• FTC Settles Privacy Action With Tower Records
  • May 26, 2004
  • Law Firm: Graydon Head & Ritchey LLP - Cincinnati Office

    On April 21, the Federal Trade Commission (FTC) announced that it had reached a settlement with Tower Records over security vulnerabilities that, the agency says, exposed personal customer information online, in violation of representations made in the company's privacy policy.

    As part of the settlement, Tower Records agreed to take affirmative steps to protect its customers' personal data and to avoid making misrepresentations about its privacy policy. In addition, the Tower online record store will be required to implement an appropriate security program and to conduct, through a qualified third-party security professional, biennial audits of its Web site security.

    The Tower settlement is the fourth time in a little over two years that the FTC has initiated action against a company for misrepresenting the security of personal consumer information. The FTC had previously brought cases against Eli Lilly, Microsoft Corp., and Guess? Inc.

    Tower Records sells music and video recordings, books and other entertainment products through retail stores and through its Web site, TowerRecords.com. According to the FTC, in spite of Tower's privacy policy representations and its express assurances to prospective customers, there was a security flaw in the company's Web site that exposed customers' personal information to other Internet users. The security vulnerability was easy to prevent and fix, the agency stated.

    In December 2002, Tower introduced a redesigned version of its order status page. This redesign, the FTC alleged, introduced a security vulnerability that allowed Web users to access Tower's order history records and view certain personal information about other Tower customers, such as their names, billing and shipping addresses, e-mail addresses, phone numbers and their past Tower purchases.

    The FTC charged that Tower failed to implement appropriate controls in revising its Web applications, use proper procedures to test the security of its Web site, and train and oversee its employees. The FTC contended that this failure made Tower's privacy policy assurances false and misleading in violation of FTC Act Section 5.
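    The failure the two paragraphs above describe, as an added illustration that is not part of this article or of the FTC's complaint: an order-status lookup that trusts a client-supplied order number alone, beside a version scoped to the logged-in customer, plus the kind of cross-account regression check that "proper procedures to test the security of its Web site" would include. The page does not say how Tower's page actually worked; the lookup-by-order-number mechanism, the record layout and all sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumption (not stated in the article): the redesigned order status page
# looked up a record by a client-supplied order number only.

@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int          # owner of the record
    name: str
    shipping_address: str
    email: str

# Constructed sample order records for two different customers (not real data).
ORDERS: Dict[int, Order] = {
    1001: Order(1001, 7, "Alice Example", "1 Main St, Cincinnati, OH", "alice@example.com"),
    1002: Order(1002, 8, "Bob Example", "2 Elm St, Cincinnati, OH", "bob@example.com"),
}

def order_status_vulnerable(order_id: int, session_customer_id: int) -> Optional[Order]:
    """Before: the record is fetched by order number alone. The logged-in customer
    is never compared with the record's owner, so any user who supplies another
    order number reads that customer's name, address and e-mail."""
    return ORDERS.get(order_id)

def order_status_fixed(order_id: int, session_customer_id: int) -> Optional[Order]:
    """After: the lookup is scoped to the authenticated customer. An order owned
    by someone else gets the same answer as a nonexistent one, so the response
    does not even confirm which order numbers are valid."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        return None
    return order

def cross_account_leaks(handler: Callable[[int, int], Optional[Order]]) -> List[Tuple[int, int]]:
    """Regression check: for every order and every customer who does not own it,
    record the (order_id, customer_id) pairs the handler still discloses.
    An empty list means ownership is enforced."""
    customers = {o.customer_id for o in ORDERS.values()}
    leaks: List[Tuple[int, int]] = []
    for order in ORDERS.values():
        for cid in customers:
            if cid != order.customer_id and handler(order.order_id, cid) is not None:
                leaks.append((order.order_id, cid))
    return sorted(leaks)

if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_account_leaks(order_status_vulnerable))
    print("fixed handler leaks:     ", cross_account_leaks(order_status_fixed))
```

    Running the check against each revision of a handler before it ships is the control the FTC said was missing: the vulnerable version reports two cross-account disclosures, the scoped version none.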

    The proposed consent order bars Tower from misrepresenting the extent to which it maintains and protects the privacy, confidentiality or security of personal information collected from or about consumers.

    The order requires Tower to establish and maintain a comprehensive information security program. Furthermore, within six months after issuance of the order, Tower is required to obtain certification of its security program as meeting or exceeding the standards set in the settlement by an independent professional. After the initial certification, Tower must obtain similar certification of its security program every other year during the 10-year term of the order.

    Standard record-keeping provisions are included in the proposed settlement to allow the FTC to monitor compliance.

    The moral of the story is simple. If you make promises about privacy, the FTC is ready to make sure you keep them.