[BreachExchange] FTC Settles GLBA Enforcement Action Against TaxSlayer Stemming From 2015 Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 5 20:12:12 EDT 2017


http://www.jdsupra.com/legalnews/ftc-settles-glba-enforcement-action-83668/

The Federal Trade Commission (FTC) this week announced a consent order with
TaxSlayer, LLC, an online tax preparation services provider, to settle
claims that the company violated the Gramm-Leach-Bliley Act (GLBA)
Safeguards Rule and Privacy Rule.

As part of the online tax preparation process, TaxSlayer customers are
asked to provide a significant amount of sensitive personal information,
including Social Security number, telephone number, address, income,
marital status, family size, bank names, and bank accounts.

Between October and December 2015, hackers were able to access account
information for approximately 8,800 TaxSlayer customers, resulting in an
unknown number of false tax returns being filed.

The FTC alleged that TaxSlayer violated the GLBA Safeguards Rule by failing
to: develop a written comprehensive security program (until November 2015);
conduct a risk assessment to identify reasonably foreseeable internal and
external risks to security; and implement information security safeguards
that would help prevent a cyber attack. The FTC further claimed that
TaxSlayer failed to implement adequate risk-based authentication measures,
such as requiring consumers to choose strong passwords.

The FTC also alleged that TaxSlayer violated the GLBA Privacy Rule by
failing to provide its customers with a clear and conspicuous initial
privacy notice and deliver the notice in a way that ensured the consumers
received it.

In conjunction with announcing the TaxSlayer consent order, the FTC
released a blog post containing “4 Gramm-Leach-Bliley tips to take from
FTC’s TaxSlayer case.” In the post, the FTC advised companies to:

Assess whether a company is a “financial institution” subject to the GLBA;

Deliver GLBA privacy notices in a manner in which consumers can reasonably be
expected to actually receive them (the FTC considers a link to a privacy
policy on a company home page to be insufficient);

Use appropriate authentication procedures, which may include multi-factor
authentication; and

Satisfy ongoing obligations under the GLBA Safeguards Rule by continuing to
evaluate and adjust information security programs in light of changes to
business operations, the results of monitoring or testing, or any other
relevant factors.