Information about http://www.ftc.gov/os/caselist/0523096/051201agree0523096.pdf

Pages: 8
Language: english
Created: Thu Dec 1 09:06:27 2005
                                                                               FILE NO. 052 3096

                             UNITED STATES OF AMERICA 

                             FEDERAL TRADE COMMISSION


                                      )
In the Matter of                      )               DOCKET NO.
                                      )
DSW Inc.,                             )               AGREEMENT CONTAINING
a corporation.                        )               CONSENT ORDER
                                      )
                                      )

        The Federal Trade Commission has conducted an investigation of certain acts and
practices of DSW Inc., an Ohio corporation ("proposed respondent"). Proposed respondent,
having been represented by counsel, is willing to enter into an agreement containing a consent
order resolving the allegations contained in the attached draft complaint. Therefore,

       IT IS HEREBY AGREED by and between DSW Inc., by its duly authorized officers, and
counsel for the Federal Trade Commission that:

       1.      Proposed respondent DSW Inc. is an Ohio corporation with its principal office or
place of business at 4150 East 5th Avenue, Columbus, Ohio 43219.

      2.       Proposed respondent admits all the jurisdictional facts set forth in the draft
complaint.

       3.      Proposed respondent waives:

               A.     any further procedural steps;

               B.     the requirement that the Commission's decision contain a statement of
                      findings of fact and conclusions of law; and

               C.     all rights to seek judicial review or otherwise to challenge or contest the
                      validity of the order entered pursuant to this agreement.

        4.      This agreement shall not become part of the public record of the proceeding
unless and until it is accepted by the Commission. If this agreement is accepted by the
Commission, it, together with the draft complaint, will be placed on the public record for a
period of thirty (30) days and information about it publicly released. The Commission thereafter
may either withdraw its acceptance of this agreement and so notify proposed respondent, in
which event it will take such action as it may consider appropriate, or issue and serve its
complaint (in such form as the circumstances may require) and decision in disposition of the
proceeding.

        5.     This agreement is for settlement purposes only and does not constitute an
admission by proposed respondent that the law has been violated as alleged in the draft
complaint, or that the facts as alleged in the draft complaint, other than the jurisdictional facts,
are true.

         6.     This agreement contemplates that, if it is accepted by the Commission, and if such
acceptance is not subsequently withdrawn by the Commission pursuant to the provisions of
Section 2.34 of the Commission's Rules, the Commission may, without further notice to
proposed respondent, (1) issue its complaint corresponding in form and substance with the
attached draft complaint and its decision containing the following order in disposition of the
proceeding, and (2) make information about it public. When so entered, the order shall have the
same force and effect and may be altered, modified, or set aside in the same manner and within
the same time provided by statute for other orders. The order shall become final upon service.
Delivery of the complaint and the decision and order to proposed respondent's address as stated
in this agreement by any means specified in Section 4.4(a) of the Commission's Rules shall
constitute service. Proposed respondent waives any right it may have to any other manner of
service. The complaint may be used in construing the terms of the order. No agreement,
understanding, representation, or interpretation not contained in the order or in the agreement
may be used to vary or contradict the terms of the order.

       7.       Proposed respondent has read the draft complaint and consent order. It
understands that it may be liable for civil penalties in the amount provided by law and other
appropriate relief for each violation of the order after it becomes final.

                                           DEFINITIONS

       For purposes of this order, the following definitions shall apply:

        1.      "Personal information" shall mean individually identifiable information from or
about an individual consumer including, but not limited to: (a) a first and last name; (b) a home
or other physical address, including street name and name of city or town; (c) an email address or
other online contact information, such as an instant messaging user identifier or a screen name
that reveals an individual's email address; (d) a telephone number; (e) a Social Security number;
(f) credit and/or debit card information, including credit and/or debit card number, expiration
date, and data stored on the magnetic strip of a credit or debit card; (g) checking account
information, including the ABA routing number, account number, and check number; (h) a
driver's license number; or (i) any other information from or about an individual consumer that is
combined with (a) through (h) above.

