Ceridian Corp. and Lookout Services settled with the Federal Trade Commission over charges that sensitive information – including Social Security numbers – of almost 65,000 consumers was compromised despite promises by the companies to take reasonable measures to secure the data.

Both companies’ security practices were unfair and deceptive, the agency alleged, because despite their claims, they failed to employ “reasonable and appropriate security measures” to protect data about the employees of their business customers.

Specifically, Ceridian claimed it had “Worry-free Safety and Reliability” and that “When managing employee health and payroll data, security is paramount with Ceridian. Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.” The company is a service provider that offers payroll processing, benefits administration, and other human resources services to small businesses.

But in reality, according to the complaint, the company’s security lapses included storing personal information in clear, readable text on its own network for an indefinite period and failing to use readily available, free, or low-cost defenses to protect its network from what the agency said were reasonably foreseeable attacks. A security breach in December 2009 resulted in the compromise of personal information of more than 27,000 employees of Ceridian’s customers.

Lookout Services, which offers a product that helps businesses to comply with federal immigration laws, stores the names, addresses, birthdates, and Social Security numbers of clients. Despite claims of data security such as “Our servers are continuously monitoring attempted network attacks on a 24 x 7 basis, using sophisticated software tools,” employee information could be accessed without a username or password by typing in a “relatively simple” URL, the FTC said. The company also failed to adequately train its employees and to mandate practices that would have strengthened its security, like periodic changes of passwords. A subsequent breach – where an employee of a Lookout customer accessed the sensitive information in its database – compromised roughly 37,000 consumers’ Social Security numbers.

Under the terms of the settlements, the companies will be required to “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” According to the consent order, such a program, “the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers.”

Both defendants will also be subject to monitoring and audit requirements for the next 20 years.

The settlements are open to comment for 30 days before being finalized.

Why it matters: The settlements reinforce the importance of data security as a priority for the FTC. Days later, David Vladeck, Director of the FTC’s Bureau of Consumer Protection, testified before the House Subcommittee on Commerce, Manufacturing and Trade and referenced the settlements as part of the agency’s recommendation that Congress pass data-breach notification legislation. “The FTC is committed to a comprehensive, three-pronged effort to promote data security that includes law enforcement, consumer education, and data collection and analysis,” he testified, noting that the agency has brought 34 cases against businesses that allegedly failed to protect consumers’ personal information, including those against Ceridian and Lookout.