Dave & Buster’s, Inc.; Analysis of Proposed Consent Order to Aid Public Comment, 16123-16125 [2010-7127]
Federal Register / Vol. 75, No. 61 / Wednesday, March 31, 2010 / Notices
[Federal Register Volume 75, Number 61 (Wednesday, March 31, 2010)]
[Notices]
[Pages 16123-16125]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-7127]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 082 3153]
Dave & Buster's, Inc.; Analysis of Proposed Consent Order to Aid
Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order -- embodied in the consent
agreement -- that would settle these allegations.
DATES: Comments must be received on or before April 26, 2010.
ADDRESSES: Interested parties are invited to submit written comments
electronically or in paper form. Comments should refer to "Dave &
Buster's, File No. 082 3153" to facilitate the organization of
comments. Please note that your comment -- including your name and your
state -- will be placed on the public record of this proceeding,
including on the publicly accessible FTC website, at (https://www.ftc.gov/os/publiccomments.shtm).
Because comments will be made public, they should not include any
sensitive personal information, such as an individual's Social Security
Number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. Comments also
should not include any sensitive health information, such as medical
records or other individually identifiable health information. In
addition, comments should not include any "[t]rade secret or any
commercial or financial information which is obtained from any person
and which is privileged or confidential. . . .," as provided in
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and Commission Rule
4.10(a)(2), 16 CFR 4.10(a)(2). Comments containing
material for which confidential treatment is requested must be filed in
paper form, must be clearly labeled "Confidential," and must comply
with FTC Rule 4.9(c), 16 CFR 4.9(c).[1]
---------------------------------------------------------------------------
[1] The comment must be accompanied by an explicit request for
confidential treatment, including the factual and legal basis for
the request, and must identify the specific portions of the comment
to be withheld from the public record. The request will be granted
or denied by the Commission's General Counsel, consistent with
applicable law and the public interest. See FTC Rule 4.9(c), 16 CFR
4.9(c).
---------------------------------------------------------------------------
Because paper mail addressed to the FTC is subject to delay due to
heightened security screening, please consider submitting your comments
in electronic form. Comments filed in electronic form should be
submitted by using the following weblink: (https://public.commentworks.com/ftc/daveandbusters) and following the
instructions on the web-based form. To ensure that the Commission
considers an electronic comment, you must file it on the web-based form
at the weblink: (https://public.commentworks.com/ftc/daveandbusters).
If this Notice appears at (https://www.regulations.gov/search/index.jsp), you may also file an electronic comment through that
website. The Commission will consider all comments that regulations.gov
forwards to it. You may also visit the FTC website at (https://www.ftc.gov/) to read the Notice and the news release describing it.
A comment filed in paper form should include the "Dave & Buster's,
File No. 082 3153" reference both in the text and on the envelope, and
should be mailed or delivered to the following address: Federal Trade
Commission, Office of the Secretary, Room H-135 (Annex D), 600
Pennsylvania Avenue, NW, Washington, DC 20580. The FTC is requesting
that any comment filed in paper form be sent by courier or overnight
service, if possible, because U.S. postal mail in the Washington area
and at the Commission is subject to delay due to heightened security
precautions.
The Federal Trade Commission Act ("FTC Act") and other laws the
Commission administers permit the collection of public comments to
consider and use in this proceeding as appropriate. The Commission will
consider all timely and responsive public comments that it receives,
whether filed in paper or electronic form. Comments received will be
available to the public on the FTC website, to the extent practicable,
at (https://www.ftc.gov/os/publiccomments.shtm). As a matter of
discretion, the Commission makes every effort to remove home contact
information for individuals from the public comments it receives before
placing those comments on the FTC website. More information, including
routine uses permitted by the Privacy Act, may be found in the FTC's
privacy policy, at (https://www.ftc.gov/ftc/privacy.shtm).
FOR FURTHER INFORMATION CONTACT: Katrina Blodgett (202-326-3158),
Bureau of Consumer Protection, 600 Pennsylvania Avenue, NW, Washington,
D.C. 20580.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 of the
Commission Rules of Practice, 16 CFR 2.34, notice is hereby given that
the above-captioned consent agreement containing a consent order to
cease and desist, having been filed with and accepted, subject to final
approval, by the Commission, has been placed on the public record for a
period of thirty (30) days. The following Analysis to Aid Public
Comment describes the terms of the consent agreement, and the
allegations in the complaint. An electronic copy of the full text of
the consent agreement package can be obtained from the FTC Home Page
(for March 25, 2010), on the World Wide Web, at (https://www.ftc.gov/os/actions.shtm). A paper copy can be obtained from the FTC Public
Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW, Washington,
D.C. 20580, either in person or by calling (202) 326-2222.
Public comments are invited, and may be filed with the Commission
in either paper or electronic form. All comments should be filed as
prescribed in the ADDRESSES section above, and must be received on or
before the date specified in the DATES section.
