
Federal Register / Vol. 73, No. 65 / Thursday, April 3, 2008 / Notices 18281

test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

• Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from the respondent, and require service providers by contract to implement and maintain appropriate safeguards.

• Evaluate and adjust its information security programs in light of the results of testing and monitoring, any material changes to operations or business arrangements, or any other circumstances that it knows or has reason to know may have material impact on its information security program.

Part II of the proposed order requires each respondent to obtain within 180 days, and on a biennial basis thereafter for a period of twenty (20) years, an assessment and report from a qualified, objective, independent third-party professional, certifying, among other things, that: (1) it has in place a security program that provides protections that meet or exceed the protections required by Part I of the proposed order; and (2) its security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of consumers’ personal information has been protected.

Parts III through VII of the proposed order are reporting and compliance provisions. Part III requires respondents to retain documents relating to their compliance with the order. For most records, the order requires that the documents be retained for a five-year period. For the third-party assessments and supporting documents, respondents must retain the documents for a period of three years after the date that each assessment is prepared. Part IV requires dissemination of the order now and in the future to persons with responsibilities relating to the subject matter of the order. Part V ensures notification to the FTC of changes in corporate status. Part VI mandates that each respondent submit a compliance report to the FTC within 180 days, and periodically thereafter as requested. Part VII is a provision “sunsetting” the order after twenty (20) years, with certain exceptions.

This is the Commission’s nineteenth case to challenge the failure by a company to implement reasonable information security practices. Each of the Commission’s cases to date has alleged that a number of security practices, taken together, failed to provide reasonable and appropriate security to prevent unauthorized access to consumers’ information. The practices challenged in the cases have included, but are not limited to: (1) creating unnecessary risks to sensitive information by storing it on computer networks without a business need to do so; (2) storing sensitive information on networks in a vulnerable format; (3) failing to use readily available security measures to limit access to a computer network through wireless access points on the network; (4) failing to adequately assess the vulnerability of a web application and computer network to commonly known or reasonably foreseeable attacks; (5) failing to implement simple, low-cost, and readily available defenses to such attacks; and (6) failing to use readily available security measures to limit access between computers on a network and between such computers and the Internet. This proposed action against REI and Seisint is the first to challenge alleged security failures involving the security of passwords. Passwords are a critical part of a reasonable and appropriate security program because passwords are typically the first (and are often the only) method used to authenticate (or authorize) users to access resources, such as programs and databases, available on a computer network or online.

The purpose of this analysis is to facilitate public comment on the proposed order. It is not intended to constitute an official interpretation of the proposed order or to modify its terms in any way.

By direction of the Commission.

Donald S. Clark
Secretary

[FR Doc. E8–6952 Filed 4–2–08: 8:45 am]
[BILLING CODE 6750–01–S]

FEDERAL TRADE COMMISSION

[File No. 072 3055]

The TJX Companies, Inc.; Analysis of Proposed Consent Order to Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

SUMMARY: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices or unfair methods of competition. The attached Analysis to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

DATES: Comments must be received on or before April 28, 2008.

ADDRESSES: Interested parties are invited to submit written comments. Comments should refer to “TJX, File No. 072 3055,” to facilitate the organization of comments. A comment filed in paper form should include this reference both in the text and on the envelope, and should be mailed or delivered to the following address: Federal Trade Commission/Office of the Secretary, Room 135–H, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. Comments containing confidential material must be filed in paper form, must be clearly labeled “Confidential,” and must comply with Commission Rule 4.9(c). 16 CFR 4.9(c) (2005).¹ The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions. Comments that do not contain any nonpublic information may instead be filed in electronic form by following the instructions on the web-based form at http://secure.commentworks.com/ftc-TJX. To ensure that the Commission considers an electronic comment, you must file it on that web-based form.

The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC website, to the extent practicable, at www.ftc.gov. As a matter of discretion, the FTC makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC website. More information, including routine uses permitted by the Privacy Act, may be found in the FTC’s privacy policy, at http://www.ftc.gov/ftc/privacy.shtm.

FOR FURTHER INFORMATION CONTACT: Alain Sheer or Molly Crawford, FTC Bureau of Consumer Protection, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580, (202) 326–2252.

¹ The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission’s General Counsel, consistent with applicable law and the public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).


SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and § 2.34 of the Commission Rules of Practice, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for March 27, 2008), on the World Wide Web, at http://www.ftc.gov/os/2008/03/index.htm. A paper copy can be obtained from the FTC Public Reference Room, Room 130–H, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580, either in person or by calling (202) 326–2222.

