authorization. The restaurant collects this information at in-store terminals, transfers the data to its in-store servers, and then transmits the data to a third-party credit card processing company. The FTC alleges that the hacker was successful because Dave & Buster's:

(a) failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by employing an intrusion detection system and monitoring system logs;

(b) failed to adequately restrict third-party access to its networks, such as by restricting connections to specified IP addresses or granting temporary, limited access;

(c) failed to monitor and filter outbound traffic from its networks to identify and block export of sensitive personal information without authorization;

(d) failed to use readily available security measures to limit access between in-store networks, such as by employing firewalls or isolating the payment card system from the rest of the corporate network; and

(e) failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks.
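As an added illustration, and not part of the FTC complaint or of this post, the following Python script shows what the controls the complaint says were missing in items (a) through (d) look like when reduced to a policy check run over connection logs: log monitoring, restriction of third-party access to specific source addresses, egress filtering from the card-handling segment, and isolation of that segment from the corporate network. The segment ranges, the processor address, the vendor address and port, and the log-line format are all assumptions made for the example, and the log lines are constructed.

```python
"""Policy check over constructed connection-log lines, covering items (a)-(d):
log monitoring, third-party access restriction, egress filtering and segmentation.
All addresses, ports and the log format are assumptions for this example."""
import ipaddress
from dataclasses import dataclass

# Assumed store layout: an isolated payment segment and a separate corporate segment.
PAYMENT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")    # POS terminals and in-store card server
CORPORATE_SEGMENT = ipaddress.ip_network("10.10.0.0/16")  # back-office hosts
INTERNAL_SEGMENTS = (PAYMENT_SEGMENT, CORPORATE_SEGMENT)
# The only outbound destination the payment segment needs: the card processor (assumed address).
PROCESSOR_ALLOWLIST = {(ipaddress.ip_address("203.0.113.10"), 443)}
# The support vendor's remote-access port and the only source it may connect from (assumed).
VENDOR_PORT = 3389
VENDOR_ALLOWLIST = {ipaddress.ip_address("198.51.100.7")}


@dataclass(frozen=True)
class Conn:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    bytes_out: int


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in seg for seg in INTERNAL_SEGMENTS)


def parse_line(line: str) -> Conn:
    """Parse '<ts> <src>:<port> -> <dst>:<port> <bytes_out>' (constructed format)."""
    ts, src, _arrow, dst, bytes_out = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Conn(ts, ipaddress.ip_address(sip), int(sport),
                ipaddress.ip_address(dip), int(dport), int(bytes_out))


def evaluate(conn: Conn) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for every policy the connection violates."""
    findings = []
    src_pay, dst_pay = conn.src in PAYMENT_SEGMENT, conn.dst in PAYMENT_SEGMENT
    # (c) egress filtering: payment hosts may only talk to the processor.
    if src_pay and not dst_pay and (conn.dst, conn.dport) not in PROCESSOR_ALLOWLIST:
        findings.append(("egress",
                         f"{conn.src} sent {conn.bytes_out} bytes to unapproved {conn.dst}:{conn.dport}"))
    # (d) segmentation: corporate hosts must not reach the payment segment at all.
    if conn.src in CORPORATE_SEGMENT and dst_pay:
        findings.append(("segmentation",
                         f"corporate host {conn.src} reached {conn.dst}:{conn.dport}"))
    # (b) third-party access: the vendor port is reachable only from the approved external source.
    if dst_pay and conn.dport == VENDOR_PORT and not is_internal(conn.src) \
            and conn.src not in VENDOR_ALLOWLIST:
        findings.append(("third_party",
                         f"remote-support connection to {conn.dst} from unapproved {conn.src}"))
    return findings


def audit(lines) -> list[tuple[str, str]]:
    """(a) log monitoring: run every line through the policy, collect (timestamp, rule)."""
    return [(c.ts, rule) for c in map(parse_line, lines) for rule, _ in evaluate(c)]


# Constructed sample log: one legitimate authorization, one bulk export to an unknown host,
# one lateral move from the corporate segment, one approved vendor session, and one
# vendor-port connection from an address that is not on the vendor allowlist.
SAMPLE_LOG = [
    "2007-06-01T02:14:05 10.20.0.15:51234 -> 203.0.113.10:443 1820",
    "2007-06-01T02:15:40 10.20.0.15:51300 -> 192.0.2.77:8080 524288",
    "2007-06-01T02:16:12 10.10.4.9:60000 -> 10.20.0.5:445 900",
    "2007-06-01T02:17:55 198.51.100.7:40000 -> 10.20.0.5:3389 300",
    "2007-06-01T02:18:01 192.0.2.77:40001 -> 10.20.0.5:3389 300",
]

if __name__ == "__main__":
    for ts, rule in audit(SAMPLE_LOG):
        print(ts, rule)
```

Run against the sample log, the script flags the bulk export as an egress violation, the corporate-to-payment connection as a segmentation violation, and the vendor-port connection from the unlisted address as a third-party access violation, while the authorization to the processor and the vendor session from the approved address pass. In a real deployment the same policy would be enforced at the firewall between segments and at the egress point, with the log check acting as the independent detection layer item (a) calls for.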

The card issuing banks have claimed several hundred thousand dollars in fraudulent charges.

Not surprisingly, the FTC alleged these failures to implement "reasonable security" constituted an unfair act or practice in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a).

Like many similar FTC settlements, this one requires Dave & Buster's to establish and maintain a comprehensive information security program and to obtain independent assessments of it. The assessor must be a person qualified as a Certified Information Systems Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding a Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection. The initial assessment covers the first one hundred and eighty (180) days after service of the order, and further assessments cover each two (2) year period thereafter for ten (10) years after service of the order.

The comprehensive information security program required of Dave & Buster's must include the following, and more:

A. the designation of an employee or employees to coordinate and be accountable for the information security program;

B. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;

C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;

D. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and

E. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.

Incidentally, for those of you, like me, who are fascinated (yes, it is true, I admit it) by the many and differing definitions of "Personal Information" out there in this country, you may be interested to note the FTC's definition for purposes of this settlement:

“Personal information” shall mean individually identifiable information from or about an individual consumer including, but not limited to: (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a telephone number; (e) a Social Security number; (f) a driver’s license number; (g) a credit card or debit card account number; (h) a persistent identifier, such as a customer number held in “cookie” or processor serial number, that is combined with other available data that identifies an individual consumer; or (i) any information that is combined with any of (a) through (h) above.

We fully expect to see more FTC action in this area.  Stay tuned for settlement number 28.