[Federal Register Volume 70, Number 237 (Monday, December 12, 2005)]
[Notices]
[Pages 73474-73476]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E5-7178]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 052 3096]
DSW, Inc.; Analysis of Proposed Consent Order To Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of Federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order--embodied in the consent
agreement--that would settle these allegations.
DATES: Comments must be received on or before January 2, 2006.
ADDRESSES: Interested parties are invited to submit written comments.
Comments should refer to ``DSW, Inc., File No. 052 3096,'' to
facilitate the organization of comments. A comment filed in paper form
should include this reference both in the text and on the envelope, and
should be mailed or delivered to the following address: Federal Trade
Commission/Office of the Secretary, Room 135-H, 600 Pennsylvania
Avenue, NW., Washington, DC 20580. Comments containing confidential
material must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with Commission Rule 4.9(c). 16 CFR
4.9(c) (2005).\1\ The FTC is requesting that any comment filed in paper
form be sent by courier or overnight service, if possible, because U.S.
postal mail in the Washington area and at the Commission is subject to
delay due to heightened security precautions. Comments that do not
contain any nonpublic information may instead be filed in electronic
form as part of or as an attachment to e-mail messages directed to the
following e-mail box: consentagreement@ftc.gov.
---------------------------------------------------------------------------
\1\ The comment must be accompanied by an explicit request for
confidential treatment, including the factual and legal basis for
the request, and must identify the specific portions of the comment
to be withheld from the public record. The request will be granted
or denied by the Commission's General Counsel, consistent with
applicable law and the public interest. See Commission Rule 4.9(c),
16 CFR 4.9(c).
---------------------------------------------------------------------------
The FTC Act and other laws the Commission administers permit the
collection of public comments to consider and use in this proceeding as
appropriate. All timely and responsive public comments, whether filed
in paper or electronic form, will be considered by the Commission, and
will be available to the public on the FTC Web site, to the extent
practicable, at http://www.ftc.gov. As a matter of discretion, the FTC
makes every effort to remove home contact information for individuals
from the public comments it receives before placing those comments on
the FTC Web site. More information, including routine uses permitted by
the Privacy Act, may be found in the FTC's privacy policy, at http://
www.ftc.gov/ftc/privacy.htm.
[[Page 73475]]
FOR FURTHER INFORMATION CONTACT: Jessica Rich (202) 326-3224, Bureau of
Consumer Protection, Room NJ-3158, 600 Pennsylvania Avenue, NW.,
Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 of
the Commission Rules of Practice, 16 CFR 2.34, notice is hereby given
that the above-captioned consent agreement containing a consent order
to cease and desist, having been filed with and accepted, subject to
final approval, by the Commission, has been placed on the public record
for a period of thirty (30) days. The following Analysis to Aid Public
Comment describes the terms of the consent agreement, and the
allegations in the complaint. An electronic copy of the full text of
the consent agreement package can be obtained from the FTC Home Page
(for December 1, 2005), on the World Wide Web, at http://www.ftc.gov/
os/2005/12/index.htm. A paper copy can be obtained from the FTC Public
Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW., Washington,
DC 20580, either in person or by calling (202) 326-2222.
Public comments are invited, and may be filed with the Commission
in either paper or electronic form. All comments should be filed as
prescribed in the ADDRESSES section above, and must be received on or
before the date specified in the DATES section.
Analysis of Agreement Containing Consent Order To Aid Public Comment
The Federal Trade Commission has accepted a consent agreement,
subject to final approval, from DSW Inc. (``DSW'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received and will decide whether it should
withdraw from the agreement and take other appropriate action or make
final the agreement's proposed order.
As described in the Commission's proposed complaint, DSW sells
footwear for men and women at approximately 190 stores in 32 states.
Consumers pay for their purchases with cash, credit cards, debit cards,
and personal checks. In the course of seeking approval for credit and
debit card purchases, DSW collects consumers' personal information,
including name, card number and expiration date, and other information,
from magnetic stripes on the cards. The information collected from the
magnetic stripe is particularly sensitive because it contains a
security code which can be used to create counterfeit cards that appear
genuine in the authorization process. In the course of seeking approval
for personal check purchases, DSW also collects consumers' personal
information, including routing number, account number, check number,
and the consumer's driver's license number and state, from the check
using Magnetic Ink Character Recognition (``MICR'') technology.