Public comments are invited, and may be filed with the Commission in either paper or electronic form. All comments should be filed as prescribed in the ADDRESSES section above, and must be received on or before the date specified in the DATES section.

Analysis of Agreement Containing Consent Order to Aid Public Comment

The Federal Trade Commission has accepted, subject to final approval, a consent agreement from The TJX Companies, Inc. (“TJX”).

The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement’s proposed order.

According to the Commission’s complaint, TJX is an off-price retailer selling apparel and home fashions in over 2,500 stores worldwide. Consumers may pay for purchases at these stores with credit and debit cards (collectively, “payment cards”), cash, or personal checks. In selling its products, TJX routinely uses its computer networks to collect personal information from consumers to obtain authorization for payment card purchases, verify personal checks, and process merchandise returned without receipts (“unreceipted returns”). Among other things, it collects: (1) account number, expiration date, and an electronic security code for payment card authorization; (2) bank routing, account, and check numbers and, in some instances, driver’s license number and date of birth for personal check verification; and (3) name, address, and drivers’ license or military or state identification number (“personal ID numbers”) for unreceipted returns (collectively, “personal information”). This information is particularly sensitive because it can be used to facilitate payment card fraud and other consumer harm.

The Commission’s proposed complaint alleges that since at least July 2005, TJX engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks. Among other things, TJX: (a) created an unnecessary risk to personal information by storing it on, and transmitting it between and within, in-store and corporate networks in clear text; (b) did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to in-store networks without authorization; (c) did not require network administrators and other users to use strong passwords or to use different passwords to access different programs, computers, and networks; (d) failed to use readily available security measures to limit access among computers and the internet, such as by using a firewall to isolate card authorization computers; and (e) failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by patching or updating anti-virus software or following up on security warnings and intrusion alerts.

The complaint alleges that the breach compromised tens of millions of payment cards as well as the personal information of approximately 455,000 consumers who had made unreceipted returns. The complaint further alleges that issuing banks have claimed tens of millions of dollars in fraudulent charges on some of these payment card accounts. Issuing banks also have cancelled and re-issued millions of payment cards, and according to the complaint, consumers holding these cards were unable to use them to access their credit and bank accounts until they received the replacement cards. Additionally, the complaint alleges that some consumers have obtained or will have to obtain new personal ID numbers, such as new drivers’ licenses.

The proposed order applies to personal information TJX collects from or about consumers. It contains provisions designed to prevent TJX from engaging in the future in practices similar to those alleged in the complaint.

Part I of the proposed order requires TJX to establish and maintain a comprehensive information security program in writing that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. The security program must contain administrative, technical, and physical safeguards appropriate to TJX’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers. Specifically, the order requires TJX to:

• Designate an employee or employees to coordinate and be accountable for the information security program.

• Identify material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.

• Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

• Develop and use reasonable steps to retain service providers capable of appropriately safeguarding personal information they receive from respondents, require service providers by contract to implement and maintain appropriate safeguards, and monitor their safeguarding of personal information.

• Evaluate and adjust its information security program in light of the results of the testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on the effectiveness of their information security program.

Part II of the proposed order requires that TJX obtain, covering the first 180 days after the order is served, and on a biennial basis thereafter for twenty (20) years, an assessment and report from a qualified, objective, independent third-party professional, certifying, among other things, that (1) it has in place a security program that provides protections that meet or exceed the protections required by Part I of the proposed order; and (2) its security program is operating with sufficient


effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of consumers’ personal information is protected.

Parts III through VII of the proposed order are reporting and compliance provisions. Part III requires TJX to retain documents relating to its compliance with the order. For most records, the order requires that the documents be retained for a five-year period. For the third-party assessments and supporting documents, TJX must retain the documents for a period of three years after the date that each assessment is prepared. Part IV requires dissemination of the order now and in the future to principals, officers, directors, and managers having responsibilities relating to the subject matter of the order. Part V ensures notification to the FTC of changes in corporate status. Part VI mandates that TJX submit an initial compliance report to the FTC, and make available to the FTC subsequent reports. Part VII is a provision “sunsetting” the order after twenty (20) years, with certain exceptions.

