BJ’s Wholesale Club, Inc. (“BJ’s”) was found to have violated the FTC Act by not providing adequate security for its customer data. This case represents the first time that the FTC has alleged a violation of Section 5 of the FTC Act solely for a business’s failure to maintain appropriate safeguards of sensitive personal information. By contrast, previous FTC data security cases have focused on a representation about security in a business’s privacy policy or other consumer communication, demonstrated that the representation was false, and alleged that the business had therefore engaged in deception in violation of Section 5. These deception allegations were noticeably absent in this case.