UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION
In the Matter of
GUESS?, INC., a corporation, and
GUESS.COM, INC., a corporation.
FILE NO. 022 3260
AGREEMENT CONTAINING CONSENT ORDER
The Federal Trade Commission has conducted an investigation of certain acts and
practices of Guess?, Inc. and Guess.com, inc. ("proposed respondents"). Proposed
respondents, having been represented by counsel, are willing to enter into an
agreement containing a consent order resolving the allegations contained in the
attached draft complaint. Therefore,
IT IS HEREBY AGREED by and between Guess?, Inc. and Guess.com, inc., by their duly
authorized officers, and counsel for the Federal Trade Commission that:
1. Proposed respondent Guess?, Inc. is a Delaware corporation
with its principal office or place of business at 1444 S. Alameda Street, Los
Angeles, California 90021.
2. Proposed respondent Guess.com, inc. is a Delaware
corporation with its principal office or place of business at 1444 S. Alameda
Street, Los Angeles, California 90021. Guess.com, inc. is a wholly-owned subsidiary
of Guess?, Inc.
3. Proposed respondents admit all the jurisdictional facts set forth in
the draft complaint.
4. Proposed respondents waive:
A. any further procedural steps;
B. the requirement that the Commission's decision contain a statement of
findings of fact and conclusions of law; and
C. all rights to seek judicial review or otherwise to challenge or contest the
validity of the order entered pursuant to this agreement.
5. This agreement shall not become part of the public record of the proceeding unless
and until it is accepted by the Commission. If this agreement is accepted by the
Commission, it, together with the draft complaint, will be placed on the public
record for a period of sixty (60) days and information about it publicly released.
The Commission thereafter may either withdraw its acceptance of this agreement
and so notify proposed respondents, in which event it will take such action as it
may consider appropriate, or issue and serve its complaint (in such form as the
circumstances may require) and decision in disposition of the proceeding.
6. This agreement is for settlement purposes only and does not constitute an
admission by proposed respondents that the law has been violated as alleged in the
draft complaint, or that the facts as alleged in the draft complaint, other than the
jurisdictional facts, are true.
7. This agreement contemplates that, if it is accepted by the Commission, and if such
acceptance is not subsequently withdrawn by the Commission pursuant to the
provisions of Section 2.34 of the Commission's Rules, the Commission may,
without further notice to proposed respondents, (1) issue its complaint
corresponding in form and substance with the attached draft complaint and its
decision containing the following order in disposition of the proceeding, and (2)
make information about it public. When so entered, the order shall have the same
force and effect and may be altered, modified, or set aside in the same manner and
within the same time provided by statute for other orders. The order shall become
final upon service. Delivery of the complaint and the decision and order to
proposed respondents' addresses as stated in this agreement by any means
specified in Section 4.4(a) of the Commission's Rules shall constitute service.
Proposed respondents waive any right they may have to any other manner of
service. The complaint may be used in construing the terms of the order. No
agreement, understanding, representation, or interpretation not contained in the
order or in the agreement may be used to vary or contradict the terms of the order.
8. Proposed respondents have read the draft complaint and consent order. They
understand that they may be liable for civil penalties in the amount provided by law
and other appropriate relief for each violation of the order after it becomes final.
For purposes of this order, the following definitions shall apply:
1. "Personal information" shall mean individually identifiable information from or
about an individual consumer including, but not limited to: (a) a first and last name;
(b) a home or other physical address, including street name and name of city or
town; (c) an email address or other online contact information, such as an instant
messaging user identifier or a screen name that reveals an individual's email
address; (d) a telephone number; (e) a social security number; (f) credit and/or
debit card information, including credit and/or debit card number and expiration
date; (g) a persistent identifier, such as a customer number held in a "cookie" or
processor serial number, that is combined with other available data that
identifies an individual consumer; or (h) any other information from or about
an individual consumer that is combined with (a) through (g) above.
2. Unless otherwise specified, "Respondents" shall
mean Guess?, Inc. and its successors and assigns, officers, agents, representatives,
Guess.com, inc. and its successors and assigns, officers, agents, representatives,
and employees, and both of them and their successors and assigns, officers,
agents, representatives, and employees.
3. "Commerce" shall mean as defined in Section 4 of the Federal Trade Commission
Act, 15 U.S.C. § 44.
IT IS ORDERED that Respondents, directly or through any corporation, subsidiary,
division, or other device, in connection with the online advertising, marketing, promotion, offering
for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any
manner, expressly or by implication, the extent to which Respondents maintain and protect the
security, confidentiality, or integrity of any personal information collected from or about
IT IS FURTHER ORDERED that Respondents, directly or through any corporation,
subsidiary, division, or other device, in connection with the online advertising, marketing,
promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall
establish and maintain a comprehensive information security program in writing that is reasonably
designed to protect the security, confidentiality, and integrity of personal information collected
from or about consumers. Such program shall contain administrative, technical, and physical
safeguards appropriate to Respondents' size and complexity, the nature and scope of
Respondents' activities, and the sensitivity of the personal information collected from or about
A. the designation of an employee or employees to coordinate and be
accountable for the information security program.
B. the identification of material internal and external risks to the security,
confidentiality, and integrity of personal information that could result in the
unauthorized disclosure, misuse, loss, alteration, destruction, or other
compromise of such information, and assessment of the sufficiency of any
safeguards in place to control these risks. At a minimum, this risk
assessment should include consideration of risks in each area of relevant
operation, including, but not limited to: (1) employee training and
management; (2) information systems, including network and software
design, information processing, storage, transmission, and disposal; and (3)
prevention, detection, and response to attacks, intrusions, or other systems
C. the design and implementation of reasonable safeguards to control the risks
identified through risk assessment, and regular testing or monitoring of the
effectiveness of the safeguards' key controls, systems, and procedures.
