April 2010
Lexis Nexis® Emerging Issues Analysis
Authored by J. (Jay) T. Westermeier
The Federal Trade Commission ("FTC") has accepted a consent agreement from Dave & Buster's, Inc. relating to alleged inadequate information security practices.[1] The FTC reported that this consent agreement is its 27th consent agreement regarding information security practices. In this article we will examine the FTC's complaint against Dave & Buster's and the FTC's consent agreement resulting from the complaint. The FTC's case against Dave & Buster's helps to set the minimum legal liability standards for information security programs. Below we will emphasize the most instructive aspects of this consent agreement.
Dave & Buster's is headquartered in Dallas, Texas, and owns and operates 53 restaurants and entertainment complexes in the United States under the names Dave & Buster's, Dave & Buster's Grand Sports Café and Jillians. According to the FTC Complaint against Dave & Buster's, between April 30, 2007 and August 28, 2007 an intruder connected to Dave & Buster's computer networks numerous times without authorization, installed unauthorized software, and intercepted personal information in transit from in-store networks to Dave & Buster's credit card processing company.
FTC:WATCH identified the intruder as Albert Gonzalez. According to FTC:WATCH, Gonzalez and two foreign co-defendants would drive past retailers along U.S. 1 in Miami with a laptop computer. They would exploit vulnerable wireless signals at these retailers to gain unauthorized access to the retailers' computer networks. They would then install sniffer programs that captured credit and debit card numbers as this personal information moved through Dave & Buster's computer systems.[2]
The Dave & Buster's information security breach compromised approximately 130,000 credit or debit cards used by consumers in the United States. As of the date the FTC issued its complaint against Dave & Buster's, issuing banks for the payment cards implicated in the data breach had collectively claimed several hundred thousand dollars in fraudulent charges on some of these implicated accounts.
In the Complaint, the FTC alleged that Dave & Buster's had engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks. The FTC alleged that Dave & Buster's failure to provide reasonable and appropriate information security permitted the intruder to exploit the vulnerabilities described in the Complaint as discussed below.
1. Detection, Prevention and Security Investigations. The FTC alleged that Dave & Buster's had failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations. The intruder was able to access the Dave & Buster's computer networks repeatedly over a four-month period. The length of this undetected "breach" period supports the FTC's allegation. While these alleged deficiencies are general in nature, the FTC specifically mentions two measures that Dave & Buster's could have employed but did not: an intrusion detection system and monitoring of system logs. Since both of these protective measures were mentioned specifically by the FTC, companies should consider employing such measures in their information security programs.
2. Access Restrictions. The FTC also alleged that Dave & Buster's had failed to adequately restrict third-party access to its networks. Measures the FTC suggested for restricting third-party access include restricting connections to specified IP addresses and granting access on a temporary, limited basis. These methods for restricting third-party access should be considered in connection with information security programs.
3. Monitoring Outbound Traffic. The FTC also alleged that Dave & Buster's failed to monitor and filter outbound traffic from its networks in order to identify and block the unauthorized export of sensitive personal information. Monitoring outgoing traffic should be used where applicable to prevent the unauthorized export of protected information.
4. Separation of Systems. The FTC also alleged that Dave & Buster's failed to use "readily available" security measures to limit access between in-store networks, such as by employing firewalls or isolating the payment card system from the rest of the corporate network. Firewalls are a proven "readily available" strategy that should be used to limit access. Similarly, critical systems that do not require connectivity should be isolated to reduce the risks resulting from connectivity. These strategies should be considered in your information security programs.
5. Limiting Access. The FTC also alleged that Dave & Buster's failed to use "readily available security measures" to limit access to its computer network through wireless access points on the networks. Again, the FTC finds Dave & Buster's failure to use "readily available" information security measures under the circumstances to be insufficient.
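As an added illustration that is not part of the original article, the following Python script turns the second, third and fourth measures above (restricting connections to specified IP addresses, monitoring outbound traffic, and isolating the payment-card system) into a single egress policy check run over constructed flow records: the card segment may reach only the processor's allowlisted addresses on an approved port, and every other outbound flow is reported. The segment, allowlist, port and log format are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical egress policy for an isolated payment-card segment, modelled on
# the measures named in the complaint: the card segment may reach only the
# processor's addresses, and every other outbound flow is reported.
# All addresses are constructed (RFC 5737 documentation ranges for public ones).
CARD_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
PROCESSOR_NETS = [ipaddress.ip_network("198.51.100.0/29")]
PROCESSOR_PORTS = {443}

@dataclass
class Finding:
    line_no: int
    src: str
    dst: str
    dport: int
    reason: str

def parse_flow(line):
    """Parse '<ts> <src>:<sport> -> <dst>:<dport> <proto> <bytes>' into a dict."""
    ts, src, _, dst, proto, nbytes = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": ipaddress.ip_address(src_ip),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}

def audit_egress(log_lines):
    """Return a Finding for each card-segment flow the policy does not permit."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        f = parse_flow(line)
        if f["src"] not in CARD_SEGMENT:
            continue  # other segments are outside this policy
        src, dst = str(f["src"]), str(f["dst"])
        if not any(f["dst"] in net for net in PROCESSOR_NETS):
            findings.append(Finding(n, src, dst, f["dport"], "destination not on processor allowlist"))
        elif f["dport"] not in PROCESSOR_PORTS:
            findings.append(Finding(n, src, dst, f["dport"], "processor reached on unapproved port"))
    return findings

# Constructed sample flow records, not real traffic.
SAMPLE_LOG = [
    "2024-01-01T02:13:07 10.20.0.15:49152 -> 198.51.100.4:443 tcp 1840",
    "2024-01-01T02:13:09 10.20.0.15:49153 -> 203.0.113.77:8080 tcp 524288",
    "2024-01-01T02:13:11 10.30.0.4:51000 -> 203.0.113.77:443 tcp 900",
    "2024-01-01T02:14:30 10.20.0.15:49154 -> 198.51.100.4:21 tcp 300",
]

if __name__ == "__main__":
    for hit in audit_egress(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.src} -> {hit.dst}:{hit.dport} ({hit.reason})")
```

Only flows originating in the card segment are judged; the third record comes from another segment and is deliberately ignored, which is the point of isolating that segment in the first place.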
The FTC's consent agreement with Dave & Buster's follows the form of agreement the FTC has agreed to in prior information security cases. The current agreement requires Dave & Buster's to "establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers." In the consent agreement, the FTC requires the content and implementation of this "comprehensive information program" be "fully documented in writing" and that the program "contain administrative, technical and physical safeguards" appropriate to Dave & Buster's size and complexity, the nature and scope of Dave & Buster's activities, and the sensitivity of the personal information collected from or about consumers. The "comprehensive information security program" required by the FTC must include five elements.
1. Designation of Responsible Employees. The first element in the comprehensive information security program is the designation of an employee or employees to coordinate and be accountable for the information security program.
2. Risk Analysis. The second element is "the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks." The FTC further specifies that "[a]t a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other system failures." For retailers like Dave & Buster's, one of the most important areas of relevant operation is the customer payment card system, which was the focal point of the breach in this case.
3. Reasonable Safeguards. The third element relates to the design and implementation of reasonable safeguards to control the risks identified through the risk assessment process and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems and procedures. It is important to stress "reasonable." The controls, systems and procedures should be cost effective. Typically, the FTC finds fault with companies that fail to use controls that are proven and well established in the marketplace.
4. Service Providers. The fourth element pertains to service providers. Under this element the FTC requires Dave & Buster's to take reasonable steps to select and retain service providers capable of appropriately safeguarding the personal information they receive from Dave & Buster's, and to require service providers by contract to implement and maintain appropriate safeguards. Information security risks have become so serious that information service provider contracts and other applicable contracts must deal effectively with information security risks.
5. Evaluation and Adjustment. Dave & Buster's is required to evaluate and adjust its information security program in light of the (i) results of the testing and monitoring operations, (ii) any material changes to Dave & Buster's operations or business arrangements, or (iii) any other circumstances that Dave & Buster's knows or has reason to know may have a material impact on the effectiveness of its information security program.
The FTC also required Dave & Buster's to engage an independent third-party professional to conduct an initial assessment and thereafter biennial assessments for ten (10) years. The assessment shall, among other requirements, "certify that Dave & Buster's security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period."
The Dave & Buster's complaint and resulting consent agreement are very instructive. They help define legal liability standards applicable to establishing, implementing and maintaining a legally sufficient comprehensive information security program. Information security programs should be documented in writing and cover, at a minimum, the elements required by the FTC in their comprehensive information security program.
Endnotes
[1] In the Matter of Dave & Buster's, Inc., FTC File No. 082 3153 (March 25, 2010).
[2] "Hacker gets decades in prison for cybercrime: Company must tighten security after break-in," FTC:WATCH No. 760 at p. 10 (March 29, 2010).
Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.