- FTC Settles Privacy Action With Tower Records
- May 26, 2004
- Law Firm: Graydon Head & Ritchey LLP - Cincinnati Office
The Tower settlement is the fourth time in a little over two years that the FTC has initiated action against a company for misrepresenting the security of personal consumer information. The FTC had previously brought cases against Eli Lilly, Microsoft Corp., and Guess? Inc.
In December 2002, Tower introduced a redesigned version of its order status page. This redesign, the FTC alleged, introduced a security vulnerability that allowed Web users to access Tower's order history records and view certain personal information about other Tower customers -- such as their names, billing and shipping addresses, e-mail addresses, phone numbers and their past Tower purchases.
The proposed consent order bars Tower from misrepresenting the extent to which it maintains and protects the privacy, confidentiality or security of personal information collected from or about consumers.
The order requires Tower to establish and maintain a comprehensive information security program. Furthermore, within six months after issuance of the order, Tower is required to obtain certification from an independent professional that its security program meets or exceeds the standards set in the settlement. After the initial certification, Tower must obtain similar certification of its security program every other year during the 10-year term of the order.
Standard record-keeping provisions are included in the proposed settlement to allow the FTC to monitor compliance.
The moral of the story is simple. If you make promises about privacy, the FTC is ready to make sure you keep them.