Originally published by Ballard Spahr Andrews & Ingersoll, LLP, 1 April 2008.

9 May 2008. Businesses that collect consumers' personal information have been reminded again: Protect that information or face painful consequences.

Retailer TJX Cos. and data brokers Reed Elsevier (REI) and Seisint, in settlements with the Federal Trade Commission (FTC), agreed last week to have their security programs audited every other year for 20 years. The companies must retain independent, third-party security auditors to do the job. They also must implement stronger security programs and be subject to provisions that enable the FTC to monitor compliance.

TJX, which owns T.J. Maxx and other discount retail stores, in January 2007, disclosed that hackers had broken into its computer network, exposing at least 45 million credit cards to fraud. Banks that sued TJX estimated that more than 100 million cards were affected. Seisint, acquired by REI in 2004, allowed customers to use "easy-to-guess passwords" to enter its Accurint databases, the FTC stated. Identity thieves broke through the barriers.

In 2005, a shoe outlet and a wholesale club reached similar agreements with the FTC after security breaches. In addition to measures imposed by the FTC, at least 35 states have legislation in place regulating the handling of consumers' personal information -- commonly defined as a person's first and last names in combination with a Social Security, driver's license, credit or debit card number. Most impose penalties on businesses that fail to report security breaches. Businesses also must meet standards established by the payment card industry (PCI).

Ballard Spahr has counseled businesses of all sizes in how to securely maintain personal information and become PCI-compliant. To discuss this or related issues, including best business practices to avoid state and/or federal enforcement action resulting from data security breaches, please contact Ronald Sarachan, partner-in-charge, White Collar Litigation Group, at 215.864.8333.

Copyright © 2008 by Ballard Spahr Andrews & Ingersoll, LLP. all rights reserved.

Gina Maisto Smith is of counsel in the Litigation Department and a member of the White Collar Litigation Group, Health Care Group, Corporate Compliance and Investigations Group, the Medicare Part D Compliance Team and the Higher Education Industry Group in Ballard Spahr Andrews & Ingersoll, LLP.

Cecilia Isaacs-Blundin is an associate in the Litigation Department and a member of the White Collar Litigation Group in Ballard Spahr Andrews & Ingersoll, LLP.