BJ’s Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law

UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION

COMMISSIONERS: Deborah Platt Majoras, Chairman; Thomas B. Leary; Pamela Jones Harbour; Jon Leibowitz

In the Matter of BJ’S WHOLESALE CLUB, INC., a corporation.

DOCKET NO. C-4148

COMPLAINT

The Federal Trade Commission, having reason to believe that BJ’s Wholesale Club, Inc. (“Respondent”) has violated the provisions of the Federal Trade Commission Act, and it appearing to the Commission that this proceeding is in the public interest, alleges:

• Respondent BJ’s Wholesale Club, Inc. is a Delaware corporation with its principal office or place of business at One Mercer Road, Natick, Massachusetts 01760.

• The acts and practices of Respondent as alleged in this complaint have been in or affecting commerce, as “commerce” is defined in Section 4 of the Federal Trade Commission Act.

• Respondent operates approximately 150 warehouse clubs (“stores”) in 16 eastern states. Generally, only consumers who have purchased memberships from Respondent may make purchases at its stores. Approximately 8 million consumers currently have valid memberships. At its stores, Respondent sells memberships as well as approximately 7,500 brand-name food and general merchandise items, including office supplies and equipment, consumer electronics, prerecorded media, small appliances, auto accessories and tires, jewelry, health and beauty aids, household needs, computer software, books, greeting cards, apparel, toys, tools, and seasonal items. Members often pay for such purchases with credit cards and debit cards.

• Respondent uses computer networks to request and obtain authorization from the bank that issued the card (“issuing bank”) for credit card and debit card purchases at its stores. To obtain authorization, Respondent collects information from the customer, including customer name, card number and expiration date, and certain other information (collectively, “personal information”).

• For a purchase at a store, Respondent typically collects the information from the magnetic stripe of the credit or debit card and compiles it into an authorization request on the computer network located in the store (“in-store computer network”). Respondent then transmits the information from the in-store computer network to its central datacenter and from there through outside computer networks to the issuing bank. Respondent receives the issuing bank’s response through the same computer networks used to make the request.

• Respondent also uses its in-store computer networks to manage inventory. Using wireless inventory scanners (“scanners”), Respondent collects inventory information at its stores. Respondent operates wireless access points on its in-store computer networks through which scanners connect and transmit inventory information to in-store computer networks.

• From at least November 1, 2003, until February 2004, Respondent did not employ reasonable and appropriate measures to secure personal information collected at its stores. Among other things, Respondent (1) Did not encrypt the information while in transit or when stored on the in-store computer networks; (2) Stored the information in files that could be accessed anonymously -- that is, using a commonly known default user ID and password; (3) Did not use readily available security measures to limit access to its computer networks through wireless access points on the networks; (4) Failed to employ sufficient measures to detect unauthorized access or conduct security investigations; (5) Created unnecessary risks to the information by storing it for up to 30 days when it no longer had a business need to keep the information, and in violation of bank rules. As a result, a hacker could have used the wireless access points on an in-store computer network to connect to the network and, without authorization, access personal information on the network.

• Beginning in late 2003 and early 2004, banks began discovering fraudulent purchases that were made using counterfeit copies of credit and debit cards the banks had issued to customers. The customers had used their cards at Respondent’s stores before the fraudulent purchases were made, and personal information Respondent obtained from their cards was stored on Respondent’s computer networks. This same information was contained on counterfeit copies of cards that were used to make several million dollars in fraudulent purchases. In response, banks and their customers canceled and re-issued thousands of credit and debit cards that had been used at Respondent’s stores, and customers holding these cards were unable to use their cards to access credit and their own bank accounts.

• As described in Paragraphs 7 and 8 above, Respondent’s failure to employ reasonable and appropriate security measures to protect personal information and files caused or is likely to cause substantial injury to consumers that is not offset by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers. This practice was an unfair act or practice.

• The acts and practices of Respondent as alleged in this complaint constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).

THEREFORE, the Federal Trade Commission this twentieth day of September, 2005, has issued this complaint against Respondent.

By the Commission.

FILE NO. 0423160

AGREEMENT CONTAINING CONSENT ORDER

The Federal Trade Commission has conducted an investigation of certain acts and practices of BJ’s Wholesale Club, Inc., a Delaware corporation (“proposed respondent”). Proposed respondent, having been represented by counsel, is willing to enter into an agreement containing a consent order resolving the allegations contained in the attached draft complaint. Therefore,
 


• Proposed respondent BJ’s Wholesale Club, Inc. is a Delaware corporation with its principal office or place of business at One Mercer Road, Natick, Massachusetts 01760.
 
• Proposed respondent admits all the jurisdictional facts set forth in the draft complaint.
 
