FTC Agreement Containing Consent Order In The CVS Caremark Settlement

Written by StorefrontBacktalk Full Text Service
February 18th, 2009

FILE NO. 072-3119

UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION

COMMISSIONERS: William E. Kovacic, Chairman
               Pamela Jones Harbour
               Jon Leibowitz
               J. Thomas Rosch

In the Matter of
CVS CAREMARK CORPORATION, a corporation.

AGREEMENT CONTAINING CONSENT ORDER
The Federal Trade Commission (“Commission”) has conducted an investigation of
certain acts and practices of CVS Caremark Corporation (“proposed respondent”). Proposed
respondent, having been represented by counsel, is willing to enter into an agreement containing
a consent order resolving the allegations contained in the attached draft complaint. Therefore,
IT IS HEREBY AGREED by and between CVS Caremark Corporation, by its duly
authorized officers, and counsel for the Federal Trade Commission that:
1. Proposed respondent CVS Caremark Corporation is a Delaware corporation with its
principal office or place of business at One CVS Drive, Woonsocket, Rhode Island,
02895.
2. Proposed respondent admits all the jurisdictional facts set forth in the draft complaint.
3. Proposed respondent waives:
(a) Any further procedural steps;
(b) The requirement that the Commission’s decision contain a statement of findings
of fact and conclusions of law; and
(c) All rights to seek judicial review or otherwise to challenge or contest the validity
of the order entered pursuant to this agreement.
4. This agreement shall not become part of the public record of the proceeding unless and
until it is accepted by the Commission. If this agreement is accepted by the Commission,
it, together with the draft complaint, will be placed on the public record for a period of
thirty (30) days and information about it publicly released. The Commission thereafter
may either withdraw its acceptance of this agreement and so notify proposed respondent,
in which event it will take such action as it may consider appropriate, or issue and serve
its complaint (in such form as the circumstances may require) and decision in disposition
of the proceeding.
5. This agreement is for settlement purposes only and does not constitute an admission by
proposed respondent that the law has been violated as alleged in the draft complaint, or
that the facts as alleged in the draft complaint, other than the jurisdictional facts, are true.
Proposed respondent expressly denies the allegations set forth in the draft complaint,
except for the jurisdictional facts, and expressly denies that the law has been violated.
6. This agreement contemplates that, if it is accepted by the Commission, and if such
acceptance is not subsequently withdrawn by the Commission pursuant to the provisions
of Section 2.34 of the Commission’s Rules, the Commission may, without further notice
to proposed respondent: (1) issue its complaint corresponding in form and substance with
the attached draft complaint and its decision containing the following order in disposition
of the proceeding, and (2) make information about it public. When so entered, the order
shall have the same force and effect and may be altered, modified, or set aside in the
same manner and within the same time provided by statute for other orders. The order
shall become final upon service. Delivery of the complaint and the decision and order to
proposed respondent’s address as stated in this agreement by any means specified in
Section 4.4(a) of the Commission’s Rules shall constitute service. Proposed respondent
waives any right it may have to any other manner of service. The complaint may be used
in construing the terms of the order. No agreement, understanding, representation, or
interpretation not contained in the order or the agreement may be used to vary or
contradict the terms of the order.
7. Proposed respondent has read the draft complaint and consent order. It understands that
it may be liable for civil penalties in the amount provided by law and other appropriate
relief for each violation of the order after it becomes final.
ORDER
DEFINITIONS
For purposes of this order, the following definitions shall apply:
1. Unless otherwise specified, “store” shall mean each pharmacy entity or store location that
sells prescription medicines, drugs, devices, supplies, or services and/or non-prescription
products and services.
2. Unless otherwise specified, “LLC” shall mean a limited liability company: (a) that owns,
controls, or operates one or more stores (including, but not limited to, the companies
identified in attached Exhibit A), and (b) in which CVS Caremark Corporation is a
member, directly or indirectly.
3. Unless otherwise specified, “respondent” shall mean CVS Caremark Corporation, its
subsidiaries, divisions, affiliates, and LLCs, and its successors and assigns.
4. “Personal information” shall mean individually identifiable information from or about an
individual consumer including, but not limited to: (a) a first and last name; (b) a home or
other physical address, including street name and name of city or town; (c) an email
address or other online contact information, such as an instant messaging user identifier
or a screen name; (d) a telephone number; (e) a Social Security number; (f) a driver’s
license number or other government-issued identification number; (g) prescription
information, such as medication and dosage, and prescribing physician name, address,
and telephone number, health insurer name, insurance account number, or insurance
