The Federal Trade Commission (FTC) has entered final decisions and orders resolving separate administrative complaints previously announced in May 2011 alleging that Ceridian Corporation and Lookout Services, Inc. had each engaged in "unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act" by "fail[ing] to provide reasonable and appropriate security for the personal information" on individuals that each company collected and maintained.
Ceridian markets "Powerpay," a Web-based payroll processing system. The Ceridian complaint alleged that hackers were able to access the bank account numbers, Social Security numbers and dates of birth of at least 27,673 individuals because Ceridian:
- stored personal information as unencrypted, clear text on its network;
- retained the information indefinitely on its network "without a business need";
- failed to adequately assess the vulnerability of its network to commonly known or reasonably foreseeable attacks;
- failed to implement readily available free or low-cost defenses against attacks; and
- failed to employ reasonable measures to prevent unauthorized access to personal information stored on its network.
Lookout markets "I-9 Solution," a Web-based immigration status verification database. The Lookout complaint alleged that an employee of a Lookout customer was able to gain access to the personal information of more than 37,000 consumers because Lookout failed to implement reasonable policies and procedures to protect the security of sensitive consumer information it collected and maintained. Specifically, the FTC alleged that Lookout:
- failed to establish and enforce user credential rules (user ID and password combinations) that were hard to guess;
- failed to require customers and employees with access to sensitive personal information to periodically change their user credentials;
- failed to suspend user credentials after unsuccessful login attempts;
- failed to adequately assess and address the vulnerability of its Web application to widely known security flaws;
- allowed users to bypass the authentication procedures to gain access to secure webpages by typing in a specific URL;
- failed to employ reasonable measures to detect and prevent unauthorized access; and
- created unnecessary risks by storing passwords in unencrypted, clear text.
In each of the complaints, the FTC quoted assurances of data security recited in each company’s printed advertising materials and websites. The FTC alleged that the data security assurances advertised by each company constituted a "deceptive act or practice" and that failure to implement reasonable and appropriate measures to prevent unauthorized access to sensitive personal information constituted an "unfair act or practice," all in violation of Section 5(a) of the Federal Trade Commission Act [15 USC §45(a)]. Section 5(a) "empowers" the FTC "to prevent persons, partnerships, or corporations [subject to its jurisdiction] * * * from using * * * unfair or deceptive acts or practices in or affecting commerce."
On announcing the proceedings in May 2011, the FTC simultaneously entered into proposed consent agreements with both companies. The FTC has now entered its final decisions and orders against Ceridian and Lookout that require each company to establish and implement comprehensive data security programs and submit reports from third-party consultants, assessing both the nature of the security measures being taken and their effectiveness, to the FTC for the next 20 years.
It is important to note that the FTC adopted a very broad definition of what constitutes "personal information" in the final decisions and orders:
"Personal information" shall mean individually identifiable information from or about an individual consumer including, but not limited to: (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a telephone number; (e) a Social Security number; (f) a driver’s license number or other government-issued identification number; (g) a bank account, debit card, or credit card account number; (h) a persistent identifier, such as a customer number held in a "cookie" or processor serial number, that is combined with other available data that identifies an individual consumer; (i) a biometric record; or (j) any information that is combined with any of (a) through (i) above. For purposes of this provision, a "consumer" shall mean any person, including, but not limited to, any user of respondent’s services; any employee of respondent, or any individual seeking to become an employee, where "employee" shall mean an agent, servant, salesperson, associate, independent contractor, or other person directly or indirectly under the control of respondent.
Read together, the Ceridian and Lookout complaints prescribe a minimum standard for data security for companies subject to FTC jurisdiction. The FTC would require companies maintaining confidential "personal information" concerning their employees, customers or other individuals to:
- take affirmative steps to implement the company’s data security assurances given to customers, whether in printed materials or via the Internet, to protect sensitive, nonpublic personal information maintained on accessible computer networks;
- encrypt sensitive, nonpublic personal information concerning employees, customers or other individuals maintained on accessible computer networks;
- develop record-retention policies applicable to sensitive, nonpublic personal information maintained on accessible computer networks;
- prohibit the use of "weak" passwords such as "password," "123456," "qwerty" or the user’s own name;
- lock out users who use incorrect user ID and password combinations after as few as three attempts;
- require employees and customers who access sensitive, nonpublic personal information to change their passwords as frequently as every 90 days; and
- log all successful and unsuccessful attempts to access sensitive, nonpublic personal information.
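As an added illustration, not part of the article or of either company's systems, the credential-related items in the list above rendered as one small account-handling routine: the denylist, the three-attempt lockout and the 90-day password age are taken from the list, salted PBKDF2 hashing stands in for the "no clear-text passwords" point, and every login outcome is appended to an audit log. Function names, the in-memory account record and the PBKDF2 iteration count are assumptions of this example.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Policy values taken from the article's list of minimum controls.
WEAK_PASSWORDS = {"password", "123456", "qwerty"}
MAX_FAILED_ATTEMPTS = 3            # lock out after as few as three attempts
MAX_PASSWORD_AGE_SECONDS = 90 * 86400  # rotate as frequently as every 90 days
PBKDF2_ITERATIONS = 100_000        # assumed work factor for this example

AUDIT_LOG = []  # (timestamp, user_id, outcome) for every success and failure

@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    set_at: float   # epoch seconds when the password was last set
    failed: int = 0
    locked: bool = False

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so no clear-text password is ever stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def create_account(user_id: str, password: str, now: float) -> Account:
    # Reject the denylisted passwords and the user's own name.
    if password.lower() in WEAK_PASSWORDS or password.lower() == user_id.lower():
        raise ValueError("weak password rejected")
    salt = os.urandom(16)
    return Account(user_id, salt, _hash(password, salt), now)

def login(acct: Account, password: str, now: float) -> str:
    if acct.locked:
        AUDIT_LOG.append((now, acct.user_id, "rejected: locked"))
        return "locked"
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed = 0
        if now - acct.set_at > MAX_PASSWORD_AGE_SECONDS:
            AUDIT_LOG.append((now, acct.user_id, "success: password expired"))
            return "password_expired"   # correct credential, but rotation is due
        AUDIT_LOG.append((now, acct.user_id, "success"))
        return "ok"
    acct.failed += 1
    if acct.failed >= MAX_FAILED_ATTEMPTS:
        acct.locked = True             # suspend the credential, not just the session
    AUDIT_LOG.append((now, acct.user_id, "failure"))
    return "locked" if acct.locked else "failure"
```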
Federal laws provide limited protections for personal financial and health information stored on computer networks. These laws have had little effect on third parties intent on deliberately obtaining unauthorized access to that information. Importantly, federal law has not provided individuals whose financial or health information has been accessed by unauthorized hackers recourse against the owners and operators of the hacked computer networks and databases.
In recent years, most US states have enacted legislation requiring businesses that have suffered a breach of data security to provide notice to affected individuals and perhaps other protections as outlined in the specific statutory provisions. However, these state enactments are frequently notice statutes that alert individuals to the need to monitor for unauthorized attempts to use their compromised information, but provide for damages only in the instance when the business fails to provide the required notices.
The Ceridian and Lookout final decisions and orders may significantly alter the legal landscape in those states where state consumer protection laws provide individuals a private right of action for monetary damages for "unfair or deceptive trade practices." While the final decisions and orders (and the settlement agreements preceding them) contain the familiar disclaimer that they do not constitute an admission by the respective companies that the Federal Trade Commission Act has been violated as alleged, the FTC's actions will be cited for the assertion that data insecurity constitutes an unfair or deceptive trade practice. The Ceridian and Lookout proceedings raise the financial stakes for companies whose networks are hacked.