During a couple of weeks of extraordinary announcements of concerted attacks successfully carried out against CardServices, the FDIC, every organization in the UK, and of course the Israel Trojan fiasco, it may have been easy to overlook the consent agreement that the FTC has arranged with BJ's Wholesale. If you read the documents on the FTC's web site, you may quickly come to the same conclusion that I did: this is the single most important legal action in security to date. The repercussions will be greater than HIPAA, Sarbanes-Oxley, or GLB.
The FTC has used its existing authority to prosecute a company for unacceptable security precautions in the way it handled customer data at its stores. The consent agreement requires BJ's Wholesale to do what arguably it should have been doing all along:
• Designate an employee or employees to coordinate and be accountable for the information security program.
• Identify material internal and external risks to the security, confidentiality, and integrity of consumer information that could result in unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.
• Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards' key controls, systems, and procedures.
• Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that BJ's knows or has reason to know may have a material impact on the effectiveness of its information security program.

Part II of the proposed order requires that BJ's obtain within 180 days, and on a biennial basis thereafter, an assessment and report from a qualified, objective, independent third-party professional, certifying, among other things, that: (1) BJ's has in place a security program that provides protections that meet or exceed the protections required by Part I of the proposed order, and (2) BJ's security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of consumers' personal information has been protected.
This is a clear signal to *every* enterprise to look at its own security practices and beef them up to meet the new levels of threat that are now becoming painfully evident.