Privacy — Enter the FTC

Another alphabet-agency jumps into the pool regarding lapses in customer data security.

Just when a GC may think this issue mostly involves financial institutions, in comes the Federal Trade Commission. In a case involving BJ’s Wholesale Club, the FTC has reached a settlement that, among other things, will require:

… BJ’s to implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years.

Twenty years! The Economist noted this development, and wondered whether “Boards should pay as much attention to these IT operational risks as they do to other operational risks in the firm…”

The FTC press release goes on to say:

The FTC alleges that BJ’s failure to secure customers’ sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition.

More on the FTC action is available here, in a recent BJ’s 10-Q filing (at item #8), and in Information Week.

If customer information “dataspills” go beyond violations of specific privacy statutes and become characterized as unfair competition, the universe of potential plaintiffs facing a company, formerly just the customers involved, may now include its competitors.