FTC Announces Another Data Hack Settlement
A Utah-based technology company has agreed to implement a comprehensive data security program to settle Federal Trade Commission allegations that it failed to implement reasonable security safeguards, a failure that allegedly allowed a hacker to access consumers' personal information.
According to the FTC, the corporate defendant provides back-end operations services to multi-level marketers, including compensation, inventory, orders, accounting, training and data security, and also operates its clients' website portals. The complaint against the company and its former CEO alleges that they failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information the company maintains on behalf of its clients.
This allegedly includes failing to: (i) inventory and delete personal information it no longer needed; (ii) conduct code review of its software and testing of its network; (iii) detect malicious file uploads; (iv) adequately segment its network; and (v) implement cybersecurity safeguards to detect unusual activity on its network.
The FTC also alleged that the company stored consumers' personal information (e.g., Social Security numbers, payment card information, bank account information, and usernames and passwords) in clear, readable text on its network.
“Service providers like [defendant] don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers,” said FTC attorney Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “As this case shows, it’s every company’s responsibility to protect customers’ personal information, especially sensitive data like Social Security numbers.”
As a result of the company's alleged security failures, a hacker purportedly infiltrated the company's server, along with websites the company maintained on behalf of clients, more than 20 times. The FTC alleges that the company learned of the intrusions only when it was alerted that its servers had reached maximum storage capacity, and that the alert was caused by a data archive file created by the hacker who had allegedly infiltrated its network. The FTC alleges that the security failures affected not only the company's own network but also the websites of its clients.
The FTC has stated that the personal information the intruder obtained can be used to commit identity theft and fraud, and that the company's alleged failure to provide reasonable security for personal data in its care violated the FTC Act's prohibition on unfair practices.
As part of the proposed settlement, the defendants are prohibited from collecting, selling, sharing or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. This includes assessing and documenting internal and external security risks; implementing safeguards to protect personal information from cybersecurity risks; and testing and monitoring the effectiveness of those safeguards.
In addition, the proposed settlement requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. Finally, the order grants the FTC the authority to approve the assessor for each two-year assessment period.
If you are interested in learning more about this topic and data privacy and security compliance, contact a qualified FTC defense attorney with experience defending agency CID investigations and lawsuits.
Here, the FTC voted to issue the administrative complaint and to accept the proposed consent agreement. Commissioner Christine S. Wilson released a concurring statement. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final.
Informational purposes only. Not legal advice. May be considered attorney advertising.