Shostack + Friends Blog Archive


The FTC and BJs Wholesale

The FTC has recently issued a consent order to BJ’s Wholesale club in response to this complaint. The FTC, unfortunately, is the body charged with protecting consumers from ID theft. They are failing to rise to the challenge. This is obvious from the continued growth of ID theft. It is obvious from FTC Chair Deborah Platt Majoras’ testimony before Congress, saying that a company should only have to notify customers of mistakes if the company thinks it could be a problem. Now, the companies in these cases have just, prima facie, demonstrated a lack of security competence. Which the FTC would like to allow them to compound, at your expense.

So BJs, under the consent decree is allowed to continue things like saying “PHOTO ID REQUIRED upon first visit” (from their “Join the Club” page) Or, from their new privacy policy, “We collect personally identifiable information (such as your name, Membership number, address, e-mail address, telephone number and driver’s license number).”

BJs has demonstrated that they could not protect this information. That’s why they’ve entered into a consent decree. So why not forbid them from collecting such information? Why not say “You can’t collect information beyond what is needed to execute a transaction?” If I show up and say my name is John Doe, and I’d like to pay cash, why can BJ’s turn me away?

Sure, they have a “business model” that they’d like to preserve. And they’ve demonstrated that they are not responsible with the data that they collect. The information they collect is issued by, and certified by, the government, and the FTC should say, “Sorry, you must be at least this competent to maintain a collection of this sort of data.”

A second problem with the consent decree is the use of a security auditor. The auditor will look at issues from the company’s perspective. But the issue here is externalities, where the company is making poor choices for their customers, not for themselves.

Finally, there is no requirement that the auditor’s report be made public, and given past comments by Majoras about “public confidence,” every reason to believe that they will be kept private, however bad they are.

If you’d like to preserve your business model, it can’t involve dumping toxic waste into the river. It also can’t involve mandatory collection of data you can’t protect.

(Via Daniel Solove, “Is the FTC Finally Getting Serious About Security?” )

2 comments on "The FTC and BJs Wholesale"

  • john edwards says:

    I’m pretty relaxed about data collection. I’m an 18 year old billionaire astronaut, called William Gaits, I live in Buckingham Palace, I got my PhD from Oxford University at Cambridge and I am a practising brain surgeon. the data miners seem quite happy with various bits of this cv. If a serious financial institution ever lost my real data I would run up a suitable debt, dump them, log my costs and time, and when they sued me I would counter claim.

Comments are closed.