What You Can Learn From FTC Data Security Actions Against Uber, TaxSlayer

September 19, 2017

This month’s Equifax data breach, which exposed an estimated 143 million credit records, showed how vulnerable non-public personal information is to the constant threat of cyber attacks and phishing schemes. Enforcement actions levied over the summer by the Federal Trade Commission against Uber and TaxSlayer serve as significant reminders to financial institutions—including title insurance companies and agents—about their duty to disclose data-sharing practices to customers and to safeguard private and sensitive customer information.

On Aug. 15, Uber Technologies agreed to settle FTC charges over deceptive privacy and data security claims that the ride-sharing company “deceived consumers by failing to monitor employee access to consumer personal information and by failing to reasonably secure sensitive consumer data stored in the cloud.”

Less than two weeks later, the FTC announced a consent order with TaxSlayer to settle claims that the online tax preparation services provider violated the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and Privacy Rule.

The Privacy Rule requires covered companies to provide notices to consumers that explain their privacy policies and practices. The Safeguards Rule mandates that financial institutions protect the security, confidentiality and integrity of customer non-public personal information by implementing and maintaining a comprehensive written information security program.

The FTC alleged that Uber’s failure to provide reasonable data security allowed a hacker to access personal information about Uber drivers in May 2014. The information included more than 100,000 drivers’ names and license numbers. The complaint alleges that Uber could have taken reasonable, low-cost measures that could have helped the company prevent the breach.

The FTC’s complaint also charges that Uber failed to live up to its promise to monitor driver and rider accounts for unauthorized access by Uber employees. Uber announced it would closely monitor and audit access to personal information in November 2014, after news reports alleged that Uber employees—without job-related reasons—were checking people’s trip records and other private information. The FTC alleges that Uber stopped the monitoring program months after starting it and then, for almost a year, didn’t follow up on warnings about improper access to people’s private information.

The FTC’s settlement with Uber has important implications for privacy and data security measures that companies could take, and the representations they and their employees make in these areas. According to the law firm Sidley Austin LLP, the settlement shed greater light on what the FTC means by “reasonable data security” measures that companies should implement, and underscores the importance of maintaining a robust insider threat prevention program.

Data Security Roadmap

Sidley Austin believes the FTC’s action against Uber provides a roadmap of certain reasonable security measures that the agency may expect companies to have in place, by specifically alleging Uber failed to:

  • restrict access rights by requiring programs and engineers with access to personal information to use distinct access keys (instead of allowing the use of a single key, which provided full administrative access rights and privileges to all data in the cloud);
  • restrict access to data based on employees’ job functions (i.e., “need to know”);
  • institute multi-factor authentication for access to the cloud storage;
  • implement reasonable security training or a written information security plan; and,
  • encrypt sensitive personal information stored in a centrally-accessible location (instead of storing the data in the cloud in clear, readable text, including in database back-ups).

“The FTC paid particular attention to the potential for preventing or mitigating failures by implementing ‘relatively low cost measures’ to reduce risk and protect consumer personal information stored in databases,” the law firm wrote. “The FTC’s recommended measures stress the importance of limiting access to data in accordance with employee roles and responsibility, multi-factor authentication, and encryption of sensitive data, even when stored at-rest or in back-up tapes.”

In the TaxSlayer case, the FTC alleged that between October and December 2015, hackers used a list validation attack to access account information for approximately 8,800 TaxSlayer customers. This resulted in an unknown number of false tax returns being filed. A list validation attack, also known as credential stuffing, is where hackers steal login credentials from one site and then—banking on the fact that some consumers use the same password on multiple sites—use them to access accounts on other popular sites.
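As an added illustration of the attack pattern described above (example code written for this page, not taken from the article, the FTC complaint or TaxSlayer), the following Python flags the signature a defender looks for in authentication logs: one source trying many distinct accounts in a short window, as opposed to many attempts against a single account. The log lines are constructed sample data, and the window and account thresholds are assumed values to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (hypothetical data, not TaxSlayer or FTC records).
# Each line: ISO-8601 timestamp, client IP, username, result (OK or FAIL).
SAMPLE_LOG = """\
2015-11-03T09:00:01Z 203.0.113.7 alice FAIL
2015-11-03T09:00:02Z 203.0.113.7 bob FAIL
2015-11-03T09:00:02Z 203.0.113.7 carol OK
2015-11-03T09:00:03Z 203.0.113.7 dave FAIL
2015-11-03T09:00:04Z 203.0.113.7 erin OK
2015-11-03T09:00:05Z 203.0.113.7 frank FAIL
2015-11-03T09:00:09Z 198.51.100.4 alice FAIL
2015-11-03T09:00:15Z 198.51.100.4 alice FAIL
2015-11-03T09:00:21Z 198.51.100.4 alice FAIL
2015-11-03T09:01:00Z 192.0.2.10 grace OK
"""

def parse_events(log_text):
    """Parse log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that try at least min_accounts distinct usernames within window.
    Stuffing tries one leaked password per account across many accounts, so the signal
    is account breadth per source; repeated failures against one account (classic brute
    force) are deliberately not flagged. Returns {ip: {"accounts": n, "compromised": [..]}}.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()  # by timestamp, so each window is a contiguous slice
        best = 0
        for i, (start, _, _, _) in enumerate(evs):
            users = {u for ts, _, u, _ in evs[i:] if ts - start <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            # Successes from a stuffing source are likely reused passwords: candidates
            # for a forced reset and step-up (multi-factor) authentication.
            compromised = sorted({u for _, _, u, r in evs if r == "OK"})
            alerts[ip] = {"accounts": best, "compromised": compromised}
    return alerts
```

Running `detect_credential_stuffing(parse_events(SAMPLE_LOG))` flags only 203.0.113.7 (six accounts in four seconds, two of them logged in successfully); the repeated failures from 198.51.100.4 against a single account are left for a separate brute-force rule.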

The FTC alleged that TaxSlayer violated the GLBA Safeguards Rule by failing to: develop a written comprehensive security program (until November 2015); conduct a risk assessment to identify reasonably foreseeable internal and external risks to security; and implement information security safeguards that would help prevent a cyber attack. The FTC further claimed that TaxSlayer failed to implement adequate risk-based authentication measures, such as requiring consumers to choose strong passwords.

The FTC also alleged that TaxSlayer violated the GLBA Privacy Rule by failing to provide its customers with a clear and conspicuous initial privacy notice and deliver the notice in a way that ensured the consumers received it.

Four Tips

In a blog post, Leslie Fair of the FTC offered the following tips on what the TaxSlayer case means for other companies.

  1. You or your clients may be covered by GLB and not even know it. GLB’s definition of “financial institution” is broader than a lot of businesses think. Sure, it covers companies with vaults, tellers, and chained ballpoint pens that rarely work. But if you have clients in the tax planning or tax prep business, chances are they’re covered by the Gramm-Leach-Bliley Act, too. What steps have you taken to help them comply?
  2. Deliver your privacy notices. Reg P requires that you deliver your privacy notice in a way that consumers are reasonably expected to actually receive it. A link to your privacy policy on your home page is insufficient. There’s a model notice that identifies the information you’re required to provide.
  3. Use appropriate authentication procedures. The Safeguards Rule includes concrete guidance about crafting your information security program and the FTC’s complaint outlines instances where TaxSlayer’s authentication practices allegedly fell short. According to the FTC, the credential stuffing attack on TaxSlayer ended when the company implemented multi-factor authentication – requiring users to type in their usernames and passwords and then to authenticate their device by entering a code the company sent to their email or phone. Have your clients considered the security advantages of multi-factor authentication?

  4. The Safeguards Rule doesn’t build in any laurel-resting time. Once covered companies have a written information security program in place, the Safeguards Rule includes ongoing obligations. For example, companies must evaluate and adjust their programs in light of changes to their business operations, the results of monitoring or testing, and other relevant factors. Your company or your clients may have put safeguards in place back in 2003 when GLB was the new kid on the block. But what have they done recently to keep their program current?

Contact ALTA at 202-296-3671 or [email protected].