Analysis of Agreement Containing Consent Order to Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, a consent agreement from Dave & Buster's, Inc. ("Dave &
Buster's").
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
Dave & Buster's owns and operates 53 restaurant and entertainment
complexes in the United States. Consumers may pay for purchases at
these locations with credit and debit cards (collectively, "payment
cards") or cash. In conducting its business, Dave & Buster's routinely
collects information from consumers to obtain authorization for payment
card purchases, including the credit card account number, expiration
date, and an electronic security code for payment authorization. This
information is particularly sensitive because it can be used to
facilitate payment card fraud and other consumer fraud.
The Commission's complaint alleges that since at least April 2007,
Dave & Buster's engaged in a number of practices that, taken together,
failed to provide reasonable and appropriate security for personal
information on its computer networks. Among other things, Dave &
Buster's: (a) failed to employ sufficient measures to detect and
prevent unauthorized access to computer networks or to conduct security
investigations, such as by employing an intrusion detection system and
monitoring system logs; (b) failed to adequately restrict third-party
access to its networks, such as by restricting connections to specific
IP addresses or granting temporary, limited access; (c) failed to
monitor and filter outbound traffic from its networks to identify and
block export of sensitive personal information without authorization;
(d) failed to use readily available security measures to limit access
between in-store networks, such as by using firewalls or isolating the
payment card system from the rest of the corporate network; and (e)
failed to use readily available security measures to limit access to
its computer networks through wireless access points on the networks.
The complaint further alleges that between April 30, 2007 and
August 28, 2007, an intruder, exploiting some of these vulnerabilities,
connected to Dave & Buster's networks numerous times without
authorization, installed unauthorized software, and intercepted
personal information in transit from in-store networks to its credit
card processing company. The breach compromised approximately 130,000
unique payment cards used by consumers in the United States.
The proposed order applies to personal information Dave & Buster's
collects from or about consumers. It contains provisions designed to
prevent Dave & Buster's from engaging in the future in practices
similar to those alleged in the complaint.
Part I of the proposed order requires Dave & Buster's to establish
and maintain a comprehensive information
security program in writing that is reasonably designed to protect the
security, confidentiality, and integrity of personal information
collected from or about consumers. The security program must contain
administrative, technical, and physical safeguards appropriate to Dave
& Buster's size and complexity, the nature and scope of its activities,
and the sensitivity of the personal information collected from or about
consumers. Specifically, the order requires Dave & Buster's to:
- Designate an employee or employees to coordinate and be
  accountable for the information security program.
- Identify material internal and external risks to the
  security, confidentiality, and integrity of personal information that
  could result in the unauthorized disclosure, misuse, loss, alteration,
  destruction, or other compromise of such information, and assess the
  sufficiency of any safeguards in place to control these risks.
- Design and implement reasonable safeguards to control the
  risks identified through risk assessment, and regularly test or monitor
  the effectiveness of the safeguards' key controls, systems, and
  procedures.
- Develop and use reasonable steps to select and retain
  service providers capable of appropriately safeguarding personal
  information they receive from respondents, and require service
  providers by contract to implement and maintain appropriate safeguards.
- Evaluate and adjust its information security program in
  light of the results of the testing and monitoring, any material
  changes to its operations or business arrangements, or any other
  circumstances that it knows or has reason to know may have a material
  impact on the effectiveness of its information security program.
Part II of the proposed order requires that Dave & Buster's obtain
within 180 days, and on a biennial basis thereafter for ten (10) years,
an assessment and report from a qualified, objective, independent
third-party professional, certifying, among other things, that it has
in place a security program that provides protections that meet or
exceed the protections required by Part I of the proposed order; and
its security program is operating with sufficient effectiveness to
provide reasonable assurance that the security, confidentiality, and
integrity of consumers' personal information is protected.
Parts III through VII of the proposed order are reporting and
compliance provisions. Part III requires Dave & Buster's to retain
documents relating to its compliance with the order. For most records,
the order requires that the documents be retained for a five-year
period. For the third-party assessments and supporting documents, Dave
& Buster's must retain the documents for a period of three years after
the date that each assessment is prepared. Part IV requires
dissemination of the order now and in the future to principals,
officers, directors, and managers at corporate headquarters, regional
offices, and at each store having responsibilities relating to the
subject matter of the order. Part V ensures notification to the FTC of
changes in corporate status. Part VI mandates that Dave & Buster's
submit an initial compliance report to the FTC, and make available to
the FTC subsequent reports. Part VII is a provision "sunsetting" the
order after twenty (20) years, with certain exceptions.
The purpose of the analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed order or to modify its terms in any way.
By direction of the Commission.
Donald S. Clark
Secretary
[FR Doc. 2010-7127 Filed 3-30-10: 1:29 pm]
BILLING CODE 6750-01-S