Dave & Buster's FTC Consent Agreement Regarding Information Security Practices

In the Matter of Dave & Buster's, Inc., FTC File No. 082 3153 (March 25, 2010), the Federal Trade Commission (FTC) has accepted a consent agreement from Dave & Buster's, Inc. relating to alleged inadequate information security practices. The FTC's case helps to set the minimum legal liability standards for information security programs. In this Analysis, J. (Jay) T. Westermeier, of counsel at Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, examines the FTC's complaint and the FTC's consent agreement with Dave & Buster's. He writes:

Alleged Insufficient Information Security Practices

     In the Complaint, the FTC alleged that Dave & Buster's had engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks. The FTC alleged that Dave & Buster's failure to provide reasonable and appropriate information security permitted the intruder to exploit the vulnerabilities described in the Complaint as discussed below.

1. Detection, Prevention and Security Investigations

     The FTC alleged that Dave & Buster's had failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations. The intruder was able to access the Dave & Buster's computer networks repeatedly over a four-month period. The length of this undetected "breach" period supports the FTC's allegation. While these alleged insufficient practices are general in nature, the FTC mentions specifically two measures that could have been employed by Dave & Buster's that were not employed -- an intrusion detection system and monitoring system logs. Since both of these protective measures were mentioned specifically by the FTC, companies should consider employing such measures in their information security programs.

     . . . .

Comprehensive Information Security Program

     The FTC's consent agreement with Dave & Buster's follows the form of agreement the FTC has agreed to in prior information security cases. The current agreement requires Dave & Buster's to "establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers." In the consent agreement, the FTC requires the content and implementation of this "comprehensive information program" be "fully documented in writing" and that the program "contain administrative, technical and physical safeguards" appropriate to Dave & Buster's size and complexity, the nature and scope of Dave & Buster's activities, and the sensitivity of the personal information collected from or about consumers. The "comprehensive information security program" required by the FTC must include five elements.

1. Designation of Responsible Employees

     The first element in the comprehensive information security program is the designation of an employee or employees to coordinate and be accountable for the information security program.
