DSW, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 73474-73476 [E5-7178]
Federal Register / Vol. 70, No. 237 / Monday, December 12, 2005 / Notices
information for individuals from the
public comments it receives before
placing those comments on the FTC
Web site. More information, including
routine uses permitted by the Privacy
Act, may be found in the FTC’s privacy
policy at https://www.ftc.gov/ftc/privacy.htm.
FOR FURTHER INFORMATION CONTACT:
Requests for additional information or
copies of the proposed information
requirements should be sent to Stephen
Ecklund, Investigator, Division of
Enforcement, Bureau of Consumer
Protection, Federal Trade Commission,
600 Pennsylvania Ave., NW.,
Washington, DC 20580, (202) 326–2841.
SUPPLEMENTARY INFORMATION: On
September 27, 2005, the FTC sought
comment on the information collection
requirements associated with the FPLA,
16 CFR parts 500 through 503 (OMB
Control Number: 3084–0110). See 70 FR
56468. No comments were received.
Pursuant to the OMB regulations that
implement the PRA (5 CFR part 1320),
the FTC is providing this second
opportunity for public comment while
seeking OMB approval to extend the
existing paperwork clearance for the
Rule. All comments should be filed as
prescribed in the ADDRESSES section
above, and must be received on or
before January 11, 2006.
The FPLA was enacted to eliminate
consumer deception concerning product
size representations and package
content information. The regulations
that implement the FPLA, 16 CFR parts
500 through 503, establish requirements
for the manner and form of labeling
applicable to manufacturers, packagers,
and distributors of ‘‘consumer
commodities.’’ 2 Section 4 of the FPLA
specifically requires packages or labels
to be marked with: (1) A statement of
identity; (2) a net quantity of contents
disclosure; and (3) the name and place
of business of a company that is
responsible for the product.
Estimated annual hours burden:
6,534,000 total burden hours, rounded
to the nearest thousand (solely relating
to disclosure 3).
Staff conservatively estimates that
approximately 653,397 manufacturers,
packagers, distributors, and retailers of
consumer commodities make
disclosures at an average burden of ten
hours per entity, for a total disclosure
burden of 6,533,970 hours. As in the
past, Commission staff has used census
data to estimate the number of
companies. Based on a revised approach
to the commodity categories in the
Retail Trade census data, staff has
eliminated much of the overlapping
redundancies and lowered the estimate
of the number of retailers that sell
products subject to the Commission’s
FPLA regulations.
Estimated annual cost burden:
$114,998,000, rounded to the nearest
thousand (solely relating to labor costs).
The estimated annual labor cost
burden associated with the FPLA
disclosure requirements consists of an
estimated hour of managerial and/or
professional time per covered entity (at
an estimated average hourly rate of $50)
and nine hours of clerical time per
covered entity (at an estimated average
hourly rate of $14), for a total of
$114,997,872 ($176 per covered entity ×
653,397 entities).
Total capital and start-up costs are de
minimis. For many years, the packaging
and labeling activities that require
capital and start-up costs have been
performed by covered entities in the
ordinary course of business
independent of the FPLA and
implementing regulations. Similarly,
firms provide in the ordinary course of
business the information that the statute
and regulations require be placed on
packages and labels.
William Blumenthal,
General Counsel.
[FR Doc. E5–7179 Filed 12–9–05; 8:45 am]
BILLING CODE 6750–01–P
2 ‘‘Consumer commodity’’ means any article,
product, or commodity of any kind or class which
is customarily produced or distributed for sale
through retail sales agencies or instrumentalities for
consumption by individuals, or use by individuals
for purposes of personal care or in the performance
of services ordinarily rendered within the
household, and which usually is consumed or
expended in the course of such consumption or
use.’’ 16 CFR 500.2(c). For the precise scope of the
term’s coverage see 16 CFR 500.2(c); 503.2; 503.5.
See also https://www.ftc.gov/os/statutes/fpla/outline.html.
3 To the extent that the FPLA-implementing
regulations require sellers of consumer
commodities to keep records that substantiate
‘‘cents off,’’ ‘‘introductory offer,’’ and/or ‘‘economy
size’’ claims, staff believes that most, if not all, of
the records that sellers maintain would be kept in
the ordinary course of business, regardless of the
legal mandates.