       2.     "Commerce" shall mean as defined in Section 4 of the Federal Trade Commission
Act, 15 U.S.C. § 44.

       3.       Unless otherwise specified, "respondent" shall mean DSW Inc., its successors and
assigns and its officers, agents, representatives, and employees.

                                                 I.

        IT IS ORDERED that respondent, directly or through any corporation, subsidiary,
division, or other device, in connection with the advertising, marketing, promotion, offering for
sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of
service of this order, establish and implement, and thereafter maintain, a comprehensive
information security program that is reasonably designed to protect the security, confidentiality,
and integrity of personal information collected from or about consumers. Such program, the
content and implementation of which must be fully documented in writing, shall contain
administrative, technical, and physical safeguards appropriate to respondent's size and
complexity, the nature and scope of respondent's activities, and the sensitivity of the personal
information collected from or about consumers, including:

               A.      the designation of an employee or employees to coordinate and be
                       accountable for the information security program.

               B.      the identification of material internal and external risks to the security,
                       confidentiality, and integrity of personal information that could result in
                       the unauthorized disclosure, misuse, loss, alteration, destruction, or other
                       compromise of such information, and assessment of the sufficiency of any
                       safeguards in place to control these risks. At a minimum, this risk
                       assessment should include consideration of risks in each area of relevant
                       operation, including, but not limited to: (1) employee training and
                       management; (2) information systems, including network and software
                       design, information processing, storage, transmission, and disposal; and
                       (3) prevention, detection, and response to attacks, intrusions, or other
                       system failures.

               C.      the design and implementation of reasonable safeguards to control the
                       risks identified through risk assessment, and regular testing or monitoring
                       of the effectiveness of the safeguards' key controls, systems, and
                       procedures.

               D.      the evaluation and adjustment of respondent's information security
                       program in light of the results of the testing and monitoring required by
                       subparagraph C, any material changes to respondent's operations or
                       business arrangements, or any other circumstances that respondent knows
                       or has reason to know may have a material impact on the effectiveness of
                       its information security program.

                                                 II.

        IT IS FURTHER ORDERED that, in connection with its compliance with Paragraph I of
this order, respondent shall obtain initial and biennial assessments and reports ("Assessments")
from a qualified, objective, independent third-party professional, using procedures and standards
generally accepted in the profession. The reporting period for the Assessments shall cover:
(1) the first one hundred and eighty (180) days after service of the order for the initial
Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the
order for the biennial Assessments. Each Assessment shall:

               A.      set forth the specific administrative, technical, and physical safeguards
                       that respondent has implemented and maintained during the reporting
                       period;

               B.      explain how such safeguards are appropriate to respondent's size and
                       complexity, the nature and scope of respondent's activities, and the
                       sensitivity of the nonpublic personal information collected from or about
                       consumers;

               C.      explain how the safeguards that have been implemented meet or exceed
                       the protections required by Paragraph I of this order; and

               D.      certify that respondent's security program is operating with sufficient
                       effectiveness to provide reasonable assurance that the security,
                       confidentiality, and integrity of nonpublic personal information is
                       protected and has so operated throughout the reporting period.

Each Assessment shall be prepared and completed within sixty (60) days after the end of the
reporting period to which the Assessment applies by a person qualified as a Certified Information
System Security Professional (CISSP); a person qualified as a Certified Information Systems
Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the
SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or
organization approved by the Associate Director for Enforcement, Bureau of Consumer
Protection, Federal Trade Commission, Washington, D.C. 20580.

Respondent shall provide the initial Assessment, as well as all: plans, reports, studies, reviews,
audits, audit trails, policies, training materials, and assessments, whether prepared by or on
behalf of respondent, relied upon to prepare such Assessment to the Associate Director for
Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C.
20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial
Assessments shall be retained by respondent until the order is terminated and provided to the
Associate Director of Enforcement within ten (10) days of request.

