Shoe discounter DSW Inc. has agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data was an unfair practice that violated federal law.
According to the FTC, DSW's data-security failure allowed hackers to gain access to the sensitive credit card, debit card, and checking account information of more than 1.4 million customers.
The settlement will require DSW to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.
Columbus, Ohio-based DSW operates approximately 190 stores in 32 states. In 2004, DSW generated $961 million in net sales and sold approximately 23.7 million pairs of shoes.
According to the FTC's complaint, DSW uses computer networks to obtain authorization for credit card, debit card, and check purchases at its stores and to track inventory.
For credit and debit card purchases, DSW collects information, such as name, card number, and expiration date, from the magnetic stripe on the back of the cards. This magnetic stripe information is particularly sensitive because it contains a security code that can be used to create counterfeit cards that appear genuine in the authorization process.
For check purchases, DSW collects information such as routing number, account number, check number, and the consumer's driver's license number and state.
In each case, the information was wirelessly transmitted to a computer network located in the store, and from there was sent to the appropriate bank or check processor.
The FTC charges that until at least March 2005, DSW engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive customer information. Specifically, the agency alleges that DSW:
created unnecessary risks to sensitive information by storing it in multiple files when it no longer had a business need to keep the information;
failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
stored the information in unencrypted files that could be easily accessed using a commonly known user ID and password;
failed to sufficiently limit the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
failed to employ sufficient measures to detect unauthorized access.
The FTC charges that a total of approximately 1.4 million credit and debit cards and 96,000 checking accounts were compromised, and that there have been fraudulent charges on some of these accounts.
Further, some customers whose checking account information was compromised have incurred out-of-pocket expenses in connection with closing their accounts and ordering new checks. Some checking account customers have contacted DSW to request reimbursement for their expenses, and DSW has provided some amount of reimbursement to these customers.
According to DSW's SEC filings, as of July 2005, the company's exposure for losses related to the breach ranges from $6.5 million to $9.5 million.
The FTC alleges that DSW's failure to secure customers' sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition.
The settlement requires DSW to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards.
It also requires DSW to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order.
DSW also will be subject to standard recordkeeping and reporting provisions that allow the FTC to monitor compliance.
This is the FTC's seventh case challenging faulty data security practices by retailers and others.