HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Cybersecurity & Data Breaches

FTC Consent Decree Requires Monitoring and Filtering of Outbound Computer Traffic to Block Export of Sensitive Information

On March 25, Dave & Buster’s (D&B), which operates 53 restaurant and entertainment complexes across the country, entered into a consent decree with the FTC stemming from a 2007 breach of its network, through which a hacker obtained information identifying approximately 130,000 payment cards while that information was in transit to D&B’s payment card processors.

In this case, the FTC focused on the importance of intrusion detection systems, protecting sensitive information in transit, and securing wireless access points.  And, in an important development in FTC practice, the Commission criticized D&B for failure to monitor and filter outbound traffic to block the export of sensitive information.  While many firms voluntarily use data loss prevention software to detect and block the transmission of sensitive personal information from their systems, such as through employee e-mail, this is the first time that the FTC has claimed that those storing sensitive information might be required, under Section 5 of the FTC Act, to monitor outbound traffic.  In other words, the FTC has gotten more specific about what security measures are required to avoid a finding of an unfair consumer practice under Section 5.  The significance of this new consent decree is that companies are now on notice that they could invite FTC scrutiny if a breach could have been detected and cured by the use of data loss prevention software.

In the Complaint leading to the consent decree, D&B was cited for:

  • failing to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by employing an intrusion detection system and monitoring system logs;  
  • failing to adequately restrict third-party access to its networks, such as by restricting connections to specified IP addresses or granting temporary, limited access;
  • failing to monitor and filter outbound traffic from its networks to identify and block export of sensitive personal information without authorization;
  • failing to use readily available security measures to limit access between in-store networks, such as by employing firewalls or isolating the payment card system from the rest of the corporate network; and
  • failing to use readily available security measures to limit access to its computer networks through wireless access points on the network.

In the consent decree, D&B agreed to establish a comprehensive information security program and to obtain independent, professional audits of the program biennially for ten years.

The FTC has long pursued consent decrees against companies that suffer breaches of personal or payment card information left unprotected due to lax security standards.  The requirement that D&B institute a comprehensive information security program is par for the course, as is the biennial audit requirement.  In fact, though D&B does not have any Massachusetts locations, if it maintains in its databases the credit card information of any Massachusetts resident, it is already subject to a requirement that it implement a comprehensive information security program under the state’s data security standards, which became effective March 1, 2010.

But, again, the significance of this consent decree is the new requirement to monitor outbound computer traffic as a means of detecting the unauthorized export of PII.