On November 8, 2017, the FTC announced a settlement with Georgia-based online tax preparation service, TaxSlayer, LLC (“TaxSlayer”), regarding allegations that the company violated federal rules on financial privacy and data security. According to the FTC’s complaint, malicious hackers were able to gain full access to nearly 9,000 TaxSlayer user accounts between October 2015 and December 2015. The hackers allegedly used the personal information contained in the users’ accounts, including contact information, Social Security numbers and financial information, to engage in tax identify theft and obtain tax refunds through filing fraudulent tax returns. The FTC charged TaxSlayer with violating the Gramm-Leach-Bliley Act’s Safeguards Rule and Privacy Rule.

The Safeguards Rule requires financial institutions to implement appropriate safeguards, including a comprehensive written information security program, to protect the security, confidentiality and integrity of customer information. The Privacy Rule requires financial institutions to provide consumers with clear and conspicuous initial and annual privacy notices, which must include specified information about the institution’s personal information practices. The FTC alleged that TaxSlayer violated the Safeguards Rule by, among other things, failing to (1) implement a written information security program, (2) conduct a risk assessment and (3) implement information safeguards to control the risks to customer information from inadequate authentication. The FTC alleged that TaxSlayer violated the Privacy Rule by (1) hiding its privacy policy towards the end of a long License Agreement and not conveying the importance, nature and relevance of the privacy policy to its customers, and (2) failing to deliver the privacy policy so that each customer could reasonably be expected to receive actual notice (such as by requiring customers to acknowledge receipt of the initial notice as a necessary step to obtaining TaxSlayer’s services).

As part of the settlement, TaxSlayer is prohibited from violating the Safeguards Rule and the Privacy Rule for 20 years, and for 10 years must obtain biennial third-party assessments of its compliance with these rules.