Companies Settle After Compromising Privacy of 65,000 Consumers
Despite claims from Ceridian Corporation and Lookout Services Inc. that they took reasonable measures to secure sensitive personal information -- including Social Security numbers -- FTC lawsuits against the companies accused them of negligence whose "unfair and deceptive" security practices put the personal information of nearly 65,000 consumers at risk.The settlements with Ceridian and Lookout require both companies to implement comprehensive information security programs that will be subject to independent audits every other year to ensure compliance.
Ceridian, which provides corporate payroll and other human resource services to its customers, claimed it maintained "Worry-Free Safety and Reliability . . . Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements."
The FTC, however, accused Ceridian of inadequate security practices, including a failure to protect its network from foreseeable attacks and the indefinite storage of personal information in clear, readable text on its network without any compelling business need.
Ceridan's sloppy security procedures, the FTC charged, allowed a hacker to breach one of the company's web-based payroll processing applications in December 2009, compromising the personal information, such as Social Security numbers and direct deposit information, of approximately 28,000 employees of Ceridian's small-business customers.
The other defendant, Lookout, markets software that allows employers to comply with federal immigration laws by storing sensitive information including names, addresses, dates of birth and Social Security numbers.
Despite Lookout's claims that its system kept data reasonably secure from unauthorized access, the FTC's complaint said the company's lackadaisical safeguards permitted unauthorized access to sensitive employee information by typing a simple URL into a web browser -- without even requiring a user name or password.
The FTC also accused Lookout of failing to require strong passwords, periodic password changes or adequate employee training. As a result, an employee of one of Lookout's customers was able to access sensitive information in the company's database, including the Social Security numbers of some 37,000 consumers.
The settlement orders bar both companies from making misleading claims about the privacy, confidentiality or integrity of personal information collected from or about consumers. They also require Ceridan and Lookout to implement comprehensive information security programs and to obtain independent, third-party security audits every other year for the next 20 years.
The settlements represent the latest actions in the FTC's ongoing campaign to make sure companies safeguard consumers' personal information. To that end, the agency has sued 34 businesses since 2001 for failing to protect consumers' personal information.
During testimony Wednesday before the House Committee on Energy and Commerce, Subcommittee on Commerce, Manufacturing and Trade, David Vladeck, director of the FTC's Bureau of Consumer Protection, cited both the Ceridan and Lookout settlements while underscoring the potential harm from negligent corporate security procedures.
"Data security is of critical importance," Vladeck told Congress. "If companies do not protect the personal information they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm, and consumers could lose confidence in the marketplace."