• Proposed respondent waives:
 
  • any further procedural steps;
 
  • the requirement that the Commission’s decision contain a statement of findings of fact and conclusions of law; and
 
  • all rights to seek judicial review or otherwise to challenge or contest the validity of the order entered pursuant to this agreement.
 
• This agreement shall not become part of the public record of the proceeding unless and until it is accepted by the Commission. If this agreement is accepted by the Commission, it, together with the draft complaint, will be placed on the public record for a period of thirty (30) days and information about it publicly released. The Commission thereafter
may either withdraw its acceptance of this agreement and so notify proposed respondent, in which event it will take such action as it may consider appropriate, or issue and serve its complaint (in such form as the circumstances may require) and decision in disposition of the proceeding.
 
• This agreement is for settlement purposes only and does not constitute an admission by proposed respondent that the law has been violated as alleged in the draft complaint, or that the facts as alleged in the draft complaint, other than the jurisdictional facts, are true.
 
• This agreement contemplates that, if it is accepted by the Commission, and if such acceptance is not subsequently withdrawn by the Commission pursuant to the provisions of Section 2.34 of the Commission’s Rules, the Commission may, without further notice to proposed respondent, (1) issue its complaint corresponding in form and substance with the attached draft complaint and its decision containing the following order in disposition of the proceeding, and (2) make information about it public. When so entered, the order shall have the same force and effect and may be altered, modified, or set aside in the same manner and within the same time provided by statute for other orders. The order shall become final upon service. Delivery of the complaint and the decision and order to proposed respondent’s address as stated in this agreement by any means specified in Section 4.4(a) of the Commission’s Rules shall constitute service. Proposed respondent waives any right it may have to any other manner of service. The complaint may be used in construing the terms of the order. No agreement, understanding, representation, or interpretation not contained in the order or in the agreement may be used to vary or contradict the terms of the order.
• Proposed respondent has read the draft complaint and consent order. It understands that it may be liable for civil penalties in the amount provided by law and other appropriate relief for each violation of the order after it becomes final.

ORDER

DEFINITIONS

For purposes of this order, the following definitions shall apply:
 

• “Personal information” shall mean individually identifiable information from or about an individual consumer including, but not limited to: (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name that reveals an individual’s email address; (d) a telephone number; (e) a Social Security number;
(f) credit and/or debit card information, including credit and/or debit card number, expiration date, and data stored on the magnetic stripe of a credit or debit card; (g) a persistent identifier, such as a customer number held in a “cookie” or processor serial number, that is combined with
other available data that identifies an individual consumer; or (h) any other information from or about an individual consumer that is combined with (a) through (g) above.
 
• Unless otherwise specified, “respondent” shall mean BJ’s Wholesale Club, Inc. and its successors and assigns, officers, agents, representatives, and employees.
 
• “Commerce” shall mean as defined in Section 4 of the Federal Trade Commission Act, 15 U.S.C. § 44.


I.

• the designation of an employee or employees to coordinate and be accountable for the information security program.
• the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.
• the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.
 
• the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subparagraph C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.


II.

IT IS FURTHER ORDERED that respondent obtain an assessment and report (an “Assessment”) from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession, within one hundred and eighty (180) days after service of the order, and biennially thereafter for twenty (20) years after service of the order that:
 

• sets forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;
 
• explains how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers;
 
• explains how the safeguards that have been implemented meet or exceed the protections required by Paragraph I of this order; and
 
• certifies that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and, for biennial reports, has so operated throughout the reporting period.


Each Assessment shall be prepared by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.
 


Respondent shall provide the first Assessment, as well as all: plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of respondent, relied upon to prepare such Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.



III. 

IT IS FURTHER ORDERED that respondent shall maintain, and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of each document relating to compliance, including but not limited to:

• for a period of five (5) years: any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and
 
• for a period of three (3) years after the date of preparation of each biennial Assessment required under Paragraph II of this order: all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of respondent, relating to respondent’s compliance with Paragraphs I and II of this order for the compliance period covered by such biennial Assessment.


IV.

IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.



V.

IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty
(30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. *Provided, however*, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.

VI.

IT IS FURTHER ORDERED that respondent shall, within one hundred and eighty
(180) days after service of this order, and at such other times as the Commission may require, file with the Commission an initial report, in writing, setting forth in detail the manner and form in which it has complied with this order.

VII.

• any Paragraph in this order that terminates in less than twenty (20) years;
 
• this order’s application to any respondent that is not named as a defendant in such complaint; and
 
• this order if such complaint is filed after the order has terminated pursuant to this Paragraph.

Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Paragraph as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.
 


Signed this seventeenth day of May, 2005