
Proposed Changes to FTC COPPA Rule

Posted by fgilbert on August 1st, 2012

The FTC has issued an NPRM seeking comments on proposed changes to the COPPA Regulations. These changes are intended to take into account the evolution of web technologies, such as plug-ins and the use of third-party cookies and ad networks; they would also clarify some of the requirements for websites that contain child-oriented material that may appeal to both parents and children. This new NPRM pertains to changes to the COPPA Regulation that diverge from the changes that the FTC presented in its September 2011 proposal.

  • Expansion of the definitions of “operator” and “website or service directed to children”

The proposed changes to the definitions of “operator” and “website or online service directed to children” would clarify that an operator that integrates the services of third parties that collect personal information from visitors of its site or service would itself be considered a covered “operator” under the Rule. Further, an ad network or plug-in would also be subject to COPPA if it knows or has reason to know that it is collecting personal information through a child-directed site or service.

  • Clarification of the definition of “personal information”

The proposed change to the definition of “personal information” would make it clear that a persistent identifier – e.g., a persistent cookie – would be deemed “personal information” subject to the Rule if it can be used to recognize a user over time or across different sites or services.

However, the use of tracking technologies or identifiers for authenticating users, improving navigation, for site analysis, maintaining user preferences, serving contextual ads, and protecting against fraud and theft would not be considered the collection of “personal information” if the collected data is not used or shared to contact a specific individual, e.g. for behaviorally-targeted advertising.

  • Mixed audience websites

The proposed changes would also clarify that mixed audience websites that contain child-oriented content and whose audience includes both young children and others, including parents, would be allowed to age-screen all visitors in order to provide COPPA’s protections only to users under age 13. However, those child-directed sites or services that knowingly target children under 13 as their primary audience, or whose overall content is likely to attract children under age 13 as their primary audience, would still be required to treat all users as children.

  • Text of the Notice of Proposed Rule Making

The text of the Notice of Proposed Rule Making is available at http://www.ftc.gov/os/2012/08/120801copparule.pdf

Remove any P2P Filesharing Software from your Network

Posted by fgilbert on June 7th, 2012

Remove any P2P filesharing software from your network or be prepared to enter into a 20-year relationship with the Federal Trade Commission. This is what will happen to EPN, Inc., a debt collection business based in Provo, Utah and to Franklin’s Budget Car Sales, Inc., of Statesboro, Georgia, a car dealership. In both cases, the P2P software caused sensitive personal information of thousands of consumers to be accessible to users of other computers connected to the same peer-to-peer network.

On June 7, 2012, the FTC published proposed settlement agreements with these two businesses because they had allowed peer-to-peer file sharing software to be installed on their network.

The FTC case against EPN, Inc. alleges that the lack of security measures at the company allowed the company’s COO to install P2P file-sharing software on the company’s network. As a result, sensitive information of 3,800 hospital patients, including Social Security numbers, health insurance numbers, and medical diagnosis codes, was available to any computer connected to the P2P network.

The case against Franklin’s Budget Car Sales, Inc. alleges that the installation of P2P software on the company’s network resulted in sensitive financial information of 95,000 consumers, such as names, addresses, Social Security numbers, dates of birth, and driver’s license numbers, being made available on the P2P network.

In both cases, the companies were charged with failure to observe commonly used best practices:

  • Failure to have an appropriate information security plan;
  • Failure to assess risks to the consumer information collected and stored online;
  • Failure to use reasonable measures to ensure security of the network, such as scanning its networks to identify any P2P file-sharing applications operating on them;
  • Failure to adopt policies to prevent or limit unauthorized disclosure of information;
  • Failure to prevent, detect and investigate unauthorized access to personal information on the company’s networks;
  • Failure to adequately train employees;
  • Failure to employ reasonable measures to respond to unauthorized access to personal information.
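The third failure above, not scanning one's own network for P2P file-sharing applications, is the one a security team can turn into a routine check. The script below is an added example, not part of the original post or of any FTC material: it takes a constructed host inventory (process list, listening ports, contents of a shared folder) of the kind an endpoint agent might report, flags hosts that show a known P2P client or listener, and, only for those hosts, reports shared files that contain Social Security number patterns. The client names, ports and file contents are made up for illustration.

```python
"""Inventory check for P2P file-sharing clients and the sensitive files they may expose.

Added example, not part of the original post or any FTC material. It assumes a
constructed host inventory (process list, listening ports, files in a shared
folder); every name, port and file content below is made up for illustration.
"""
import re
from dataclasses import dataclass, field

# Executable names associated with P2P file-sharing clients. Assumption: a
# starter list; an organization would maintain its own from its software policy.
P2P_PROCESS_NAMES = {"limewire", "frostwire", "utorrent", "bittorrent", "emule"}

# Ports historically used by Gnutella, BitTorrent and eDonkey clients. A port
# match alone is a weak signal, so it is reported alongside any process match.
P2P_PORTS = {6346, 6347, 6881, 6882, 4662, 4672}

# US Social Security number in the form NNN-NN-NNNN.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Host:
    name: str
    processes: list            # (executable name, pid) pairs
    listening_ports: list      # ports with a listener
    shared_files: dict = field(default_factory=dict)  # path -> file contents


@dataclass
class Finding:
    host: str
    indicators: list           # why the host was flagged
    exposed_files: list        # shared files containing SSN-like data


def _base_name(executable):
    """'LimeWire.exe' -> 'limewire': lowercase and drop the last extension."""
    return executable.lower().rsplit(".", 1)[0]


def check_host(host):
    """Return a Finding if the host shows signs of a P2P client, else None."""
    indicators = []
    for executable, pid in host.processes:
        if _base_name(executable) in P2P_PROCESS_NAMES:
            indicators.append(f"process {executable} (pid {pid})")
    port_hits = sorted(set(host.listening_ports) & P2P_PORTS)
    if port_hits:
        indicators.append(f"listener on P2P port(s) {port_hits}")
    if not indicators:
        return None
    # Only when a client is present do we look at what its shared folder exposes.
    exposed = [path for path, text in host.shared_files.items() if SSN_RE.search(text)]
    return Finding(host.name, indicators, exposed)


def scan(hosts):
    """Run check_host over an inventory and keep only the flagged hosts."""
    return [f for f in (check_host(h) for h in hosts) if f is not None]


# Constructed inventory: one laptop with a P2P client and a share holding
# SSN-like records, one clean workstation, one file server with SMB only.
SAMPLE_HOSTS = [
    Host(
        name="coo-laptop",
        processes=[("outlook.exe", 1204), ("LimeWire.exe", 3310)],
        listening_ports=[135, 445, 6346],
        shared_files={
            "C:/Shared/patients_2011.csv": "id,name,ssn\n1,Sample Patient,123-45-6789\n",
            "C:/Shared/music/track01.mp3": "<binary audio data>",
        },
    ),
    Host(name="workstation-02", processes=[("excel.exe", 880)], listening_ports=[135, 445]),
    Host(name="file-server", processes=[("smbd", 42)], listening_ports=[139, 445]),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_HOSTS):
        print(finding.host, "|", "; ".join(finding.indicators), "|", finding.exposed_files)
```

Run stand-alone it prints one line for coo-laptop. In practice the inventory would come from an endpoint agent or from netstat and process listings gathered over the network, and a hit on a host that also exposes SSN-like files is the case that should open an incident rather than just a help-desk ticket.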

Failure to implement reasonable and appropriate data security measures as described above was an unfair act or practice and violated federal law, namely Section 5 of the FTC Act. In addition, Franklin Car Sales, as a “financial institution” subject to the Gramm-Leach-Bliley Act (GLBA) was found to have violated both the GLBA Safeguards Rule and Privacy Rule by failing to provide annual privacy notices and a mechanism by which consumers could opt out of information sharing with third parties.

The proposed consent order against EPN and Franklin would require the companies to establish and maintain comprehensive information security programs, and cease any misrepresentation about their data handling practices. The settlement orders with the two companies are substantially similar. They:

  • Bar any future misrepresentations about the privacy, security, confidentiality, and integrity of any personal information;
  • Require the companies to establish and maintain a comprehensive information security program; and
  • Require the companies to undergo data security audits by independent auditors every other year for 20 years.

As always with FTC consent orders, each violation of such an order may result in a civil penalty of up to $16,000.


Posted in FTC

FTC v. Myspace

Posted by fgilbert on May 8th, 2012

On May 8, 2012, Myspace agreed to settle Federal Trade Commission charges that it misrepresented its protection of users’ personal information.

The two major issues at stake were misrepresentation of privacy practices and misrepresentation of compliance with Safe Harbor principles.

Misrepresentation of Privacy Practices

Myspace assigns a persistent unique identifier, called a “Friend ID,” to each profile created on Myspace. A user’s profile may publicly display the user’s name, age, gender, picture, hobbies, interests, and list of friends.

The Myspace privacy policy promised that it would not share a user’s personally identifiable information, or use such information in a way that was inconsistent with the purpose for which it was submitted, without prior notice to, and consent from, the user. It also promised that the information used to customize ads would not individually identify users to third parties, and that it would not share non-anonymized browsing activity.

The FTC charged that Myspace provided advertisers with the Friend ID of users who were viewing particular pages on the site. Advertisers could use the Friend ID to locate a user’s Myspace profile and obtain personal information publicly available on the profile. Advertisers also could combine the user’s real name and other personal information with additional information to link broader web-browsing activity to a specific individual.

Misrepresentation of Compliance with Safe Harbor Principles

Myspace certified that it complied with the U.S.-EU Safe Harbor principles, which include a requirement that consumers be given notice of how their information will be used and the choice to opt out.

The FTC alleged that the way in which Myspace handled personal information was inconsistent with its representations of compliance with the Safe Harbor principles.

Proposed Settlement

The proposed settlement order would:

  • Bar Myspace from misrepresenting the extent to which it protects the privacy of users’ personal information;
  • Bar Myspace from misrepresenting the extent to which it belongs to or complies with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor Framework;
  • Require Myspace to establish a comprehensive privacy program designed to protect consumers’ information;
  • Require Myspace to obtain biennial assessments of its privacy program by independent, third party auditors for 20 years;
  • Expose Myspace to a civil penalty of up to $16,000 for each future violation, if any, of the consent order.

The proposed settlement is open for comments; it will be finalized and will become effective after the end of the comment period.


Posted in FTC

Mobile App Privacy Webinar on April 19, 2012

Posted by fgilbert on April 17th, 2012

On Thursday April 17, 2012, at 10am PT / 1pm ET, I will be moderating and presenting at a one-hour webinar organized by the Practising Law Institute: “A New Era for Mobile Apps? What Companies Should Know to Respond to Recent Mobile Privacy Initiatives”.

The webinar will start with an overview of the technologies and ecosystem that surround the operation and use of mobile applications, presented by Chris Conley, Technology and Civil Liberties Attorney, ACLU Northern California (San Francisco).

Patricia Poss, Chief, BCP Mobile Technology Unit, Federal Trade Commission (Washington DC) will then comment on the two reports recently published by the Federal Trade Commission: “Mobile Apps for Children” (February 2012) and the final report “Protecting Consumer Privacy in an Era of Rapid Change” (March 2012), which both lay out a framework for mobile players.

I will follow with an overview of the recent agreement between the California State Attorney General and six major publishers of mobile apps, which sets up basic rules and structures for the publication and enforcement of mobile app privacy policies, and the Consumer Privacy Bill of Rights, which was unveiled by the White House in February 2012. I will end with suggestions for implementing privacy principles in the mobile world.

To register for this webinar, please visit the PLI website.

ID Theft Consumer Complaints to FTC Declining

Posted by fgilbert on February 28th, 2012

The Federal Trade Commission annual report on complaints filed by consumers, released on February 28, 2012, provides a list of the top consumer complaints received by the agency in 2011. For the 12th year in a row, identity theft complaints topped the list.

Of more than 1.8 million complaints filed in 2011, 279,156, or 15 percent, were identity theft complaints. In the past three years, the share of identity theft complaints has significantly declined: from 20% in 2009 to 15% in 2011.

The report also indicates that the share of complaints for credit card fraud has declined by 3 percentage points since 2009, from 17 percent in 2009 to 14 percent in 2011. It is clear that, despite their shortcomings, the security breach disclosure laws have contributed to raising companies’ and consumers’ awareness, and to identifying security incidents faster and more easily. As a result, credit card companies have been in a better position to promptly block stolen cards or credit card numbers.

On the other hand, the share of identity theft complaints related to tax- or wage-related fraud has doubled since 2009, jumping from 12.7 percent to 24.1 percent in 2011. This area clearly needs more attention. Proper measures need to be identified to reduce this type of fraud.

Complaint category                               Number    Percent of complaints
Identity Theft                                   279,156   15 percent
Debt Collection                                  180,928   10 percent
Prizes, Sweepstakes, and Lotteries               100,208    6 percent
Shop-at-Home and Catalog Sales                    98,306    5 percent
Banks and Lenders                                 89,341    5 percent
Internet Services                                 81,805    5 percent
Auto Related Complaints                           77,435    4 percent
Imposter Scams                                    73,281    4 percent
Telephone and Mobile Services                     70,024    4 percent
Advance-Fee Loans and Credit Protection/Repair    47,414    3 percent

The 103-page report breaks out complaint data on a state-by-state basis and contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. Florida, Georgia, and California received the highest number of identity theft complaints (computed per capita), while Maine, North Dakota, and South Dakota received the smallest number of identity theft complaints.

Posted in FTC

FTC issues Report on Kids Privacy & Mobile Apps

Posted by fgilbert on February 16th, 2012

On February 16, 2012, the FTC released a new report on privacy issues in mobile apps. There are good lessons to be drawn from the document, both for mobile app developers and for companies that operate websites. What is true for mobile apps is generally also true for websites.

Among other things, the report recommends:

  • Everyone – stores, developers and third parties providing services – should play an active role in providing key information to parents;
  • Information about data practices should be provided in simple and short disclosures;
  • It should be clear whether the app connects with social media;
  • It should be clear whether the app contains ads;
  • Third parties that collect data also should disclose their privacy practices;
  • App stores also should take responsibility for ensuring that parents have basic information.

The full report is available at: http://www.ftc.gov/opa/2012/02/mobileapps_kids.shtm


Never too Small to Face an FTC COPPA Action

Posted by fgilbert on November 9th, 2011

Some companies think that they are small and can fly under the radar, and need not worry about compliance. They should rethink their analysis of their legal risks after the recent FTC action against a small social networking site.

On November 8, 2011, the FTC announced a proposed settlement with the social networking site www.skidekids.com, which collected personal information from children without obtaining prior parental consent, in violation of COPPA, and made false statements in its website privacy notice, in violation of the FTC Act.

In this case, the personal information of 5,600 children was illegally collected. This is far fewer records than in some of the recent FTC COPPA enforcement actions. For example, the 2006 action against Xanga revealed that Xanga had collected 1.7 million records, the 2008 action against Sony that Sony had collected 30,000 records, and the 2011 action against W3 Innovations identified 50,000 illegally collected records.

The Problem

The social networking site Skid-e-kids targeted children ages 7-14 and allowed them to register, create and update profile information, create public posts, upload pictures and videos, send messages to other Skid-e-kids members, and “friend” them.

According to the FTC complaint, the website owner – a sole proprietor – was prosecuted for:

  • Failing to provide sufficient notice of its personal data handling practices on its website;
  • Failing to provide direct notice to parents about these practices; and
  • Failing to obtain verifiable parental consent.

In addition, these practices were found to be misleading and deceptive, which in turn was deemed to violate Section 5 of the FTC Act.

The site’s online privacy statement claimed that the site requires child users to provide a parent’s valid email address in order to register on the website, and that it uses this address to send the parent a message that can be used to activate the Skid-e-kids account, to notify the parent about its privacy practices, and to send the parent communications about features of the site.

According to the FTC, however, Skid-e-kids actually registered children on the website without collecting a parent’s email address or obtaining permission for their children to participate. Children who registered were able to provide personal information, including their date of birth, email address, first and last name, and city.

The Proposed Settlement

The proposed Consent Decree and Settlement Order against Jones O. Godwin, sole owner of the site www.skidekids.com is available at http://www.ftc.gov/os/caselist/1123033/111108skidekidsorder.pdf. The proposed settlement would:

  • Bar Skid-e-Kids from future violations of COPPA and misrepresentations about the collection and use of children’s information;
  • Require the deletion of all information collected from children in violation of the COPPA Rule;
  • Require that the site post a clear and conspicuous link to www.onguardonline.gov, the FTC site focusing on the protection of children’s privacy, and that the site privacy statement as well as the privacy notice for parents also contain a reference to the On Guard Online site;
  • Require that, for 5 years, the company engage qualified privacy professionals to conduct annual assessments of the effectiveness of its privacy controls, or become a member in good standing of a COPPA Safe Harbor program approved by the FTC;
  • Require that, for 8 years, records be kept to demonstrate compliance with the above.

A lenient fine … subject to probation

An interesting aspect of the proposed settlement is that it, in effect, imposes only a $1,000 fine on the defendant. The fine is to be paid within five days of the entry of the order. However, if Skid-e-Kids fails to comply with some of the requirements of the settlement, it will have to pay the full $100,000 fine that is provided for in the settlement.

Specifically, the $100,000 fine will be assessed if:

  • The defendant fails (a) to have initial and annual privacy assessment (for a total of 5 annual assessments) conducted by a qualified professional approved by the FTC and identifying the privacy controls that have been implemented, how they have been implemented and certifying that the controls are sufficiently effective; or (b) to become a member in good standing of a COPPA Safe Harbor program approved by the FTC for 5 years; or
  • The disclosures made about the defendant’s financial condition are materially inaccurate or contain material misrepresentations.

The Lesson for Sites with Children’s Content

This new case is a reminder that the COPPA Rule contains specific requirements that must be followed, no matter the size of the site, when intending to collect children’s personal information. The COPPA Rule defines procedures and processes that must be followed rigorously.

Among other things, the COPPA Rule requires websites that are directed to children, and general audience websites that have actual knowledge that they are collecting children’s information, to:

  • Place on their website a conspicuous link to their privacy statement;
  • Provide specified information in the website privacy statement: describe in clear terms what personal information of children is collected and how it is used, and explain what rights children and parents have to review and delete this information;
  • Provide a notice directly to the parents, which must include the website privacy statement, and inform the parents that their consent is required for the collection and use of the children’s information by the site, and how their consent can be obtained;
  • Obtain verifiable consent from the parents before collecting or using the children’s information;
  • Give parents the option to agree to the collection and use of the children’s information without agreeing to the disclosure of this information to third parties.

In addition, we suggest also including, clearly and conspicuously, (a) in the website privacy statement; (b) in the notice to parents; and (c) at each location where personal information is collected a notice that invites the user to visit the On Guard Online website of the Federal Trade Commission for tips on protecting children’s privacy online: www.onguardonline.gov/topics/kids-privacy.aspx.


Lessons Learned from the Google FTC Settlement

Posted by fgilbert on October 25th, 2011

The Decision and Order settling charges by the Federal Trade Commission that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010 became final as of October 24, 2011. Google is barred from future privacy misrepresentations, is required to implement a comprehensive privacy program, and must submit to independent privacy audits every other year, for the next 20 years.

The finalization of the Order gave me an opportunity to refresh my recollections about the terms of the settlement, and reflect upon them. There are, indeed, many lessons to learn from the FTC – Google settlement:

What is a Comprehensive Privacy Program

The Google settlement order is the first one where the FTC requires a company to implement a comprehensive privacy program to protect the privacy of consumers’ personal information. As a result, there is now FTC guidance on the components of a comprehensive privacy program: from designating an individual responsible for the program, to identifying and assessing the risks that could result from the unauthorized collection, use or disclosure of personal information, to designing and implementing reasonable privacy controls and procedures, and training the personnel and supervising service providers.

What Personal Information is to be Protected

The Google settlement applies to “covered information.” The size of the universe of personal information to be protected is significant. It is much broader than “sensitive information” (i.e., Social Security numbers, credit card and financial information, identity information, and the like), a limited, narrow group of personal information that too many view as the only personal information that must be protected. The “covered information” (or protected information) in the Google order encompasses all of the information that is collected from or about an individual, including, but not limited to, an individual’s:

  • First and last name;
  • Home or other physical address, including street name and city or town;
  • Email address or other online contact information, such as a user identifier or screen name;
  • Persistent identifier, such as IP address;
  • Telephone number, including home telephone number and mobile telephone number;
  • List of contacts;
  • Physical location; or
  • Any other information from or about an individual consumer that is combined with the above.

In other words, if you collect it, you have to protect it. This is a reminder that personal information need not be confidential, secret, or strategic to require protection.

How to Make a Material Change to a Policy

There is also specific guidance on how to implement a change in policy with respect to the sharing of personal information. If the personal data handling practices that were in effect when the company collected personal information change, the company must:

  • Obtain users’ express, affirmative consent before sharing their information with third parties, and
  • Prominently disclose, separate from any privacy policy, terms of use or similar document: that the user’s information will be disclosed to one or more third parties; the identity or specific categories of such third parties; and the purpose(s) for sharing this information.

Safe Harbor Promises Must be Kept

The Google settlement order is also the first time that the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework. Safe Harbor promises must be kept. It is not enough to fill out a form and ignore the commitments made.

Privacy Promises Must be Kept

Misrepresenting the extent to which the privacy and confidentiality of personal information is maintained is not acceptable. A company may not misrepresent the purposes for which it collects and uses the information, and the extent to which consumers may exercise control over the collection, use, or disclosure of personal information. When promises are made, they must be kept.

If one Product fails, the Entire Company will Bear the Consequences

Finally, the FTC Settlement does not cover just the Google Buzz and Gmail products. It applies broadly to all products and services of Google. For a large company like Google, the repercussions of a single error are extensive and significant. Do not assume that a little mistake can only have little consequences.

Now, Google has twenty years to think about what it could have done better, and how it could have avoided being elected to the FTC’s Hall of Shame. May the lessons from the FTC Google settlement order be learned by other companies.

Posted in FTC

FTC proposes changes to the COPPA Rule

Posted by fgilbert on September 15th, 2011

On September 15, 2011, the Federal Trade Commission published for comments its proposed amendment to the current COPPA Rule, which is codified as 16 CFR Part 312. This proposed amendment is based on the information and comments collected during several public round tables and other consultations with the public and stakeholders in 2010. The text of the Proposed Amendment can be found at http://www.ftc.gov/os/2011/09/110915coppa.pdf. Written comments must be received on or before November 28, 2011.

The Commission proposes modifications to the Rule in the following areas:

  • Definitions;
  • Parental notice and consent mechanisms;
  • Confidentiality and security;
  • Self-regulatory safe harbor programs.

What Will Not Change

While the proposed amendment would make some significant changes in some areas, a number of issues that had raised questions will not be affected. For example:

  • The definition of “child” will not change. The Rule will continue to protect children under 13, and not minors or other teens.
  • The amendment does not propose a clarification of what constitutes “actual knowledge” that a site is collecting information of children. This is unfortunate, since this question is the source of many problems for companies.

Several Revised Definitions

The proposed amendment would modify and clarify a number of definitions of crucial terms. Some of these clarifications will likely be welcomed by the service providers. Other changes significantly expand the scope of the defined terms, to take into account the changes and advances in technology and online practices. For example, the proposed amendment addresses the now ubiquitous use of behavioral targeting and location information. Several definitions are affected.

Definition of “Personal Information”

The proposed amendment would expand the definition of “personal information.” The new definition would include a customer identification number held in a cookie, an IP address, a processor or device number, or a unique device identifier that is used for functions other than internal operations of the website. Among other things, this addition would cover tracking cookies used for behavioral advertising.

The proposed amendment would also add geolocation information as well as photographs, videos and audio files that contain a child’s image or voice to the definition of personal information protected under COPPA.

Definition of “Collection”

The new definition of “collection” would clarify that the Rule covers the online collection of personal information both when an operator requires the personal information and when the operator merely prompts or encourages a child to provide such information.

The revised definition would permit a website operator to allow children to participate in interactive communities without parental consent, provided that the operator takes reasonable measures to delete “all or virtually all” children’s personal information before it is made public, and to delete it from its records.

Definition of “Release of Personal Information”

The amendment would define the term “release” of personal information separately from the definition of “disclosure.” A “release” would be the sharing, selling, renting, or transfer of personal information to a third party.

Definition of “Online Contact Information”

The definition of “Online Contact Information” would be expanded to include instant messaging user identifiers, VoIP identifiers, and video chat user identifiers.

Parents’ Notice and Consent Requirements

The amendment would provide much needed improvements to the rules that pertain to giving notice to parents and custodians and obtaining their consent.

Methods to be Used to Provide Parental Notice

COPPA requires that the parents be notified both on the operator’s website and in a notice delivered directly to the parent whose child seeks to register on the site or service. The proposed amendment would streamline the parental notice requirement. Key information would be presented to parents succinctly in a “just-in-time” notice, in addition to being presented in a privacy policy.

There are also proposed changes to the content of the notice. For example, all operators of a website would have to provide contact information including name, physical and email address, and telephone numbers. In addition, the amendment would streamline the content requirements for the notice.

Parental Consent Mechanisms

The proposed amendment would add new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database.

Concurrently, the proposed amendment would eliminate the “email plus” method of parental consent, which allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent.

Confidentiality and Security Requirements

The amendment would strengthen the existing confidentiality and security requirements and would introduce new data retention and disposal requirements.

Data Retention and Deletion

The amendment would introduce a data retention and deletion requirement, under which data may be retained only for as long as is necessary to fulfill the purposes for which it was collected. In addition, the proposed amendment would require the operator of a website or service to delete the child’s personal information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal.

Service Providers

The amendment proposes adding a requirement that operators ensure that service providers or third parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it.

This requirement is consistent with similar requirements that are in place in most – if not all – laws, regulations, rulings, and standards that address the protection of personal information. In all cases, the data custodian who gives access to personal information to a third party is responsible for ensuring that the third party protects the data with privacy, confidentiality, and security measures at least as stringent as those that the data custodian is required to use.

Safe Harbor

Finally, the amendment would strengthen the COPPA Safe Harbor Programs. It would modify the criteria for approval of self-regulatory guidelines and introduce new reporting and record keeping requirements. The amendment would require the Safe Harbor Programs to audit their members at least annually and report periodically to the Commission the results of these audits.

Comments Invited

The FTC has invited comments to the proposed amendment. These comments must be received by November 28, 2011.

Conclusion

The proposed amendment to the COPPA rule provides numerous significant additions and clarifications to the existing Rule. It takes into account changes in practices and technologies to adapt to the new forms of using online services. It also takes into account some of the obstacles encountered and questions asked by online services – and their advisors – when trying to implement some of the provisions of COPPA. While the amendment would improve and simplify the procedures to be used to notify parents and obtain their consent, it remains to be seen whether companies will be able to provide elegant and reliable methods for signing up children with their parents’ consent.

Failure to Protect against SQL Injection Attack deemed an “Unfair Practice”

Posted by fgilbert on May 4th, 2011

A proposed Federal Trade Commission consent order applicable to Ceridian Corporation establishes that failure to protect against potential SQL injection attacks is an “unfair practice” actionable under Section 5 of the FTC Act. Despite representations that it maintained “worry-free safety and reliability” and that it had a security program designed in accordance with the ISO 27000 standard, the company’s security system had several flaws. Among other things, Ceridian failed to use readily available defenses to SQL attacks. When a successful SQL attack caused the exposure of sensitive personal information of nearly 28,000 individuals, the FTC initiated an enforcement action. This action led to the development of the proposed FTC consent order, which was published on May 3, 2011.

Ceridian operates the Powerpay website, and provides payroll processing, payroll-related tax filing, benefits administration, and other human resource services. Customers enter their employees’ personal information, Social Security numbers, dates of birth, home addresses, bank account and other information on the website. This information is transmitted to Ceridian’s computer network, where payroll amounts are computed, payroll checks are processed, and direct deposits initiated.

Ceridian stored personal information in clear, readable text for an indefinite period of time, and failed to employ reasonable measures to detect and prevent unauthorized access to personal information. Hackers executed an SQL injection attack on the Ceridian system; these deficiencies allowed the attack to succeed and exposed the personal information of the affected individuals.

The proposed FTC consent order is consistent with prior consent orders issued in similar circumstances. What makes the Ceridian case interesting is the list of acts and deficiencies that the FTC identifies as having created vulnerabilities and that should have been avoided. The FTC complaint against Ceridian notes in particular the following security deficiencies:

  • Storing information in clear, readable text;
  • Storing information indefinitely, and for longer than needed;
  • Failure to assess the vulnerability of the system to known or reasonably foreseeable attacks such as SQL injection attacks;
  • Failure to use readily available, free, or low-cost defenses to SQL attacks; and
  • Failure to employ reasonable measures to detect and prevent unauthorized access to personal information.

This list provides examples of the minimum measures that the FTC expects from a security system intended to protect personal information such as financial information or social security numbers. Of note, in particular, is the need to have in place systems and defenses that resist SQL injection attacks and other known or reasonably foreseeable attacks.
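As an added illustration (not code from the post or from the FTC order), the deficiency and the “readily available, free” defense side by side: a record lookup that splices user input into the SQL text, next to one that binds the input as a parameter. It uses Python’s built-in sqlite3 module with a constructed, hypothetical employee table; the schema and values are assumptions, not Ceridian’s.

```python
import sqlite3


def build_db():
    """Constructed sample table holding the kind of sensitive records the post describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, username TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO employees (username, ssn) VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002")],  # constructed values
    )
    return conn


def lookup_vulnerable(conn, username):
    """The deficiency: untrusted input becomes part of the SQL statement itself,
    so a quote character in the input can change the query's logic."""
    sql = "SELECT username, ssn FROM employees WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The defense: a bound parameter. The driver sends the value separately
    from the SQL text, so the input is only ever compared as data and can
    never alter the statement's structure."""
    return conn.execute(
        "SELECT username, ssn FROM employees WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run the same malformed input through both lookups and return the rows each yields."""
    conn = build_db()
    malformed_input = "x' OR '1'='1"  # classic tautology seen in injection attempts
    return {
        "vulnerable": lookup_vulnerable(conn, malformed_input),  # returns every row
        "parameterized": lookup_parameterized(conn, malformed_input),  # returns nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) returned")
```

The vulnerable lookup hands back every employee's SSN for the malformed input, while the parameterized version matches no row; the same pattern of binding parameters applies to any database driver that supports placeholders.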

The proposed consent decree establishes a 20-year supervision period, during which Ceridian will be required to obtain and provide, or make available to the FTC, on a biennial basis, an assessment and report from a qualified third-party professional, certifying that it has in place a security program that meets or exceeds specified requirements, and that provides reasonable assurance that the security, confidentiality, and integrity of personal information in the company’s custody is protected. The security program must contain administrative, technical, and physical safeguards appropriate to Ceridian’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees. Specifically, the proposed order requires Ceridian to:

  • Designate one or several employees to coordinate and be accountable for the information security program;
  • Identify material risks to the security, confidentiality, and integrity of personal information and assess the sufficiency of any safeguards in place to control these risks;
  • Design and implement reasonable safeguards to control these risks;
  • Regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
  • Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information of Ceridian’s clients;
  • Require service providers by contract to implement and maintain appropriate safeguards; and
  • Evaluate and adjust its information security programs in light of the results of testing and monitoring, and of any material changes to operations or business arrangements.

For over 10 years the Federal Trade Commission has had an active, leading role in defining the basic requirements for the collection, use, storage, disclosure and protection of personal information. During this period, the consent decrees issued by the Federal Trade Commission have identified the security practices that the FTC deems unacceptable. These consent decrees provide a clear view of the regulators’ expectations. With Ceridian, it is now established that protecting against SQL injection attacks is an essential, basic requirement for a reasonable information security program.

Posted in FTC