Once again, the Federal Trade Commission ("FTC" or "Commission") has concluded a proceeding against a company accused of failure
to protect its customers' private information.
The latest FTC data protection action, announced on April 21, 2004, involves Tower Records (more specifically, MTS, Incorporated,
a California corporation, doing business as Tower Records/Books/Video and Tower Direct, LLC, doing business as TowerRecords.com).
According to the FTC's complaint, Tower sold products through a website that collected certain information from visitors and
purchasers, including names, billing addresses, shipping addresses, email addresses, telephone numbers, and all of the Tower
products the users had purchased online since 1996. An application maintained on the website, called the "order status application,"
permitted consumers to access their Tower online purchase histories by supplying a unique order number assigned by Tower.
The order number thus served as the credential: by requiring it, Tower authenticated persons seeking access to their
purchase history information.
Apparently, Tower redesigned the "check out" portion of its site in late 2002 but failed to transfer all of the code associated
with its authentication procedures to the redesigned check out pages. The resulting vulnerability lasted for only eight days,
but during that time "personal information relating to approximately 5,225 customers was accessed by unauthorized users, and
at least two Internet chat rooms contained postings about the vulnerability, as well as comments about some consumers'
purchases." FTC Complaint at p. 3.
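The flaw the complaint describes, an authorization check that existed on one version of a page and was not carried over when the page was rewritten, is the kind of regression a per-release access-control test catches. The Python below is an added illustration, not Tower's code and not a transcription of the complaint: it models the check as session ownership of the order (an assumption; the page says only that an order number was required), places a checked handler beside a redesigned one that dropped the check, and runs both through the same test matrix. The orders, customer names and request shape are constructed.

```python
"""Illustration (not Tower's code): an order-status lookup with and without an
authorization check, plus a regression test that any redesign of the page must
keep passing. Data, names and the request shape are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample data standing in for an orders table.
ORDERS = {
    "A1001": {"customer": "alice@example.com", "items": ["CD: Kid A"], "ship_to": "1 Main St"},
    "A1002": {"customer": "bob@example.com", "items": ["DVD: Heat"], "ship_to": "2 Oak Ave"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: who is logged in, which order they ask for."""
    session_user: Optional[str]  # None = anonymous visitor
    order_number: str            # attacker-controlled query parameter


class Forbidden(Exception):
    pass


def order_status_original(req: Request) -> dict:
    """Checked page: the order is returned only if it belongs to the logged-in customer.
    (Assumed design for the example; the page does not describe Tower's actual check.)"""
    order = ORDERS.get(req.order_number)
    if order is None or req.session_user is None or order["customer"] != req.session_user:
        # Same response for "not found" and "not yours", so order numbers cannot be enumerated.
        raise Forbidden("order not available to this session")
    return order


def order_status_redesigned(req: Request) -> dict:
    """Redesigned page that dropped the ownership check: a valid order number returns any order.
    Constructed to show the flaw class; not a transcription of Tower's code."""
    order = ORDERS.get(req.order_number)
    if order is None:
        raise Forbidden("no such order")
    return order


def authorization_regression(handler: Callable[[Request], dict]) -> List[str]:
    """Run one access-control matrix against a handler and return the list of failures.
    An empty list means the handler enforced ownership on every probed path."""
    cases = [
        # (request, should_be_allowed)
        (Request("alice@example.com", "A1001"), True),   # owner reads own order
        (Request("alice@example.com", "A1002"), False),  # owner reads someone else's order
        (Request(None, "A1001"), False),                 # anonymous visitor with a valid number
        (Request("bob@example.com", "ZZZ"), False),      # nonexistent order
    ]
    failures = []
    for req, allowed in cases:
        try:
            handler(req)
            granted = True
        except Forbidden:
            granted = False
        if granted != allowed:
            failures.append(f"user={req.session_user} order={req.order_number} granted={granted}")
    return failures


if __name__ == "__main__":
    for name, handler in (("original", order_status_original),
                          ("redesigned", order_status_redesigned)):
        print(name, authorization_regression(handler) or "OK")
```

Run against every build of the order-status page, the same matrix flags the redesign before release: the checked handler returns no failures, the redesigned one fails the cross-customer and anonymous cases. That is the concrete form of the "security tests for its Web applications" and the "checks and controls on the process of writing and revising Web applications" that the Commission faulted Tower for lacking.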
In its complaint against Tower, the FTC alleged that the eight-day security lapse in late 2002 violated Tower's posted privacy
policy, which stated that "TowerRecords.com takes steps to ensure that your information is treated securely . . . [and] [o]nce
we receive your transmission, we make our best effort to ensure its security on our systems." Id. Among other alleged lapses, the FTC claimed that Tower had failed to: "implement appropriate checks and controls on the process
of writing and revising Web applications; adopt and implement policies and procedures regarding security tests for its Web
applications; and provide appropriate training and oversight for their employees regarding Web application vulnerabilities
and security testing." Id. at 3-4. According to the Commission, the alleged disparity between the assurances given in Tower's privacy policy, and the
security failure experienced in late 2002, constituted "unfair or deceptive acts or practices" in violation of the Federal
Trade Commission Act.
In order to settle the complaint, Tower entered into a long-term consent order of a kind that has become familiar to those
who follow the FTC's campaign against imperfection in the pursuit of data security. Among other things, Tower has agreed to
adopt and implement a comprehensive information security program, including an assessment of risks and appropriate corrective
measures in the areas of employee training, employee management, information systems, and prevention, detection, and response
to attacks, intrusions, or other system failures. Tower also must obtain an information security report from "a qualified,
objective, independent third-party professional . . . within [180 days] after service of the [FTC's] order, and biannually
thereafter for ten (10) years . . ." Like other orders of its kind entered into by the FTC in recent years, the Tower Records
order will remain in effect for 20 years.
The Tower Records order, like the settlements previously entered into between the FTC and Eli Lilly, Microsoft, and Guess?,
Inc., is a reminder to all American businesses of the harsh standard applied by the FTC in data security cases. (For a review
of those cases and their implications for American business, see Charles H. Kennedy and Joan E. Warrington, "Regulators Are
Watching Your Data Security," Privacy and Information Law Report, Vol. 4, Issue 1 (Glasser Legal Works, September, 2003).)
The Tower Records case also reflects the FTC's determination to ignore disclaimers of liability in corporate privacy policies.
In fact, the Tower privacy policy expressly stated that "TowerRecords.com cannot ensure or warrant the security or services
[sic], and you do so at your own risk." Although this disclaimer language seems plain enough, the FTC nonetheless claimed
that the privacy policy in which that language appeared made an enforceable commitment to protect the security of user information.
In view of the stringent data privacy standard the FTC seems determined to enforce, all businesses that collect customer information
should study the Tower consent decree and take steps to implement its provisions in their own enterprises.