                                                 III.

       IT IS FURTHER ORDERED that respondent shall maintain, and upon request make
available to the Federal Trade Commission for inspection and copying, a print or electronic copy
of each document relating to compliance with the terms and provision of this order, including but
not limited to:

               A.      for a period of five (5) years: any documents, whether prepared by or on
                       behalf of respondent, that contradict, qualify, or call into question
                       respondent's compliance with this order; and

               B.      for a period of three (3) years after the date of preparation of each biennial
                       Assessment required under Paragraph II of this order: all plans, reports,
                       studies, reviews, audits, audit trails, policies, training materials, and
                       assessments, whether prepared by or on behalf of respondent, relating to
                       respondent's compliance with Paragraphs I and II of this order for the
                       reporting period covered by such biennial Assessment.

                                                 IV.

        IT IS FURTHER ORDERED that, for a period of ten (10) years after the date of service
of this order, respondent shall deliver a copy of this order to all current and future principals,
officers, directors, and managers, and to all current and future employees, agents, and
representatives having supervisory responsibilities with respect to the subject matter of this order.
Respondent shall deliver this order to such current personnel within thirty (30) days after the date
of service of this order, and to such future personnel within thirty (30) days after the person
assumes such position or responsibilities.

                                                 V.

        IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty
(30) days prior to any change in the corporation that may affect compliance obligations arising
under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other
action that would result in the emergence of a successor corporation; the creation or dissolution
of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the
proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided,
however, that, with respect to any proposed change in the corporation about which respondent
learns less than thirty (30) days prior to the date such action is to take place, respondent shall
notify the Commission as soon as is practicable after obtaining such knowledge. All notices
required by this Paragraph shall be sent by certified mail to the Associate Director, Division of
Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C.
20580.


                                                VI.

        IT IS FURTHER ORDERED that respondent shall, within one hundred eighty (180) days
after service of this order, and at such other times as the Federal Trade Commission may require,
file with the Commission an initial report, in writing, setting forth in detail the manner and form
in which it has complied with this order.

                                                VII.

        This order will terminate twenty (20) years from the date of its issuance, or twenty (20)
years from the most recent date that the United States or the Federal Trade Commission files a
complaint (with or without an accompanying consent decree) in federal court alleging any
violation of the order, whichever comes later; provided, however, that the filing of such a
complaint will not affect the duration of:

       A.      Any Paragraph in this order that terminates in less than twenty (20) years;

       B.      This order's application to any respondent that is not named as a defendant in
               such complaint; and

       C.      this order if such complaint is filed after the order has terminated pursuant to this
               Paragraph.

       Provided, further, that if such complaint is dismissed or a federal court rules that the
respondent did not violate any provision of the order, and the dismissal or ruling is either not
appealed or upheld on appeal, then the order will terminate according to this Paragraph as though
the complaint had never been filed, except that the order will not terminate between the date such
complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date
such dismissal or ruling is upheld on appeal.

By the Commission.


Signed this ___ day of _________________, 2005


                                              DSW INC.




By:     ___________________________________
        DSW INC.




        ___________________________________
        WILLIAM C. MACLEOD
        Collier Shannon Scott, PLLC
        Counsel for respondent DSW Inc.




        ___________________________________
        JAMES E. PHILLIPS
        BENITA KAHN
        Vorys, Sater, Seymour and Pease LLP
        Counsel for respondent DSW Inc.



        FEDERAL TRADE COMMISSION



        __________________________________
        JESSICA RICH
        MOLLY CRAWFORD
        LARA KAUFMANN
        Counsel for the Federal Trade Commission




APPROVED:



______________________________
JOEL WINSTON
Associate Director
Division of Financial Practices



______________________________
LYDIA B. PARNES
Director
Bureau of Consumer Protection



