We are seeing more and more private litigation and regulatory enforcement actions around the issue of what constitutes "reasonable security." This week we see another. Once again the FTC asserts that a company has failed to take "reasonable and appropriate security measures" to protect personal information. Yesterday, in its 27th case challenging inadequate data security practices by organizations that handle sensitive consumer information, the FTC announced settlement of its complaint against Dave & Buster's, the restaurant chain. The FTC alleged in its complaint that, from April 30, 2007 to August 28, 2007, a hacker exploited vulnerabilities in Dave & Buster's systems to install unauthorized software and access approximately 130,000 credit and debit cards.