Another alphabet-agency jumps into the pool regarding lapses in customer data security.
Just when a GC may think this issue mostly involves financial institutions, in comes the Federal Trade Commission. In a case involving BJ’s Wholesale Club, the FTC has reached a settlement that, among other things, will require:
… BJ’s to implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years.
Twenty years! The Economist noted this development, and wondered whether “Boards should pay as much attention to these IT operational risks as they do to other operational risks in the firm…”
The FTC press release goes on to say:
The FTC alleges that BJ’s failure to secure customers’ sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition.
If customer information “dataspills” go beyond violations of specific privacy statutes and become characterized as unfair competition, the universe of potential plaintiffs facing a company–formerly just the customers involved–may now include its competitors.