policy number; (h) a bank account, debit card, or credit card account number; (i) a
persistent identifier, such as a customer number held in a “cookie” or processor serial
number, that is combined with other available data that identifies an individual consumer;
(j) a biometric record; or (k) any information that is combined with any of (a) through (j)
above. For the purpose of this provision, a “consumer” shall include an “employee,” and
an individual seeking to become an employee, where “employee” shall mean an agent,
servant, salesperson, associate, independent contractor, and other person directly or
indirectly under the control of respondent.
5. “Commerce” shall mean as defined in Section 4 of the Federal Trade Commission Act,
15 U.S.C. § 44.
I.
IT IS ORDERED that respondent, and its officers, agents, representatives, and
employees, directly or through any corporation, subsidiary, limited liability company, division,
or other device, in connection with the advertising, marketing, promotion, offering for sale, or
sale of any product or service, in or affecting commerce, shall not misrepresent in any manner,
expressly or by implication, the extent to which it maintains and protects the privacy,
confidentiality, security, or integrity of personal information collected from or about consumers.
II.
IT IS FURTHER ORDERED that respondent, and its officers, agents, representatives,
and employees, directly or through any corporation, subsidiary, limited liability company,
division, or other device, in connection with the advertising, marketing, promotion, offering for
sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of
service of this order, establish and implement, and thereafter maintain, a comprehensive
information security program that is reasonably designed to protect the security, confidentiality,
and integrity of personal information collected from or about consumers. Such program, the
content and implementation of which must be fully documented in writing, shall contain
administrative, technical, and physical safeguards appropriate to respondent’s size and
complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal
information collected from or about consumers, including:
A. the designation of an employee or employees to coordinate and be accountable for
the information security program.
B. the identification of material internal and external risks to the security,
confidentiality, and integrity of personal information that could result in the unauthorized
disclosure, misuse, loss, alteration, destruction, or other compromise of such information,
and assessment of the sufficiency of any safeguards in place to control these risks. At a
minimum, this risk assessment should include consideration of risks in each area of
relevant operation, including, but not limited to: (1) employee training and management;
(2) information systems, including network and software design, information processing,
storage, transmission, and disposal; and (3) prevention, detection, and response to attacks,
intrusions, or other systems failures.
C. the design and implementation of reasonable safeguards to control the risks
identified through risk assessment, and regular testing or monitoring of the
effectiveness of the safeguards’ key controls, systems, and procedures.
D. the development and use of reasonable steps to select and retain service providers
capable of appropriately safeguarding personal information they receive from respondent,
and requiring service providers by contract to implement and maintain appropriate
safeguards.
E. the evaluation and adjustment of respondent’s information security
program in light of the results of the testing and monitoring required by subpart C,
any material changes to respondent’s operations or business arrangements, or any
other circumstances that respondent knows or has reason to know may have a
material impact on the effectiveness of its information security program.
III.
IT IS FURTHER ORDERED that, in connection with their compliance with Part II of
this order, respondent, and its officers, agents, representatives, and employees, shall obtain initial
and biennial assessments and reports (“Assessments”) from a qualified, objective, independent
third-party professional, who uses procedures and standards generally accepted in the profession.
The reporting period for the Assessments shall cover: (1) the first year after service of the order
for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after
service of the order for the biennial Assessments. Each Assessment shall:
A. set forth the specific administrative, technical, and physical safeguards that
respondent has implemented and maintained during the reporting period;
B. explain how such safeguards are appropriate to respondent’s size and
complexity, the nature and scope of respondent’s activities, and the sensitivity of the
personal information collected from or about consumers;
C. explain how the safeguards that have been implemented meet or exceed the
protections required by Part II of this order; and
D. certify that respondent’s security program is operating with sufficient effectiveness
to provide reasonable assurance that the security, confidentiality, and integrity of personal
information is protected and has so operated throughout the reporting period.
Each Assessment shall be prepared and completed within sixty (60) days after the end of the
reporting period to which the Assessment applies by a person qualified as a Certified Information
