The other shoe fell today for DSW, the national footwear discounter that admitted in March that hackers accessed more than three months’ worth of customer data.
In a settlement with the Federal Trade Commission (FTC), DSW agreed to implement a comprehensive security plan and to obtain independent audits by a third-party security firm every other year for 20 years.
The security program must include administrative, technical and physical safeguards.
Until at least March of this year, the FTC claims, DSW engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive customer information.
The FTC said DSW’s failure to secure customers’ sensitive data constituted an unfair trade practice, because it caused substantial injury that was not unreasonably avoidable by consumers. The FTC further charged that offsetting benefits to consumers, such as credit, debit and check approvals, did not outweigh the consumer injuries.
According to the FTC, the DSW security lapse compromised 1.4 million customer credit and debit cards and 96,000 checking accounts. The FTC said that there have been fraudulent charges on some of the compromised accounts.
The FTC said DSW’s exposure for losses related to the breach ranges from $6.5 million to $9.5 million.
As outlined in the FTC complaint, DSW uses computer networks to obtain authorization for credit card, debit card and check purchases at its stores and to track inventory. Columbus, Ohio-based DSW operates approximately 190 stores in 32 states. In 2004, the company generated $961 million in net sales and sold approximately 23.7 million pairs of shoes.