The Commission's proposed complaint alleges that DSW stored
consumers' personal information on computers on networks located at
both the store and corporate levels and failed to employ reasonable and
appropriate security measures to protect the information. The complaint
alleges that this failure was an unfair practice because it caused or
was likely to cause substantial consumer injury that was not reasonably
avoidable and was not outweighed by countervailing benefits to
consumers or competition. In particular, the complaint alleges that
until at least March 2005, DSW engaged in a number of practices which,
taken together, failed to provide reasonable security for sensitive
personal information, including: (1) Creating unnecessary risks to
personal information collected at its stores by storing it in multiple
files when it no longer had a business need to keep the information;
(2) failing to use readily available security measures to limit access
to its computer networks through wireless access points on the
networks; (3) storing the information in unencrypted files that could
be accessed easily by using a commonly known user ID and password; (4)
failing to sufficiently limit the ability of computers on one in-store
computer network to connect to computers on other in-store and
corporate networks; and (5) failing to employ sufficient measures to
detect unauthorized access.
The complaint further alleges that there have been fraudulent
charges on accounts that consumers had used at DSW's stores.
Additionally, some consumers whose checking account information was
compromised were advised to close their accounts, thereby losing access
to those accounts, and incurred out-of-pocket expenses such as the cost
of ordering new checks.
The proposed order applies to personal information from or about
consumers that DSW collects in connection with its business. It
contains provisions designed to prevent DSW from engaging in the future
in practices similar to those alleged in the complaint.
Specifically, part I of the proposed order requires DSW to
establish and maintain a comprehensive information security program in
writing that is reasonably designed to protect the security,
confidentiality, and integrity of personal information it collects from
or about consumers. The security program must contain administrative,
technical, and physical safeguards appropriate to DSW's size and
complexity, the nature and scope of its activities, and the sensitivity
of the personal information collected. Specifically, the order requires
DSW to:
Designate an employee or employees to coordinate and be
accountable for the information security program.
Identify material internal and external risks to the
security, confidentiality, and integrity of consumer information that
could result in unauthorized disclosure, misuse, loss, alteration,
destruction, or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks.
Design and implement reasonable safeguards to control the
risks identified through risk assessment, and regularly test or monitor
the effectiveness of the safeguards' key controls, systems, and
procedures.
Evaluate and adjust its information security program in
light of the results of testing and monitoring, any material changes to
its operation or business arrangements, or any other circumstances that
DSW knows or has reason to know may have a material impact on the
effectiveness of its information security program.
Part II of the proposed order requires that DSW obtain within 180
days, and on a biennial basis thereafter, an assessment and report from
a qualified, objective, independent third-party professional,
certifying, among other things, that: (1) DSW has in place a security
program that provides protections that meet or exceed the protections
required by part I of the proposed order, and (2) DSW's security
program is operating with sufficient effectiveness to provide
reasonable assurance that the security, confidentiality, and integrity
of consumers' personal information has been protected. This provision
is substantially similar to comparable provisions obtained in prior
Commission orders under section 5 of the FTC Act. See, e.g., BJ's
Wholesale Club, Inc., FTC Docket No. C-4148 (Sept. 20, 2005).
[[Page 73476]]
Parts III through VII of the proposed order are reporting and
compliance provisions. Part III requires DSW to retain documents
relating to compliance. For the assessments and supporting documents,
DSW must retain the documents for three (3) years after the date that
each assessment is prepared. Part IV requires dissemination of the
order now and for the next ten (10) years to persons with supervisory
responsibilities. Part V ensures notification to the FTC of changes in
corporate status. Part VI mandates that DSW submit compliance reports
to the FTC. Part VII is a provision ``sunsetting'' the order after
twenty (20) years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the
proposed order, and it is not intended to constitute an official
interpretation of the agreement and proposed order or to modify in any
way their terms.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. E5-7178 Filed 12-9-05; 8:45 am]
BILLING CODE 6750-01-P