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Office of the National Coordinator;
American Health Information
Community Meeting
ACTION:
Announcement of meeting.
SUMMARY: This notice announces the
third meeting of the American Health
Information Community in accordance
with the Federal Advisory Committee
Act (Pub. L. 92–463, 5 U.S.C., App.) The
American Health Information
Community will advise the Secretary
and recommend specific actions to
achieve a common interoperability
framework for health information
technology (IT).
DATES: January 17, 2006 from 8:30 a.m.
to 4 p.m.
ADDRESSES: Hubert H. Humphrey
building (200 Independence Ave., SW.,
Washington, DC 20201), conference
room 800.
FOR FURTHER INFORMATION CONTACT:
https://www.hhs.gov/healthit.
SUPPLEMENTARY INFORMATION: A Web
cast of the third Community meeting
will be available on the NIH Web site at:
https://www.videocast.nih.gov/. If you
have special needs for the meeting
please contact Amanda Smith at
Amanda.Smith@hhs.gov or (202) 690–
7385.
Dated: December 1, 2005.
Dana Haza,
Office of Programs and Coordination, Office
of the National Coordinator.
[FR Doc. 05–23925 Filed 12–9–05; 8:45 am]
BILLING CODE 4150–24–M
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Disease Control and
Prevention
Board of Scientific Counselors,
National Center for Health Statistics
In accordance with section 10(a)(2) of
the Federal Advisory Committee Act
(Pub. L. 92–463), the Centers for Disease
Control and Prevention (CDC), National
Center for Health Statistics (NCHS)
announces the following committee
meeting.
Name: Board of Scientific Counselors
(BSC), NCHS.
Times and Dates: 2 p.m.–5:30 p.m.,
January 26, 2006. 8:30 a.m.–2 p.m.,
January 27, 2006.
Place: NCHS Headquarters, 3311
Toledo Road, Hyattsville, Maryland
20782.
Status: Open to the public, limited
only by the space available. The meeting
room accommodates approximately 100
people.
Purpose: This committee is charged
with providing advice and making
recommendations to the Secretary,
Department of Health and Human
Services; the Director, CDC; and the
Director, NCHS, regarding the scientific
and technical program goals and
objectives, strategies, and priorities of
NCHS.
Matters to be Discussed: The agenda
will include welcome remarks by the
Director, NCHS; introductions of
members and key NCHS staff; scientific
presentations and discussions; and an
open session for comments from the
public.
Requests to make oral presentations
should be submitted in writing to the
contact person listed below by January
6, 2006. All requests must contain the
name, address, telephone number, and
organizational affiliation of the
presenter.
Written comments should not exceed
five single-spaced typed pages in length
and must be received by the Agenda
items are subject to change as priorities
dictate.
For Further Information Contact:
Robert Weinzimer, Executive Secretary,
NCHS, 3311 Toledo Road, Room 7108,
Hyattsville, Maryland 20782, telephone
(301) 458–4565, fax (301) 458–4021.
The Director, Management Analysis
and Services Office, has been delegated
the authority to sign Federal Register
notices pertaining to announcements of
meetings and other committee
management activities for both CDC and
the Agency for Toxic Substances and
Disease Registry.
Dated: December 5, 2005.
Diane Allen,
Acting Director, Management Analysis and
Services Office, Centers for Disease Control
and Prevention.
[FR Doc. 05–23906 Filed 12–9–05; 8:45 am]
BILLING CODE 4163–18–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Administration for Children and
Families
Proposed Information Collection
Activity; Comment Request
Proposed Projects
Title: Child Care Case-Level Report.
OMB No.: 0970–0167.
Description: Section 658K of the Child
Care and Development Block Grant Act
of 1990 (P.L. 101–508, 42 U.S.C. 9858)
requires that States and Territories
submit monthly case-level data on the
children and families receiving direct
services under the Child Care and
Development Fund. The implementing
regulations for the statutorily required
reporting are at 45 CFR 98.70. Case-level
reports, submitted quarterly or monthly
(at grantee option), include monthly
sample or full population case-level
data. The data elements to be included
in these reports are represented in the
ACF–801. ACF uses disaggregate data to
determine program and participant
characteristics as well as costs and
levels of child care services provided.
