Your Guide To Good-Enough Compliance
Noncompliance is a fact of life as the list of security and privacy regulations grows. The key is knowing how to comply just enough so that you don't waste your time or bankrupt your company.
In 2005 the FTC handed down a judgment against BJ’s Wholesale Club. BJ’s was found to have “engaged in a number of practices which, taken together, did not provide reasonable security for sensitive customer information.” The FTC ruled that BJ’s had failed to encrypt personal data transmitted over the Internet; had stored personal data after it no longer needed the information; had used commonly known default passwords for access to files containing personal information; and had not used commercially available technology to secure wireless connections, detect intrusions or conduct security audits.
“We know security can’t be perfect, so we don’t expect perfection,” says Jessica Rich, assistant director of the Division for Privacy and Identity Protection at the FTC. “But companies need to try, and if you do that, you will be much better off.”
But for some, “trying” requires a lot more than receiving an “A” for effort. You’d better know what you are doing, says Joe Fantuzzi, CEO of the information security company Workshare. He says the FTC’s ruling against BJ’s was intended to send the message that if you claim to protect your customers’ personal data in your privacy statement (as BJ’s did), your security had better be up to the task.
“The point is that companies make risk management versus compliance management trade-offs all the time,” Fantuzzi says. “Just make sure you do your homework so you know you made the right trade-off.”
Allan Holmes is a Washington, D.C.-based freelancer and security expert.