D. the evaluation and adjustment of Respondents' information security
program in light of the results of the testing and monitoring required by
subparagraph C, any material changes to Respondents' operations or
business arrangements, or any other circumstances that Respondents know
or have reason to know may have a material impact on the effectiveness of
their information security program.
IT IS FURTHER ORDERED that Respondents obtain an assessment and report from a
qualified, objective, independent third-party professional, using procedures and standards generally
accepted in the profession, within one (1) year after service of the order, and biannually
A. sets forth the specific administrative, technical, and physical safeguards
that Respondents have implemented and maintained during the reporting
B. explains how such safeguards are appropriate to Respondents' size and
complexity, the nature and scope of Respondents' activities, and the
sensitivity of the personal information collected from or about consumers;
C. explains how the safeguards that have been implemented meet or exceed
the protections required by Paragraph II of this order; and
D. certifies that Respondents' security program is operating with sufficient
effectiveness to provide reasonable assurance that the security,
confidentiality, and integrity of personal information is protected and, for
biannual reports, has so operated throughout the reporting period.
Each assessment and report required by this Paragraph shall be prepared by a person qualified as a
Certified Information System Security Professional (CISSP) or holding Global Information
Assurance Certification from the SysAdmin, Audit, Network, Security Institute; or by a similarly
qualified person or organization approved by the Associate Director for Enforcement, Bureau of
Consumer Protection, Federal Trade Commission. Respondents shall provide the first assessment
and report to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal
Trade Commission, Washington, D.C. 20580, within ten (10) days after it is prepared. All
subsequent biannual reports shall be retained in accordance with Paragraph IV. B. of this order
and provided to the Associate Director of Enforcement upon request.
IT IS FURTHER ORDERED that Respondents shall maintain, and upon request make
available to the Federal Trade Commission for inspection and copying, a print or electronic copy
of each document relating to compliance, including but not limited to:
A. for a period of five (5) years:
1. a sample copy of each different print, broadcast, cable, or Internet
advertisement, promotion, information collection form, Web page, screen,
email message, or other document containing any representation regarding
Respondents' online collection, use, and security of personal information
from or about consumers. Each Web page copy shall be dated and contain
the full URL of the Web page where the material was posted online.
Electronic copies shall include all text and graphics files, audio scripts, and
other computer files used in presenting the information on the Web.
Provided, however, that after creation of any Web page or screen in
compliance with this order, Respondents shall not be required to retain a
print or electronic copy of any amended Web page or screen to the extent
that the amendment does not affect Respondents' compliance obligations
under this order, and
2. any documents, whether prepared by or on behalf of Respondents, that
contradict, qualify, or call into question Respondents' compliance with this
B. for a period of three (3) years after the date of preparation of each previous
assessment and report required under Paragraph III of this order, and for the initial
assessment and report, from the date the order is entered until two years following
preparation of the assessment and report: all reports, studies, reviews, audits, audit
trails, security assessments, risk assessments, policies, training materials, logs
(from devices that detect or prevent attacks such as firewalls and intrusion
detection systems), and plans (including the assessments and reports required
under Paragraph III), whether prepared by or on behalf of Respondents, relating to
Respondents' compliance with Paragraphs II and III of this order.
IT IS FURTHER ORDERED that Respondents shall deliver a copy of this order to all
current and future principals, officers, directors, and managers, and to all current and future
employees, agents, and representatives having managerial responsibilities relating to the subject
matter of this order. Respondents shall deliver this order to such current personnel within thirty
(30) days after service of this order, and to such future personnel within thirty (30) days after the
person assumes such position or responsibilities.
IT IS FURTHER ORDERED that Respondents shall notify the Commission at least thirty
(30) days prior to any change in either corporation that may affect compliance obligations arising
under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other
action that would result in the emergence of a successor corporation; the creation or dissolution
of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the
proposed filing of a bankruptcy petition; or a change in either corporate name or address.
Provided, however, that, with respect to any proposed change in either corporation about which
either Respondent learns less than thirty (30) days prior to the date such action is to take place,
Respondents shall notify the Commission as soon as is practicable after obtaining such
knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate
Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission,
Washington, D.C. 20580.
IT IS FURTHER ORDERED that Respondents shall, within one hundred and twenty (120)
days after service of this order, and at such other times as the Commission may require, file with
the Commission an initial report, in writing, setting forth in detail the manner and form in which
they have complied with this order.
This order will terminate twenty (20) years from the date of its issuance, or twenty (20)
years from the most recent date that the United States or the Federal Trade Commission files a
complaint (with or without an accompanying consent decree) in federal court alleging any
violation of the order, whichever comes later; provided, however, that the filing of such a
complaint will not affect the duration of:
A. any Paragraph in this order that terminates in less than twenty (20) years;
B. this order's application to any respondent that is not named as a defendant
in such complaint; and
C. this order if such complaint is filed after the order has terminated pursuant
to this Paragraph.
Provided, further, that if such complaint is dismissed or a federal court rules that the Respondents
did not violate any provision of the order, and the dismissal or ruling is either not appealed or
upheld on appeal, then the order will terminate according to this Paragraph as though the
complaint had never been filed, except that the order will not terminate between the date such
complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date
such dismissal or ruling is upheld on appeal.
Signed this __ day of __________________, 2003
O'Melveny & Myers LLP
Counsel for Respondents
Counsel for the Federal