This provides ACF with the information
necessary to make reports to Congress,
address national child care needs, offer
technical assistance to grantees, meet
performance measures, and conduct
research. Consistent with the statute and
regulations, ACF requests extension of
the ACF–801.
Respondents: States, District of
Columbia, and Territories including
Puerto Rico, Guam, the Virgin Islands,
American Samoa, and the Northern
Mariana Islands.
[Federal Register Volume 70, Number 237 (Monday, December 12, 2005)]
[Notices]
[Pages 73474-73476]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E5-7178]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 052 3096]
DSW, Inc.; Analysis of Proposed Consent Order To Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of Federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order--embodied in the consent
agreement--that would settle these allegations.
DATES: Comments must be received on or before January 2, 2006.
ADDRESSES: Interested parties are invited to submit written comments.
Comments should refer to ``DSW, Inc., File No. 052 3096,'' to
facilitate the organization of comments. A comment filed in paper form
should include this reference both in the text and on the envelope, and
should be mailed or delivered to the following address: Federal Trade
Commission/Office of the Secretary, Room 135-H, 600 Pennsylvania
Avenue, NW., Washington, DC 20580. Comments containing confidential
material must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with Commission Rule 4.9(c). 16 CFR
4.9(c) (2005).\1\ The FTC is requesting that any comment filed in paper
form be sent by courier or overnight service, if possible, because U.S.
postal mail in the Washington area and at the Commission is subject to
delay due to heightened security precautions. Comments that do not
contain any nonpublic information may instead be filed in electronic
form as part of or as an attachment to e-mail messages directed to the
following e-mail box: consentagreement@ftc.gov.
---------------------------------------------------------------------------
\1\ The comment must be accompanied by an explicit request for
confidential treatment, including the factual and legal basis for
the request, and must identify the specific portions of the comment
to be withheld from the public record. The request will be granted
or denied by the Commission's General Counsel, consistent with
applicable law and the public interest. See Commission Rule 4.9(c),
16 CFR 4.9(c).
---------------------------------------------------------------------------
The FTC Act and other laws the Commission administers permit the
collection of public comments to consider and use in this proceeding as
appropriate. All timely and responsive public comments, whether filed
in paper or electronic form, will be considered by the Commission, and
will be available to the public on the FTC Web site, to the extent
practicable, at https://www.ftc.gov. As a matter of discretion, the FTC
makes every effort to remove home contact information for individuals
from the public comments it receives before placing those comments on
the FTC Web site. More information, including routine uses permitted by
the Privacy Act, may be found in the FTC's privacy policy, at
https://www.ftc.gov/ftc/privacy.htm.
FOR FURTHER INFORMATION CONTACT: Jessica Rich (202) 326-3224, Bureau of
Consumer Protection, Room NJ-3158, 600 Pennsylvania Avenue, NW.,
Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 of
the Commission Rules of Practice, 16 CFR 2.34, notice is hereby given
that the above-captioned consent agreement containing a consent order
to cease and desist, having been filed with and accepted, subject to
final approval, by the Commission, has been placed on the public record
for a period of thirty (30) days. The following Analysis to Aid Public
Comment describes the terms of the consent agreement, and the
allegations in the complaint. An electronic copy of the full text of
the consent agreement package can be obtained from the FTC Home Page
(for December 1, 2005), on the World Wide Web, at
https://www.ftc.gov/os/2005/12/index.htm. A paper copy can be obtained from the FTC Public
Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW., Washington,
DC 20580, either in person or by calling (202) 326-2222.
Public comments are invited, and may be filed with the Commission
in either paper or electronic form. All comments should be filed as
prescribed in the ADDRESSES section above, and must be received on or
before the date specified in the DATES section.
Analysis of Agreement Containing Consent Order To Aid Public Comment
The Federal Trade Commission has accepted a consent agreement,
subject to final approval, from DSW Inc. (``DSW'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received and will decide whether it should
withdraw from the agreement and take other appropriate action or make
final the agreement's proposed order.
As described in the Commission's proposed complaint, DSW sells
footwear for men and women at approximately 190 stores in 32 states.
