FTC Privacy Enforcement Update: Two Companies Allegedly Failed to Protect Sensitive Employee Data
On May 3, 2011, the Federal Trade Commission announced that Ceridian Corporation and Lookout Services, Inc. agreed to settle the FTC’s allegations that the companies failed to safeguard their business customers' employee personal information. Ceridian’s services include payroll processing, payroll-related tax filing, benefits administration and other human resource services for business customers. Lookout provides a web-based computer product that is designed to help employers comply with their obligations under federal law to complete and maintain a U.S. Citizenship and Immigration Services Form I-9 about each employee in order to verify that the employee is eligible to work in the United States.
The FTC alleged that the privacy and information security representations Ceridian disseminated thought the company’s website were false and misleading and, therefore, constituted unfair or deceptive acts or practices that violated Section 5(a) of the Federal Trade Commission Act. Specifically, the FTC alleged that Ceridian made the following representations regarding the privacy and confidentiality of the personal information the company collected:
Worry-free Safety & Reliability . . . When managing employee health and payroll data, security is paramount with Ceridian. Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.
With respect to its information security measures, the Ceridian stated:
Confidentiality and Privacy: [Ceridian] shall use the same degree of care as it uses to protect its own confidential information of like nature, but no less than a reasonable degree of care, to maintain in confidence the confidential information of the [customer].
The FTC alleged that these statements were false and misleading because Ceridian:
- Stored personal information in clear, readable text;
- Created unnecessary risks to personal information by storing it indefinitely on its network without a business need;
- Did not adequately assess the vulnerability of its web applications and network to commonly known or reasonably foreseeable attacks, such as “Structured Query Language” (“SQL”) injection attacks;
- Did not implement readily available, free or low-cost defenses to such attacks; and
- Failed to employ reasonable measures to detect and prevent unauthorized access to personal information.
The FTC alleged that hackers exploited these vulnerabilities by launching an SQL injection attack on the company's website and web application. The hackers gained access to Ceridian's network and obtained customers' employee data (including bank account numbers, Social Security numbers, and dates of birth). The breach affected the personal information of at least 27,673 individuals.
The FTC alleged similar privacy and security violations by Lookout. Specifically, the FTC alleged that Lookout made the following representations regarding the security of employee data the company maintained:
Although the data is entered via the web, your data will be encoded and transmitted over secured lines to Lookout Services server. This FTP interface will protect your data from interception, as well as, keep the data secure from unauthorized access.... Our servers are continuously monitoring attempted network attacks on a 24 x 7 basis, using sophisticated
The FTC alleged that these representations were false and misleading and violated Section 5(a) of the FTC Act because Lookout:
- Failed to establish or enforce rules sufficient to make user credentials (i.e., user ID and password) hard to guess; for example, the company did not require its customers or employees to use complex passwords to access the product database;
- Failed to require periodic changes of user credentials for customers and employees with access to sensitive personal information;
- Failed to suspend user credentials after a certain number of unsuccessful login attempts;
- Did not adequately assess and address the vulnerability of the company's web application to widely-known security flaws, such as “predictable resource location,” which enables users to easily predict patterns and manipulate the uniform resource locators (“URLs”) to gain access to secure web pages;
- Allowed users to bypass the authentication procedures on Lookout’s website when
they typed in a specific URL;
- Failed to employ sufficient measures to detect and prevent unauthorized access to
computer networks, such as by employing an intrusion detection system and
monitoring system logs; and
- Created an unnecessary risk to personal information by storing passwords used to
access the product database in clear text.
The FTC alleged that these deficiencies enabled an employee of a Lookout customer to gain
access to the personal information of over 37,000 individuals (including names, addresses, dates of birth and Social Security numbers). The employee obtained a URL for a secure Lookout web page during a webinar for the company's I-9 compliance solution. She subsequently typed that URL into her browser and gained access to employee personal information without having to provide valid user credential. The employee also visited Lookout’s public-facing login web page for the company's product and successfully guessed and entered several different user IDs and passwords, including the user ID “test” and the password “test.” As a result, the employee was able to access the personal information of more than 11,000 individuals. Then, by making minimal and easy-to-guess changes to the URL, the employee gained access to the entire product database, which included the personal information of more than 37,000 individuals. The FTC alleged that because Lookout did not employ an intrusion detection system until October 2009, or adequately monitor system logs until December 2009, it was unknown if other unauthorized persons accessed the personal information in the company's database before that time.
The settlement orders bar the misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers (including customers' employees). The FTC also requires the companies to implement a comprehensive information security program and to obtain independent, third party security audits every other year for 20 years.
The comprehensive security program must contain administrative, technical and physical safeguards appropriate to each company's size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees.
Specifically, the consent orders require each company to:
- Designate an employee or employees to coordinate and be accountable for the information security program;
- Identify material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks;
- Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
- Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Ceridian, and require service providers by contract to implement and maintain appropriate safeguards; and
- Evaluate and adjust its information security programs in light of the results of testing and monitoring, any material changes to operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.
The FTC's enforcement actions against Ceridian and Lookout likely signal a two-fold expansion of the Commission's privacy and data security enforcement activities: to smaller-scale violations and violations affecting employee data. The two actions are not typical for the FTC for several reasons. First, the incidents affected a relatively small number of individuals (with no hard evidence of malicious hacking at Lookout). In addition, the enforcement actions focused on the personal information of employees rather than consumers. While consumers are the focus of an overwhelming majority of the FTC's privacy and information security enforcement, the FTC has long viewed its Section 5 jurisdiction broadly. As early as 2000, the FTC took the position that it "has the same jurisdiction in the employment-related data situation as it would generally under Section 5 of the FTC Act … [A]ssuming a case met our existing criteria (unfairness or deception) for a privacy-related enforcement action, we could take action in the employment-related data situation." With Ceridian and Lookout settlements, the FTC seems to want to dispel the notion that it is focused solely on large scale, high profile privacy and information security violations affecting consumers. This is another reason to take a hard look at your company's privacy and information security compliance.