Businesses that collect consumers' personal information have been reminded again: Protect that information or face painful consequences.

Retailer TJX Cos. and data brokers Reed Elsevier (REI) and Seisint, in settlements with the Federal Trade Commission (FTC), agreed last week to have their security programs audited every other year for 20 years. The companies must retain independent, third-party security auditors to do the job. They also must implement stronger security programs and be subject to provisions that enable the FTC to monitor compliance.

TJX, which owns T.J. Maxx and other discount retail stores, disclosed in January 2007 that hackers had broken into its computer network, exposing at least 45 million credit cards to fraud. Banks that sued TJX estimated that more than 100 million cards were affected. Seisint, acquired by REI in 2004, allowed customers to use "easy-to-guess passwords" to enter its Accurint databases, the FTC stated. Identity thieves broke through the barriers.

In 2005, a shoe outlet and a wholesale club reached similar agreements with the FTC after security breaches. In addition to measures imposed by the FTC, at least 35 states have legislation in place regulating the handling of consumers' personal information—commonly defined as a person's first and last names in combination with a Social Security, driver's license, credit or debit card number. Most impose penalties on businesses that fail to report security breaches. Businesses also must meet standards established by the payment card industry (PCI).

Ballard Spahr has counseled businesses of all sizes on how to securely maintain personal information and become PCI-compliant. To discuss this or related issues, including best business practices to avoid state and/or federal enforcement action resulting from data security breaches, please contact any member of the White Collar Litigation Group.



Copyright © 2008 by Ballard Spahr LLP.
(No claim to original U.S. government material.)



This newsletter is a periodic publication of Ballard Spahr LLP and is intended to alert the recipients to new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer concerning your situation and specific legal questions you have.