In the Matter of Dave & Buster's, Inc., FTC File No. 082 3153 (March 25, 2010), the Federal
Trade Commission (FTC) has accepted a consent agreement from Dave &
Buster's, Inc. relating to alleged inadequate information security practices. The
FTC's case helps to set the minimum legal liability standards for information
security programs. In this Analysis, J. (Jay) T. Westermeier, of counsel at
Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, examines the FTC's complaint
and the FTC's consent agreement with Dave & Buster's. He writes:
Insufficient Information Security Practices
In the Complaint, the FTC
alleged that Dave & Buster's had engaged in a number of practices that,
taken together, failed to provide reasonable and appropriate security for
personal information on its computer networks. The FTC alleged that Dave &
Buster's failure to provide reasonable and appropriate information security
permitted the intruder to exploit the vulnerabilities described in the
Complaint as discussed below.
Detection, Prevention and Security Investigations
The FTC alleged that Dave
& Buster's had failed to employ sufficient measures to detect and prevent
unauthorized access to computer networks or to conduct security investigations.
The intruder was able to access the Dave & Buster's computer networks
repeatedly over a four-month period. The length of this undetected "breach"
period supports the FTC's allegation. While these alleged insufficient
practices are general in nature, the FTC specifically mentions two measures that
Dave & Buster's could have employed but did not -- an intrusion detection
system and monitoring of system logs. Since both of these protective measures
were mentioned specifically by the FTC, companies should consider employing
such measures in their information security programs.
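To make concrete what "monitoring system logs" means in practice, and what it would have surfaced in a case like the one the FTC describes, here is an added illustration (not code from the FTC record, the consent agreement, or Dave & Buster's): a small Python check that reads sshd-style login lines and flags any external source address that keeps logging in across many days. The log format, host names, user names and addresses are constructed for the example; the thresholds (at least three distinct days spanning at least a week) are assumptions, not anything the FTC specified.

```python
"""Minimal log-monitoring check: flag remote logins that recur over weeks.

Added illustration only; the sample lines, hosts, users and addresses below
are constructed and do not come from the FTC complaint or consent agreement.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style log lines (ISO timestamp, host, process, event). Not real data.
SAMPLE_LOGS = """\
2024-03-01T02:14:07 pos-gw01 sshd[4112]: Accepted password for svc_backup from 203.0.113.5 port 51022 ssh2
2024-03-01T09:30:11 pos-gw01 sshd[4201]: Accepted password for jdoe from 10.0.4.17 port 50113 ssh2
2024-03-04T02:41:55 pos-gw01 sshd[4320]: Accepted password for svc_backup from 203.0.113.5 port 51803 ssh2
2024-03-09T03:02:19 pos-gw01 sshd[4388]: Accepted password for svc_backup from 203.0.113.5 port 52210 ssh2
2024-03-15T01:58:44 pos-gw01 sshd[4507]: Accepted password for svc_backup from 203.0.113.5 port 52998 ssh2
2024-03-15T13:12:03 pos-gw01 sshd[4511]: Failed password for root from 198.51.100.9 port 40011 ssh2
2024-03-22T02:20:31 pos-gw01 sshd[4690]: Accepted password for svc_backup from 203.0.113.5 port 53340 ssh2
2024-03-22T10:05:16 pos-gw01 sshd[4702]: Accepted password for jdoe from 10.0.4.17 port 50990 ssh2
"""

# Assumed line layout for the constructed sample; adapt the pattern to a real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_logins(text):
    """Return successful-login events as dicts; failed logins and unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "Accepted":
            continue
        events.append({
            "when": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def is_off_hours(when, start=22, end=6):
    """True if the hour falls in the [start, end) window, wrapping past midnight when start > end."""
    h = when.hour
    if start > end:
        return h >= start or h < end
    return start <= h < end


def is_private(ip):
    """RFC 1918 check on a dotted-quad string (enough for the constructed sample)."""
    if ip.startswith(("10.", "192.168.")):
        return True
    parts = ip.split(".")
    return parts[0] == "172" and 16 <= int(parts[1]) <= 31


def detect_persistent_external_access(text, min_days=3, min_span_days=7):
    """Flag external source addresses with successful logins on at least
    `min_days` distinct days spanning at least `min_span_days` days.
    Returns {ip: summary}; thresholds are assumed values for the example."""
    by_ip = defaultdict(list)
    for ev in parse_logins(text):
        if not is_private(ev["ip"]):
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        days = sorted({e["when"].date() for e in evs})
        span = (days[-1] - days[0]).days
        if len(days) >= min_days and span >= min_span_days:
            findings[ip] = {
                "logins": len(evs),
                "distinct_days": len(days),
                "span_days": span,
                "off_hours": sum(is_off_hours(e["when"]) for e in evs),
                "users": sorted({e["user"] for e in evs}),
                "hosts": sorted({e["host"] for e in evs}),
            }
    return findings


if __name__ == "__main__":
    for ip, s in detect_persistent_external_access(SAMPLE_LOGS).items():
        print(f"{ip}: {s['logins']} logins on {s['distinct_days']} days over "
              f"{s['span_days']} days, {s['off_hours']} off-hours, users={s['users']}")
```

On the constructed sample the check reports the one external address that logs in as a service account at roughly 02:00 on five separate days across three weeks, while ignoring the internal user's daytime logins and the single failed attempt. The point is not the specific rule but that the pattern the FTC describes, repeated access over months, is exactly the kind of signal that routine review of existing logs is meant to catch.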
. . . .
Information Security Program
The FTC's consent agreement
with Dave & Buster's follows the form of agreement the FTC has agreed to in
prior information security cases. The current agreement requires Dave &
Buster's to "establish and implement, and thereafter maintain, a comprehensive
information security program that is reasonably designed to protect the
security, confidentiality, and integrity of personal information collected from
or about consumers." In the consent agreement, the FTC requires that the content
and implementation of this "comprehensive information security program" be "fully
documented in writing" and that the program "contain administrative, technical and
physical safeguards" appropriate to Dave & Buster's size and complexity,
the nature and scope of Dave & Buster's activities, and the sensitivity of
the personal information collected from or about consumers. The "comprehensive
information security program" required by the FTC must include five elements.
Designation of Responsible Employees
The first element in the
comprehensive information security program is the designation of an employee or
employees to coordinate and be accountable for the information security