FTC settlement with Dave & Buster’s shows broad range of security failures

In a notice published yesterday, the Federal Trade Commission (FTC) announced the terms of a settlement agreed to by entertainment chain Dave & Buster’s. The settlement stems from FTC charges that the company failed to adequately protect customer credit card information, allowing hackers to compromise the credit card information of over 130,000 customers and resulting in hundreds of thousands of dollars in fraudulent charges. The wording of the settlement statement faults Dave & Buster’s for its alleged failure to make use of “readily available” security measures to protect its network from unauthorized access or to take “reasonable steps” to secure personal information collected from customers. These charges are the latest in a series of more than two dozen cases involving faulty data security practices, where the administrative complaints lodged by the FTC provide relevant examples of the legal principle of “due care.” We touched earlier this week on the concepts of due care and legal defensibility, and FTC actions such as the one against Dave & Buster’s follow the nearly 80-year-old federal legal precedent established by the decision in the T.J. Hooper case (60 F.2d 737 (1932)), specifically that failure to use available protective measures translates into legal liability for any damages incurred.

Based on the FTC’s allegations and the fact that the compromised data was credit card information, it is entirely likely that Dave & Buster’s was also in violation of the Payment Card Industry Data Security Standard (PCI DSS), which includes specific requirements for cardholder data protection that must be followed by merchants accepting credit card transactions. The PCI Security Standards Council maintains the requirements framework for DSS and other security standards, while compliance with and enforcement of the standards is typically handled by payment card industry brands (Visa, MasterCard, Discover, American Express, etc.). Compliance (or the lack thereof) with PCI DSS or other security standards or regulations is outside the scope of FTC jurisdiction, so it remains to be seen if Dave & Buster’s will face any further sanctions. Under the terms of the settlement agreement, the company agreed not only to establish and maintain a security program to protect personal information, but also to biennial independent security audits for 10 years to monitor compliance with the settlement.