Genica Corporation and Compgeeks.com; Analysis of Proposed Consent Order to Aid Public Comment, 6627-6629 [E9-2764]
Federal Register / Vol. 74, No. 26 / Tuesday, February 10, 2009 / Notices
Under the Federal Reserve Bank of Atlanta heading, the entry for
Redemptus Group, LLC, Atlanta, Georgia, is revised to read as follows:
A. Federal Reserve Bank of Atlanta (Steve Foley, Vice President) 1000
Peachtree Street, N.E., Atlanta, Georgia 30309:
1. Redemptus Group LLC, Dunwoody, Georgia, to acquire voting shares of
McIntosh Bancshares, Inc., and thereby indirectly acquire voting shares
of McIntosh State Bank, both of Jackson, Georgia.
Comments on this application must be received by February 20, 2009.
Board of Governors of the Federal Reserve System, February 5, 2009.
Robert deV. Frierson,
Deputy Secretary of the Board.
[FR Doc. E9–2718 Filed 2–9–09; 8:45 am]
BILLING CODE 6210–01–S
FEDERAL RESERVE SYSTEM
Change in Bank Control Notices; Acquisition of Shares of Bank or Bank
Holding Companies
The notificants listed below have applied under the Change in Bank
Control Act (12 U.S.C. 1817(j)) and § 225.41 of the Board’s Regulation Y
(12 CFR 225.41) to acquire a bank or bank holding company. The factors
that are considered in acting on the notices are set forth in paragraph
7 of the Act (12 U.S.C. 1817(j)(7)).
The notices are available for immediate inspection at the Federal
Reserve Bank indicated. The notices also will be available for
inspection at the office of the Board of Governors. Interested persons
may express their views in writing to the Reserve Bank indicated for
that notice or to the offices of the Board of Governors. Comments must
be received not later than February 25, 2009.
A. Federal Reserve Bank of San Francisco (Kenneth Binning, Vice
President, Applications and Enforcement) 101 Market Street, San
Francisco, California 94105–1579:
1. Koh–Wilshire LP, Los Angeles, California, to retain voting shares of
Wilshire Bancorp, Inc., and thereby indirectly retain voting shares of
Wilshire State Bank, both of Los Angeles, California.
2. Daniel Day, Yakima, Washington, to acquire additional voting shares
of YNB Financial Services Corporation, and thereby indirectly acquire
additional voting shares of Yakima National Bank, both of Yakima,
Washington.
Board of Governors of the Federal Reserve System, February 5, 2009.
Robert deV. Frierson,
Deputy Secretary of the Board.
[FR Doc. E9–2719 Filed 2–9–09; 8:45 am]
BILLING CODE 6210–01–S
FEDERAL RESERVE SYSTEM
Formations of, Acquisitions by, and Mergers of Bank Holding Companies
The companies listed in this notice have applied to the Board for
approval, pursuant to the Bank Holding Company Act of 1956 (12 U.S.C.
1841 et seq.) (BHC Act), Regulation Y (12 CFR Part 225), and all other
applicable statutes and regulations to become a bank holding company
and/or to acquire the assets or the ownership of, control of, or the
power to vote shares of a bank or bank holding company and all of the
banks and nonbanking companies owned by the bank holding company,
including the companies listed below.
The applications listed below, as well as other related filings
required by the Board, are available for immediate inspection at the
Federal Reserve Bank indicated. The applications also will be available
for inspection at the offices of the Board of Governors. Interested
persons may express their views in writing on the standards enumerated
in the BHC Act (12 U.S.C. 1842(c)). If the proposal also involves the
acquisition of a nonbanking company, the review also includes whether
the acquisition of the nonbanking company complies with the standards
in section 4 of the BHC Act (12 U.S.C. 1843). Unless otherwise noted,
nonbanking activities will be conducted throughout the United States.
Additional information on all bank holding companies may be obtained
from the National Information Center website at www.ffiec.gov/nic/.
Unless otherwise noted, comments regarding each of these applications
must be received at the Reserve Bank indicated or the offices of the
Board of Governors not later than March 6, 2009.
A. Federal Reserve Bank of Atlanta (Steve Foley, Vice President) 1000
Peachtree Street, N.E., Atlanta, Georgia 30309:
1. Intercontinental Bankshares, LLC, Coral Gables, Florida, to become a
bank holding company by acquiring 81 percent of the voting shares of
Intercontinental Bank, West Miami, Florida.
Board of Governors of the Federal Reserve System, February 5, 2009.
Robert deV. Frierson,
Deputy Secretary of the Board.
[FR Doc. E9–2717 Filed 2–9–09; 8:45 am]
BILLING CODE 6210–01–S
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
Findings of Scientific Misconduct
AGENCY: Office of the Secretary, HHS.
ACTION: Notice.
SUMMARY: Notice is hereby given that the Office of Research Integrity
(ORI) and the Assistant Secretary for Health have taken final action in
the following case:
Kazuhiro Tanaka, M.D., Ph.D., National Institute of Dental and
Craniofacial Research, National Institutes of Health: Based on the
report of an investigation conducted by the National Institutes of
Health (NIH) and additional analysis conducted by the Office of
Research Integrity (ORI) in its oversight review, the U.S. Public Health
Service (PHS) found that Dr. Kazuhiro Tanaka, former Visiting
Postdoctoral Fellow, Molecular Biology Section, Craniofacial
Developmental and Biology and Regeneration Branch (CDBRB), National
Institute of Dental and Craniofacial Research (NIDCR), NIH, engaged in
scientific misconduct in research supported by PHS funds from the
NIDCR, NIH Intramural Program.
PHS found that Respondent engaged in scientific misconduct by
falsifying data that were included in three published papers: Kazuhiro
Tanaka, Yoshihiro Matsumoto, Fumihiko Nakatani, Yukihide Iwamoto, and
Yoshihiko Yamada, ‘‘A zinc finger transcription αA-crystallin binding
protein 1, is a negative regulator of the chondrocyte-specific enhancer
of the α1(II) collagen gene,’’ Molecular and Cellular Biology (MCB)
20:4428–4435, 2000; Kazuhiro Tanaka, Noriyuki Tsumaki, Christine A.
Kozak, Yoshihiro Matsumoto, Fumihiko Nakatani, Yukihide Iwamoto, and
Yoshihiko Yamada, ‘‘A Krüppel-associated box-zinc finger protein, NT2,
represses cell-type-specific promoter activity of the α2(XI) collagen
gene,’’ Molecular and Cellular Biology 22:4256–4267, 2002; and Ying Liu,
Haochuan Li, Kazuhiro Tanaka, Noriyuki Tsumaki, and Yoshihiko Yamada,
‘‘Identification of an enhancer sequence with the first intron required
for cartilage-specific transcription of the α2(XI) collagen gene,’’
Journal of Biological Chemistry (JBC) 275:12712–12718, 2000.
Specifically, PHS found that Respondent:
• Falsified the results for CRYBP1 or Sox9 binding to the Col2a1 DNA
sequence in electrophoretic mobility shift assays in Figure 1D and
Figure 7 in MCB 20:4428–4435, 2000. He used duplicate copies of bands or
duplicate copies of parts of lanes to falsely represent results from
reportedly different experimental conditions;
• Falsified the results for NT2 binding to the Col11a2 DNA sequence in
electrophoretic mobility shift assays in Figures 2D and 6B, and
falsified the Western blot for NT2 mutant proteins in Figure 8B in MCB
22:4256–4267, 2002. He used duplicate copies of bands, parts of bands,
or duplicate copies of parts of lanes to falsely represent results from
reportedly different experimental conditions in Figures 2D and 6B; and
falsely represented results for the Figure 8B Western blot by using
duplicate copies of bands to represent NT2D1 (lane 2) and NT2D4 (lane
5) mutant proteins;
• Falsified the Western blot for Sox9 protein expression in Figure 4B,
JBC 275:12712–12718, 2000, by using duplicate copies of lanes 1 and 2 to
represent the Sox9 expression in cell extracts from both Balb 3T3 and
undifferentiated ATDC5 cells; and
• Falsified the Northern blots in multiple panels of Figure 3, MCB
20:4428–4435, 2000. He used duplicate copies of bands for CRYBP1, for
Type II collagen, for Type X collagen, and for GAPDH and 18S EtBr
stained control bands to falsely represent results of RNA expression
from these different genes in ATDC5 cells. He also used duplicate copies
of bands to falsely represent the RNA expression in ATDC5 cells grown
under different conditions for either collagen Type II in Figure 3, MCB
2000 or collagen α1(X) in Figure 5 in MCB 22:4256–4267, 2002. Similarly,
duplicate copies of 18S EtBr stained control bands were used in both
figures with reportedly different experimental conditions.
Both Respondent and PHS are desirous of concluding this matter without
further expense of time and other resources, and the parties have
entered into a Voluntary Exclusion Agreement (Agreement). The settlement
[Federal Register Volume 74, Number 26 (Tuesday, February 10, 2009)]
[NOT]
[Pages 6627-6629]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-2764]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 082 3113]
Genica Corporation and Compgeeks.com; Analysis of Proposed
Consent Order to Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order--embodied in the consent
agreement--that would settle these allegations.
DATES: Comments must be received on or before March 9, 2009.
ADDRESSES: Interested parties are invited to submit written comments.
Comments should refer to ``Genica Corporation, File No. 082 3113,'' to
facilitate the organization of comments. A comment filed in paper form
should include this reference both in the text and on the envelope, and
should be mailed or delivered to the following address: Federal Trade
Commission/Office of the Secretary, Room 135-H, 600 Pennsylvania
Avenue, N.W., Washington, D.C. 20580. Comments containing confidential
material must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with Commission Rule 4.9(c). 16 CFR
4.9(c) (2005).\1\ The FTC is requesting that any comment filed in paper
form be sent by courier or overnight service, if possible, because U.S.
postal mail in the Washington area and at the Commission is subject to
delay due to heightened security precautions. Comments that do not
contain any nonpublic information may instead be filed in electronic
form by
[[Page 6628]]
following the instructions on the web-based form at
(https://secure.commentworks.com/ftc-Genica). To ensure that the
Commission considers an electronic comment, you must file it on that
web-based form.
---------------------------------------------------------------------------
\1\ The comment must be accompanied by an explicit request for
confidential treatment, including the factual and legal basis for
the request, and must identify the specific portions of the comment
to be withheld from the public record. The request will be granted
or denied by the Commission's General Counsel, consistent with
applicable law and the public interest. See Commission Rule 4.9(c),
16 CFR 4.9(c).
---------------------------------------------------------------------------
The FTC Act and other laws the Commission administers permit the
collection of public comments to consider and use in this proceeding as
appropriate. All timely and responsive public comments, whether filed
in paper or electronic form, will be considered by the Commission, and
will be available to the public on the FTC website, to the extent
practicable, at www.ftc.gov. As a matter of discretion, the FTC makes
every effort to remove home contact information for individuals from
the public comments it receives before placing those comments on the
FTC website. More information, including routine uses permitted by the
Privacy Act, may be found in the FTC's privacy policy, at (https://
www.ftc.gov/ftc/privacy.shtm).
FOR FURTHER INFORMATION CONTACT: Molly Crawford, Bureau of Consumer
Protection, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580, (202)
326-2252.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 of
the Commission Rules of Practice, 16 CFR 2.34, notice is hereby given
that the above-captioned consent agreement containing a consent order
to cease and desist, having been filed with and accepted, subject to
final approval, by the Commission, has been placed on the public record
for a period of thirty (30) days. The following Analysis to Aid Public
Comment describes the terms of the consent agreement, and the
allegations in the complaint. An electronic copy of the full text of
the consent agreement package can be obtained from the FTC Home Page
(for February 5, 2009), on the World Wide Web, at (https://www.ftc.gov/
os/2009/02/index.htm). A paper copy can be obtained from the FTC Public
Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW, Washington,
D.C. 20580, either in person or by calling (202) 326-2222.
Public comments are invited, and may be filed with the Commission
in either paper or electronic form. All comments should be filed as
prescribed in the ADDRESSES section above, and must be received on or
before the date specified in the DATES section.
Analysis of Agreement Containing Consent Order to Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, a consent agreement from Genica Corporation (``Genica'') and
Compgeeks.com, also doing business as Computer Geeks Discount Outlet
and Geeks.com (``Compgeeks.com'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
Genica and its wholly-owned subsidiary, Compgeeks.com,
(collectively ``respondents'') sell computer systems, peripherals, and
consumer electronics to consumers over the internet, including through
a website (www.geeks.com) operated by Compgeeks.com. Respondents
operate a computer network that consumers use, in conjunction with the
www.geeks.com website and web application, to obtain information and to
buy their products. In selling products through the www.geeks.com
website, respondents routinely collect sensitive information from
consumers to obtain authorization for credit card purchases, including
a first and last name, address, e-mail address, telephone number,
credit card number, credit card expiration date, and credit card
security code (hereinafter ``personal information''). This information
is particularly sensitive, because it can be used to facilitate payment
card fraud and other consumer harm. This matter concerns alleged false
or misleading representations respondents made about the security they
provided for this information.
The Commission's complaint alleges that respondents represented
that they implemented reasonable and appropriate security measures to
protect the privacy and confidentiality of personal information. The
complaint alleges that this representation was false because
respondents engaged in a number of practices that, taken together,
failed to provide reasonable and appropriate security for sensitive
personal information stored on their network. Among other things,
respondents allegedly: (1) stored personal information in clear,
readable text; (2) did not adequately assess the vulnerability of their
web application and network to commonly known or reasonably foreseeable
attacks, such as ``Structured Query Language'' (``SQL'') injection
attacks; (3) did not implement simple, free or low-cost, and readily
available defenses to such attacks; (4) did not use readily available
security measures to monitor and control connections between computers
on the network and from the network to the internet; and (5) failed to
employ reasonable measures to detect and prevent unauthorized access to
personal information, such as by logging or employing an intrusion
detection system.
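The defect named in allegations (2) and (3) above, and the "readily available defense" to it, can be shown side by side. The following is an added example for this notice; it is not code from the respondents' web application or from the Commission, and the table, the customer rows and the card values in it are constructed placeholders. It builds an in-memory SQLite table, runs the same customer lookup once with the user's input spliced into the SQL text (the vulnerable pattern) and once as a bound parameter (the fix), and reports how many rows each returns.

```python
"""Added example (not part of the FTC notice or of respondents' code).

Shows why a lookup built by string concatenation lets a crafted value
change the query's meaning, while the same lookup written with a bound
parameter treats that value as a literal string. The data below is
constructed for the example; the card values are obviously fake.
"""
import sqlite3

# Constructed sample rows resembling a web shop's customer store.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Example", "4111-XXXX-XXXX-0001"),
    ("bob@example.com", "Bob Example", "4111-XXXX-XXXX-0002"),
    ("carol@example.com", "Carol Example", "4111-XXXX-XXXX-0003"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The defect: the input becomes part of the SQL text, so quotes and
    operators inside it are parsed as SQL rather than compared as data."""
    sql = "SELECT email, name, card FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the value travels separately from the SQL text, so the
    database compares it as one literal string and nothing more."""
    sql = "SELECT email, name, card FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email: str) -> dict:
    """Run both lookups on one input. Reports the row count each path
    returns (None when the spliced query was not even valid SQL) and
    whether the vulnerable path disclosed rows the caller did not ask for."""
    conn = build_db()
    try:
        vuln_rows = len(lookup_vulnerable(conn, email))
    except sqlite3.OperationalError:
        vuln_rows = None  # a legitimate apostrophe breaks the spliced query
    safe_rows = len(lookup_parameterized(conn, email))
    conn.close()
    return {
        "vulnerable_rows": vuln_rows,
        "parameterized_rows": safe_rows,
        "over_disclosure": vuln_rows is not None and vuln_rows > safe_rows,
    }


if __name__ == "__main__":
    # A normal address: both paths return the one matching row.
    print(compare("alice@example.com"))
    # The textbook tautology input: the spliced query matches every row
    # (the mechanism behind the bulk export the complaint describes); the
    # parameterized query finds no customer with that literal address.
    print(compare("' OR '1'='1"))
    # An address containing a legitimate apostrophe: the spliced query is
    # malformed and errors out, while the parameterized one simply finds
    # no match. Parameterization fixes correctness as well as security.
    print(compare("o'brien@example.com"))
```

The point for a reviewer of a program like the one Part II requires is that the fix is a single-line change in how the query is issued, costs nothing, and is the default in every mainstream database driver; it is exactly the kind of "simple, free or low-cost, and readily available" defense the complaint says was missing.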
The complaint further alleges that since at least January 2007 and
continuing through at least June 2007, hackers repeatedly exploited
these vulnerabilities by using SQL injection attacks on the
www.geeks.com website and web application. Through these attacks, the
hackers allegedly found personal information stored on respondents'
network and exported the information of hundreds of customers,
including credit card numbers, expiration dates, and security codes,
over the internet to outside computers.
The proposed order applies to personal information respondents
collect from or about consumers. It contains provisions designed to
prevent respondents from engaging in the future in practices similar to
those alleged in the complaint.
Part I of the proposed order prohibits respondents, in connection
with the advertising, marketing, promotion, offering for sale, or sale
of any product or service, from misrepresenting the extent to which
respondents maintain and protect the privacy, confidentiality, or
integrity of any personal information collected from or about
consumers.
Part II of the proposed order requires respondents to establish and
maintain a comprehensive information security program that is
reasonably designed to protect the security, confidentiality, and
integrity of personal information collected from or about consumers.
The written security program must contain administrative, technical,
and physical safeguards appropriate to respondents' size and
complexity, the nature and scope of respondents' activities, and the
sensitivity of the personal information collected from or about
consumers. Specifically the order requires respondents to:
1. Designate an employee or employees to coordinate and be
accountable for the information security program;
2. Identify material internal and external risks to the security,
confidentiality, and integrity of personal information that could
result in the
[[Page 6629]]
unauthorized disclosure, misuse, loss, alteration, destruction, or
other compromise of such information, and assess the sufficiency of any
safeguards in place to control these risks;
3. Design and implement reasonable safeguards to control the risks
identified through risk assessment, and regularly test or monitor the
effectiveness of the safeguards' key controls, systems, and procedures;
4. Develop and use reasonable steps to retain service providers
capable of appropriately safeguarding personal information they receive
from respondents and requiring service providers by contract to
implement and maintain appropriate safeguards; and
5. Evaluate and adjust respondents' information security program in
light of the results of the testing and monitoring, any material
changes to respondents' operations or business arrangements, or any
other circumstances that respondents know or have reason to know may
have a material impact on the effectiveness of their information
security program.
Part III of the proposed order requires that respondents, in
connection with the online advertising, marketing, promotion, offering
for sale, or sale of any product or service to consumers, obtain within
180 days, and on a biennial basis thereafter for a period of ten (10)
years, an assessment and report from a qualified, objective,
independent third-party professional, certifying, among other things,
(1) that respondents have in place a security program that provides
protections that meet or exceed the protections required by Part II of
the proposed order; and (2) that respondents' security program is
operating with sufficient effectiveness to provide reasonable assurance
that the security, confidentiality, and integrity of consumers' personal
information is protected.
Parts IV through VIII of the proposed order are reporting and
compliance provisions. Part IV requires respondents to retain documents
relating to their compliance with the order. For most records, the
order requires that the documents be retained for a five-year period.
For the third-party assessments and supporting documents, respondents
must retain the documents for a period of three years after the date
that each assessment is prepared. Part V requires dissemination of the
order now and in the future to persons with responsibilities relating
to the subject matter of the order. Part VI ensures notification to the
FTC of changes in corporate status. Part VII mandates that respondents
submit an initial compliance report to the FTC, and make available to
the FTC subsequent reports. Part VIII is a provision ``sunsetting'' the
order after twenty (20) years, with certain exceptions.
The purpose of the analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed order or to modify its terms in any way.
By direction of the Commission.
Donald S. Clark
Secretary
[FR Doc. E9-2764 Filed 2-9-09: 8:45 am]
BILLING CODE 6750-01-S