The settlement requires Tower to implement an appropriate security program, prohibits the company from misrepresenting the adequacy of its security in its privacy policy, and requires the company to carry out web site security audits every two years, for ten years.
The charges relate to an incident in autumn 2002, when Tower Records, owned by MTS Incorporated, made changes to its web site, but forgot to update an element of the site that allows users to check the status of their order.
As a result, users were able to view the orders of other web site customers simply by changing the order number on the order status page. Hackers would therefore be able to access information about other customers, including their names, billing and shipping address, e-mail addresses, phone numbers, and their past Tower purchases.
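The order-status flaw described above, as an added illustration that is not Tower's code: a lookup keyed only on the order number beside one that also checks the order belongs to the logged-in customer, with an audit helper showing what each reveals. All customer names, order numbers and addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: str
    shipping_address: str
    items: tuple

# Constructed sample store: three customers with sequential order numbers.
ORDERS = {
    1001: Order(1001, "alice", "1 Main St", ("CD A",)),
    1002: Order(1002, "bob", "2 Oak Ave", ("CD B", "CD C")),
    1003: Order(1003, "carol", "3 Pine Rd", ("DVD D",)),
}

def order_status_vulnerable(session_customer: str, order_id: int) -> Optional[Order]:
    """The pattern the article describes: the page trusts the order number in
    the request and never consults who is logged in (session_customer unused),
    so changing the number shows another customer's order."""
    return ORDERS.get(order_id)

def order_status_fixed(session_customer: str, order_id: int) -> Optional[Order]:
    """Server-side ownership check: return the order only if it belongs to the
    customer bound to the session. A missing order and someone else's order
    both yield None, so the response does not reveal which case occurred."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer:
        return None
    return order

def exposed_orders(handler: Callable[[str, int], Optional[Order]],
                   session_customer: str) -> set:
    """Audit helper: walk the whole order-number range as one logged-in
    customer and report which orders the handler reveals. This is the kind of
    regression check that would have caught the flaw after the site change."""
    lo, hi = min(ORDERS), max(ORDERS)
    return {oid for oid in range(lo, hi + 1)
            if handler(session_customer, oid) is not None}

if __name__ == "__main__":
    print("vulnerable:", sorted(exposed_orders(order_status_vulnerable, "alice")))
    print("fixed:     ", sorted(exposed_orders(order_status_fixed, "alice")))
```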
The FTC argued that this was in breach of claims made on the web site privacy policy that "We use state-of-the-art technology to safeguard your personal information," and "Your TowerRecords.com Account information is password-protected. You and only you have access to this information."
The FTC complaint also charged that the security flaw was easy to prevent and to fix, but that Tower failed: to implement appropriate checks and controls in the process of writing and revising its web applications; to adopt and implement policies and procedures to test the security of its web site; and to provide appropriate training for its employees.
The complaint concluded that Tower's privacy policy assurances were therefore false and violated the Federal Trade Commission Act.
The settlement, announced yesterday, bars Tower from misrepresenting the extent to which it maintains and protects the privacy, confidentiality, or security of personal information collected from or about consumers.
It also requires that Tower establish and maintain a comprehensive information security program. In addition, the company must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within six months, and every other year thereafter for a period of ten years. The settlement also contains record-keeping provisions to allow the FTC to monitor compliance.
The settlement, known as a consent agreement, does not amount to an admission of liability by Tower Records, but if breached it may result in a fine of up to $11,000 for each violation.
In a statement, Tower emphasised that the incident had not resulted in the disclosure of any personal financial information and had been immediately corrected.
"We take the privacy and security of personal information collected from our customers very seriously, and have cooperated fully and worked closely with the FTC to ensure that we protect our customers to the best of our ability," said Bill Baumann, chief information officer of Tower.