HB Ad Slot
HB Mobile Ad Slot
FTC Settles GLBA Enforcement Action Against TaxSlayer Stemming From 2015 Data Breach
Friday, September 1, 2017

The Federal Trade Commission (FTC) this week announced a consent order with TaxSlayer, LLC, an online tax preparation services provider, to settle claims that the company violated the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and Privacy Rule.

As part of the online tax preparation process, TaxSlayer customers are asked to provide a significant amount of sensitive personal information, including Social Security number, telephone number, address, income, marital status, family size, bank names, and bank accounts.

Between October and December 2015, hackers were able to access account information for approximately 8,800 TaxSlayer customers, resulting in an unknown number of false tax returns being filed.

The FTC alleged that TaxSlayer violated the GLBA Safeguards Rule by failing to: develop a written comprehensive security program (until November 2015); conduct a risk assessment to identify reasonably foreseeable internal and external risks to security; and implement information security safeguards that would help prevent a cyber attack. The FTC further claimed that TaxSlayer failed to implement adequate risk-based authentication measures, such as requiring consumers to choose strong passwords.

The FTC also alleged that TaxSlayer violated the GLBA Privacy Rule by failing to provide its customers with a clear and conspicuous initial privacy notice and deliver the notice in a way that ensured the consumers received it.

In conjunction with announcing the TaxSlayer consent order, the FTC released a blog post containing “4 Gramm-Leach-Bliley tips to take from FTC’s TaxSlayer case.” In the post, the FTC advised companies to:

  • Assess whether a company is a “financial institution” subject to the GLBA;

  • Deliver GLBA privacy notices in a manner that consumers are reasonably expected to actually receive it (the FTC considers a link to a privacy policy on a company home page to be insufficient);

  • Use appropriate authentication procedures, which may include multi-factor authentication; and

  • Satisfy ongoing obligations under the GLBA Safeguards Rule by continuing to evaluate and adjust information security programs in light of changes to business operations, the results of monitoring or testing, or any other relevant factors.

HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins