I would have thought information security would be incidental and only one of the hundreds of aspects of business that they might look at when safeguarding consumers transacting with businesses of all kinds -- many of which (say plumbing or construction or bakeries) may hardly have infosec at the forefront. There are far more prevalent poor business practices, of the routine type - say deficient services or false advertisements, that I believe go to BBB's attention.
I never came across BBB being quoted/cited in infosec and IT contexts -- it may be just my ignorance -- happy to be educated.
