Promises and problems in electronic records management

Posted on July 6, 2009 in HR Info Center

Adequate security levels are implicit in all electronic records management

Now, the question, of course, was: well, could a company avoid getting in trouble with the FTC despite not making any promises to the public about data security in their electronic records management?

The answer to that turned out to be no. The BJ’s case was revolutionary. What happened in the BJ’s case is that the FTC took action against a company that made no promises to the public about data security in their electronic records management. BJ’s is a bulk grocery retailer similar to Costco. They had wireless networks in their stores to transmit credit card data that was being authorized, for instance, when it was being swiped. As it registers, it would be transmitted to other computers and back and forth.

The wireless network was not, according to the FTC, secured, and they were using default passwords and IDs, which made it easy and actually allowed criminals sitting outside of the store to skim that credit card data and turn around and use it, sell it, for identity theft purposes.

BJ’s did not make any promises to customers about its data security practices in its store, but the FTC said, “Look, it doesn’t matter. If you’re not providing adequate data security, you’re engaged in an unfair business practice in regards to your electronic records management and we can come after you anyway.”

And this ended up with BJ’s entering into a 20-year consent decree with the FTC and its getting a lot of bad publicity out of it as well.

So the key idea here though is that there are no laws or regulations stating that BJ’s had to take all of the different security measures the FTC felt they should have taken.

The idea was simply that BJ’s had to take adequate data security practices. And that really puts the burden on the company to figure out what adequate measures are. It’s not just following the letter of the law, because certainly the laws can’t keep up with technology developments. It’s really a standard of reasonableness with electronic records management.

Edited remarks from the Rapid Learning Institute webinar: “Identity Theft: What HR Can Do To Protect Sensitive Employee Data” by Christine E. Lyon, Esq.