This is the Commission’s twentieth case to challenge the failure by a company to implement reasonable information security practices. Each of the Commission’s cases to date has alleged that a number of security practices, taken together, failed to provide reasonable and appropriate security to prevent unauthorized access to consumers’ information. The practices challenged in the cases have included, but are not limited to: (1) creating unnecessary risks to sensitive information by storing it on computer networks without a business need to do so; (2) storing sensitive information on networks in a vulnerable format; (3) failing to use readily available security measures to limit access to a computer network through wireless access points on the network; (4) failing to adequately assess the vulnerability of a web application and computer network to commonly known or reasonably foreseeable attacks; (5) failing to implement simple, low-cost, and readily available defenses to such attacks; (6) failing to use readily available security measures to limit access between computers on a network and between such computers and the internet, and (7) failing to use strong passwords to authenticate (or authorize) users to access programs and databases on computer networks or online.

The purpose of the analysis is to aid public comment on the proposed order. It is not intended to constitute an official interpretation of the proposed order or to modify its terms in any way.

By direction of the Commission.

Donald S. Clark
Secretary

[FR Doc. E8–6950 Filed 4–2–08: 8:45 am]
[BILLING CODE 6750–01–S]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Agency for Healthcare Research and Quality

Agency Information Collection Activities: Proposed Collection; Comment Request

AGENCY: Agency for Healthcare Research and Quality, HHS.

ACTION: Notice.

SUMMARY: This notice announces the intention of the Agency for Healthcare Research and Quality (AHRQ) to request that the Office of Management and Budget (OMB) approve the proposed information collection project: “Assessment of the Emergency Severity Index (ESI).” In accordance with the Paperwork Reduction Act of 1995, Public Law 104–13 (44 U.S.C. 3506(c)(2)(A)), AHRQ invites the public to comment on this proposed information collection.

This proposed information collection was previously published in the Federal Register on January 22nd, 2008 and allowed 60 days for public comment. No comments were received. The purpose of this notice is to allow an additional 30 days for public comment.

DATES: Comments on this notice must be received by May 5, 2008.

ADDRESSES: Written comments should be submitted to: AHRQ’s OMB Desk Officer by fax at (202) 395–6974 (attention: AHRQ’s desk officer) or by e-mail at OIRA_submission@omb.eop.gov (attention: AHRQ’s desk officer). Copies of the proposed collection plans, data collection instruments, and specific details on the estimated burden can be obtained from the AHRQ Reports Clearance Officer.

FOR FURTHER INFORMATION CONTACT: Doris Lefkowitz, AHRQ Reports Clearance Officer, (301) 427–1477, or by e-mail at doris.lefkowitz@ahrq.hhs.gov.

SUPPLEMENTARY INFORMATION:

“Proposed Project—Assessment of the Emergency Severity Index (ESI)”

AHRQ is proposing to examine uptake and use of an emergency room triage tool, the Emergency Severity Index (ESI). The hospital emergency department (ED) represents a critical point in care delivery for patients across the United States. Over the past decade, however, the dramatic influx of patients into EDs has seriously challenged the ability of these departments to deliver timely, quality, and safe emergency healthcare services. Moreover, with most emergency departments operating at or over capacity it may prove difficult for them to respond to the surge in emergency room demand created by natural and man-made disasters. Development of increasingly refined and validated triage methods is one potential key to addressing overcrowding by speeding up the care delivery to the most acute ED patients while helping hospitals assess, carefully allocate and plan the amount of human and other resources needed to care for all patients.

In response to a need to standardize the triage process and improve the flow of patients, Richard C. Wuerz, MD, (Department of Emergency Medicine at the Brigham and Women’s Hospital and the Harvard Medical School) and David R. Eitel, MD, (Department of Emergency Medicine, The York Hospital WellSpan Health System) initiated development of the Emergency Severity Index (ESI) in 1995. The ESI is unique in its focus on appropriate resource allocation and its consideration of necessary resource utilization in assigning acuity. To encourage adoption of the ESI, AHRQ developed an implementation handbook (Emergency Severity Index, Version 4) and companion DVDs. These materials are intended to provide hospitals and triage nurses with background on why they might want to implement the ESI as a triage tool, and offers recommendations on the implementation process and staff training.

This project will assess the product’s acceptance by emergency departments and others involved in addressing medical surges to better understand the usefulness of the ESI compared to other similar tools. It will focus on the satisfaction with the product’s presentation, content, and clarity; extent to which the product has improved emergency services and surge preparation; and the improvements users would like to see in the next version of this product. This will be accomplished through (1) developing and implementing an electronic and paper-based survey targeting emergency department professionals assessing the satisfaction with the ESI’s content, clarity and actual use of the system in everyday emergency departments, and (2) convening focus groups of ED professionals to identify characteristics that might predict uptake and use of this
