On March 25, 2010, the Federal Trade Commission (“FTC”) announced that it had entered into a settlement with entertainment operator, Dave & Buster’s, Inc., for alleged violations of Section 5(a) of the FTC Act, and for “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks.”
The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices.
According to the FTC’s complaint, an unauthorized individual was able to gain access to Dave and Buster’s networks between the dates of April 30, 2007 and August 28, 2007 and intercept credit card and debit card information (and other personal information) from approximately 130,000 consumers. In addition, according to the FTC, the affected issuing banks have collectively claimed several hundred thousand dollars in fraudulent charges on some of these compromised consumer accounts.
The FTC’s complaint states that, upon discovering the data security breach, Dave and Buster’s notified law enforcement officials and credit card companies, and took remedial steps to prevent further unauthorized access by the intruder. However, the FTC’s complaint also alleges that it was Dave and Buster’s “failure to employ reasonable and appropriate security measures to protect personal information” that enabled the unauthorized access behind the data breach. Among the failures cited by the FTC, Dave and Buster’s allegedly failed to employ an intrusion detection system, failed to monitor system logs, failed to use firewalls to limit access between in-store networks, failed to isolate the payment card system from the rest of the corporate network, and failed to use other readily available security measures, such as limiting access to its computer networks through the wireless access points on those networks.
The settlement agreement entered into between the FTC and Dave and Buster’s requires Dave and Buster’s, among other things, to establish, implement and maintain a comprehensive, written data security program that contains administrative, technical and physical safeguards designed to protect the security, confidentiality and integrity of personal consumer information. In addition, Dave and Buster’s is required to obtain and undergo an initial assessment and biennial assessments (for a period of 10 years from the date of the order) by a qualified third party regarding its implementation and maintenance of that program and those safeguards in compliance with the settlement agreement.
The FTC’s news release announcing the settlement, along with the FTC’s complaint and the settlement agreement containing the consent order, are available from the FTC.