
Pet shop's data security breached own privacy policy

OUT-LAW News, 19/11/2004

Petco Animal Supplies has settled charges brought by the US Federal Trade Commission (FTC) over security flaws in its web site that exposed customer data, including credit card numbers, despite assuring users that their details would be protected.

In a settlement announced on Wednesday, the FTC has required Petco to establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. The deal includes auditing obligations that will apply to Petco for the next 20 years.

The pet supplier has also been prohibited from misrepresenting the extent to which it maintains and protects sensitive consumer information.

Petco has sold pet food and supplies to consumers through its on-line store since February 2001. According to the FTC, Petco made security claims on the site, such as:

"At PETCO.com, protecting your information is our number one priority, and your personal information is strictly shielded from unauthorised access.

Entering your credit card number via our secure server is completely safe. The server encrypts all of your information; no one except you can access it."

According to the complaint, however, the web site was vulnerable to commonly known web-based application attacks, such as Structured Query Language (SQL) injection attacks.

The FTC alleged that Petco created these vulnerabilities in its web site by failing to implement reasonable and appropriate security measures to secure and protect sensitive consumer information, including simple, readily available defences that would have blocked such attacks.

The agency also charged that the sensitive information Petco obtained through its web site was not maintained in an encrypted format, as it claimed. As a result, a hacker was able to penetrate the Petco web site and access credit card numbers stored in unencrypted clear text.

Finally, the FTC charged that Petco's claims were deceptive and violated the Federal Trade Commission Act.

"Consumers have the right to expect companies to keep their promises about the security of the confidential consumer information they collect," said Lydia Parnes, Acting Director of the FTC's Bureau of Consumer Protection. "The FTC will hold companies to their word."

The settlement requires that Petco implement a comprehensive information security program for its web site and prohibits Petco from making further misrepresentations over the extent of its information security.

It requires that Petco arrange biennial audits of its security program by an independent third party certifying that Petco's security program is sufficiently effective to provide reasonable assurance that the security, confidentiality and integrity of consumers' personal information has been protected. The settlement also contains record keeping provisions to allow the FTC to monitor compliance.

Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.