For Release: April 21, 2004

Tower Records Settles FTC Charges

Security Flaw Allegedly Exposed Customers’ Personal Information to Other Web Users
MTS, Inc., and Tower Direct, LLC, (“Tower”) have agreed to settle Federal Trade Commission charges that a security flaw in the Tower Web site exposed customers’ personal information to other Internet users, in violation of Tower’s privacy policy representations and federal law. The settlement will bar misrepresentations in the future, require Tower to implement an appropriate security program, and require audits of its Web site security every two years by a qualified third-party security professional for ten years.
The FTC alleges that, at the www.TowerRecords.com site, Tower’s privacy policy made claims such as “We use state-of-the-art technology to safeguard your personal information,” and “Your TowerRecords.com Account information is password-protected. You and only you have access to this information.” When Tower redesigned its site, however, it introduced a security vulnerability that allowed Web users to access Tower’s order history records and view certain personal information about other Tower customers, such as their names, billing and shipping addresses, e-mail addresses, phone numbers, and their past Tower purchases.
The FTC complaint charges that the security flaw was easy to prevent and fix, but that Tower failed to implement appropriate checks and controls in the process of writing and revising its Web applications; adopt and implement policies and procedures to test the security of its Web site; and provide appropriate training and oversight for its employees. It charges that Tower’s privacy policy assurances were therefore false and violated the FTC Act.
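The two failures the complaint names, a missing access check in the Web application and no procedure for testing the site after changes, are illustrated below in an added example that is not Tower’s code and not part of this release. The release does not say how the flaw was triggered; the example assumes the common pattern of an order-history page that fetches an order by a client-supplied order number and shows the unchecked lookup beside the hardened one, together with a regression check that can be re-run after every redesign. All names, records and the session model are constructed for the illustration.

```python
"""Added example (not Tower's code): an order-history lookup without and with
an ownership check, plus a regression check for cross-customer access.

Assumption: the order is fetched by a client-supplied order number while the
session identifies the customer. Sample data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int        # the customer who placed the order
    name: str
    email: str
    items: tuple


# Constructed sample data standing in for an order-history table.
ORDERS = {
    1001: Order(1001, 7, "A. Customer", "a@example.com", ("CD-001",)),
    1002: Order(1002, 8, "B. Customer", "b@example.com", ("CD-002", "DVD-009")),
    1003: Order(1003, 7, "A. Customer", "a@example.com", ("CD-003",)),
}


class Forbidden(Exception):
    """Raised when an authenticated customer requests an order it does not own."""


def get_order_unchecked(session_customer_id: int, order_id: int) -> Optional[Order]:
    """The flawed shape: the session proves the caller is *some* customer, but
    nothing ties the requested order to that customer, so any logged-in user
    can walk through order numbers and read other customers' records."""
    return ORDERS.get(order_id)


def get_order(session_customer_id: int, order_id: int) -> Optional[Order]:
    """The hardened shape: look the order up, then refuse it unless the
    authenticated customer owns it. Missing orders return None and foreign
    orders raise Forbidden; an endpoint may choose to answer 404 for both so
    that valid order numbers are not revealed."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if order.customer_id != session_customer_id:
        raise Forbidden(f"customer {session_customer_id} may not read order {order_id}")
    return order


def order_history(session_customer_id: int) -> list:
    """Listing endpoints filter by the session identity, never by a
    client-supplied customer id."""
    return [o for o in ORDERS.values() if o.customer_id == session_customer_id]


def cross_customer_access_check(lookup: Callable[[int, int], Optional[Order]]) -> list:
    """Regression check to run after every site change: for each order, try
    to fetch it as every customer who did not place it. Returns the sorted
    (customer_id, order_id) pairs that leaked; an empty list means the
    ownership control held."""
    customers = {o.customer_id for o in ORDERS.values()}
    leaks = []
    for order in ORDERS.values():
        for other in customers - {order.customer_id}:
            try:
                got = lookup(other, order.order_id)
            except Forbidden:
                continue
            if got is not None:
                leaks.append((other, order.order_id))
    return sorted(leaks)


if __name__ == "__main__":
    print("unchecked lookup leaks:", cross_customer_access_check(get_order_unchecked))
    print("checked lookup leaks:  ", cross_customer_access_check(get_order))
```

Run stand-alone, the script reports three leaked (customer, order) pairs for the unchecked lookup and none for the checked one. The check is deliberately written against the lookup function rather than against a particular page, so it survives a redesign of the presentation layer and catches exactly the regression the release describes.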
This is the agency’s fourth case targeting companies that misrepresent the security of consumers’ personal information. “In a fast moving world of electronic commerce, change is inevitable,” said Howard Beales, Director of the FTC’s Bureau of Consumer Protection. “Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities. Just as consumers remodeling their homes would make sure that the doors still have locks, companies should make sure that sensitive data is still protected.”
The settlement bars Tower from misrepresenting the extent to which it maintains and protects the privacy, confidentiality, or security of personal information collected from or about consumers. It also requires that Tower establish and maintain a comprehensive information security program. In addition, the company must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within six months, and every other year thereafter for a period of ten years. The settlement also contains record-keeping provisions to allow the FTC to monitor compliance.
The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through May 21, 2004, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
NOTE: A consent agreement is for settlement purposes only and does not constitute an admission of a law violation. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $11,000.
Copies of the complaint and consent agreement are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.
The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
MEDIA CONTACT:
Claudia Bourne Farrell
Office of Public Affairs
202-326-2181
STAFF CONTACT:
Laura Mazzarella or Jessica Rich
Bureau of Consumer Protection
202-326-3224
(FTC File No. 032-3209)
(http://www.ftc.gov/opa/2004/03/towerrecords.htm)
Related Documents:
In the Matter of MTS, Inc., doing business as Tower Records/Books/Video, a corporation, and Tower Direct, LLC, doing business as TowerRecords.com, a corporation, File No. 032-3209