System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a
person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit,
Network, Security (SANS) Institute; or a qualified person or organization approved by the
Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission,
Washington, D.C. 20580.
Respondent shall provide the initial Assessment to the Associate Director for Enforcement,
Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten
(10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be
retained by respondent until the order is terminated and provided to the Associate Director for
Enforcement within ten (10) days of request.
IV.
IT IS FURTHER ORDERED that respondent shall maintain and, upon request, make
available to the Federal Trade Commission for inspection and copying:
A. for a period of five (5) years, a print or electronic copy of each document relating
to compliance, including, but not limited to, documents, prepared by or on behalf of
respondent, that contradict, qualify, or call into question respondent’s compliance with
this order; and
B. for a period of three (3) years after the date of preparation of each Assessment
required under Part III of this order, all materials relied upon to prepare the Assessment,
whether prepared by or on behalf of respondent, including, but not limited to, all plans,
reports, studies, reviews, audits, audit trails, policies, training materials, and assessments,
and any other materials relating to respondent’s compliance with Parts II and III of this
order, for the compliance period covered by such Assessment.
V.
IT IS FURTHER ORDERED that respondent CVS Caremark Corporation shall deliver a
copy of this order to all its current and future subsidiaries (including LLCs and each store that is
owned, controlled, or operated by respondent or an LLC), current and future principals, officers,
directors, and managers, and to all current and future employees, agents, and representatives
having responsibilities relating to the subject matter of this order. Respondent shall deliver this
order to such current subsidiaries and personnel within sixty (60) days after service of this order,
and to such future subsidiaries and personnel within sixty (60) days after the respondent acquires
the subsidiary or the person assumes such position or responsibilities.
VI.
IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty
(30) days prior to any change in respondent that may affect compliance obligations arising under
this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action
that would result in the emergence of a successor company; the creation or dissolution of a
subsidiary (including an LLC), parent, or affiliate that engages in any acts or practices subject to
this order; the proposed filing of a bankruptcy petition; or a change in respondent’s name or
address. Provided, however, that, with respect to any proposed change in respondent about which
respondent learns less than thirty (30) days prior to the date such action is to take place,
respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.
All notices required by this Part shall be sent by certified mail to the Associate Director, Division
of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C.
20580.
VII.
IT IS FURTHER ORDERED that respondent shall, within ninety (90) days after service
of this order, and at such other times as the Federal Trade Commission may require, file with the
Commission a report, in writing, setting forth in detail the manner and form in which it has
complied with this order.
VIII.
This order will terminate twenty (20) years from the date of its issuance, or twenty (20)
years from the most recent date that the United States or the Federal Trade Commission files a
complaint (with or without an accompanying consent decree) in federal court alleging any
violation of the order, whichever comes later; provided, however, that the filing of such a
complaint will not affect the duration of:
A. Any Part in this order that terminates in less than twenty (20) years;
B. This order’s application to any respondent that is not named as a defendant in such
complaint; and
C. This order if such complaint is filed after the order has terminated pursuant to this
Part.
Provided, further, that if such complaint is dismissed or a federal court rules that respondent did
not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld
on appeal, then the order will terminate according to this Part as though the complaint had never
been filed, except that the order will not terminate between the date such complaint is filed and
the later of the deadline for appealing such dismissal or ruling and the date such dismissal or
ruling is upheld on appeal.
CVS CAREMARK CORPORATION
Dated: _______ By:_________________________
DIANE NOBLES
Senior Vice President and Chief Compliance Officer
CVS Caremark Corporation
Dated: _______ By:_________________________
ANTHONY E. DIRESTA
Reed Smith L.L.P.
Counsel for respondent CVS Caremark Corporation
FEDERAL TRADE COMMISSION
Dated: _______ By:_________________________
LORETTA H. GARRISON
KRISTIN K. COHEN
ALAIN SHEER
Counsel for the Federal Trade Commission
APPROVED:
______________________________
JESSICA RICH
Assistant Director
Division of Privacy and Identity Protection
Bureau of Consumer Protection
_________________________________
JOEL WINSTON
Associate Director
Division of Privacy and Identity Protection
Bureau of Consumer Protection
_______________________________
EILEEN HARRINGTON
(Acting) Director
Bureau of Consumer Protection