Consumers pay for their purchases with cash, credit cards, debit cards,
and personal checks. In the course of seeking approval for credit and
debit card purchases, DSW collects consumers' personal information,
including name, card number and expiration date, and other information,
from magnetic stripes on the cards. The information collected from the
magnetic stripe is particularly sensitive because it contains a
security code which can be used to create counterfeit cards that appear
genuine in the authorization process. In the course of seeking approval
for personal check purchases, DSW also collects consumers' personal
information, including routing number, account number, check number,
and the consumer's driver's license number and state, from the check
using Magnetic Ink Character Recognition (``MICR'') technology.
The Commission's proposed complaint alleges that DSW stored
consumers' personal information on computers on networks located at
both the store and corporate levels and failed to employ reasonable and
appropriate security measures to protect the information. The complaint
alleges that this failure was an unfair practice because it caused or
was likely to cause substantial consumer injury that was not reasonably
avoidable and was not outweighed by countervailing benefits to
consumers or competition. In particular, the complaint alleges that
until at least March 2005, DSW engaged in a number of practices which,
taken together, failed to provide reasonable security for sensitive
personal information, including: (1) Creating unnecessary risks to
personal information collected at its stores by storing it in multiple
files when it no longer had a business need to keep the information;
(2) failing to use readily available security measures to limit access
to its computer networks through wireless access points on the
networks; (3) storing the information in unencrypted files that could
be accessed easily by using a commonly known user ID and password; (4)
failing to sufficiently limit the ability of computers on one in-store
computer network to connect to computers on other in-store and
corporate networks; and (5) failing to employ sufficient measures to
detect unauthorized access.
The complaint further alleges that there have been fraudulent
charges on accounts that consumers had used at DSW's stores.
Additionally, some consumers whose checking account information was
compromised were advised to close their accounts, thereby losing access
to those accounts, and incurred out-of-pocket expenses such as the cost
of ordering new checks.
The proposed order applies to personal information from or about
consumers that DSW collects in connection with its business. It
contains provisions designed to prevent DSW from engaging in the future
in practices similar to those alleged in the complaint.
Specifically, part I of the proposed order requires DSW to
establish and maintain a comprehensive information security program in
writing that is reasonably designed to protect the security,
confidentiality, and integrity of personal information it collects from
or about consumers. The security program must contain administrative,
technical, and physical safeguards appropriate to DSW's size and
complexity, the nature and scope of its activities, and the sensitivity
of the personal information collected. Specifically, the order requires
DSW to:
• Designate an employee or employees to coordinate and be
accountable for the information security program.
• Identify material internal and external risks to the
security, confidentiality, and integrity of consumer information that
could result in unauthorized disclosure, misuse, loss, alteration,
destruction, or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks.
• Design and implement reasonable safeguards to control the
risks identified through risk assessment, and regularly test or monitor
the effectiveness of the safeguards' key controls, systems, and
procedures.
• Evaluate and adjust its information security program in
light of the results of testing and monitoring, any material changes to
its operation or business arrangements, or any other circumstances that
DSW knows or has reason to know may have a material impact on the
effectiveness of its information security program.
Part II of the proposed order requires that DSW obtain within 180
days, and on a biennial basis thereafter, an assessment and report from
a qualified, objective, independent third-party professional,
certifying, among other things, that: (1) DSW has in place a security
program that provides protections that meet or exceed the protections
required by part I of the proposed order, and (2) DSW's security
program is operating with sufficient effectiveness to provide
reasonable assurance that the security, confidentiality, and integrity
of consumers' personal information has been protected. This provision
is substantially similar to comparable provisions obtained in prior
Commission orders under section 5 of the FTC Act. See, e.g., BJ's
Wholesale Club, Inc., FTC Docket No. C-4148 (Sept. 20, 2005).
Parts III through VII of the proposed order are reporting and
compliance provisions. Part III requires DSW to retain documents
relating to compliance. For the assessments and supporting documents,
DSW must retain the documents for three (3) years after the date that
each assessment is prepared. Part IV requires dissemination of the
order now and for the next ten (10) years to persons with supervisory
responsibilities. Part V ensures notification to the FTC of changes in
corporate status. Part VI mandates that DSW submit compliance reports
to the FTC. Part VII is a provision ``sunsetting'' the order after
twenty (20) years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the
proposed order, and it is not intended to constitute an official
interpretation of the agreement and proposed order or to modify in any
way their terms.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. E5-7178 Filed 12-9-05; 8:45 am]
BILLING CODE 6750-01-P