The operators of two websites have agreed to settle claims with the Federal Trade Commission relating to allegations that they failed to take reasonable steps to secure consumers’ data, which allowed hackers to breach both websites. The FTC issued a statement on both cases, which can be found here.
One case was filed against the operator of i-Dressup.com, a website that allows users of all ages to play dress-up games, design clothes, and decorate personal online spaces. In order for users to gain access to the website’s features, they were required to register as members and submit personal information. If a user indicated he or she was under the age of 13 years, the registration field asked for a parent’s email address, and the website sent an email notice to the parental email address entered. Parents could either provide consent or decline to provide consent. If parents declined, the under-13-year-old users were provided a “Safe Mode” membership.

The Department of Justice—on behalf of the FTC—alleged that i-Dressup.com violated the Children’s Online Privacy Protection Act (“COPPA”) by failing to obtain parental consent before collecting personal information from children under 13 and by failing to provide reasonable security for the data that i-Dressup collected. The FTC alleged that, even when the site was operated in Safe Mode, i-Dressup still collected personal information from children without parental consent.

In addition to the parental consent violations, the FTC alleged that i-Dressup and its operators failed to comply with COPPA’s requirement to keep the data it collected secure. Specifically, the FTC alleged that i-Dressup stored and transmitted its users’ personal information in plain text and failed to perform vulnerability testing of its network, implement an intrusion detection and prevention system, or monitor for potential security incidents. The FTC claimed that these deficiencies led to i-Dressup’s subsequent data incident.
As part of the proposed settlement with the FTC, i-Dressup and its owners have agreed to pay $35,000 in civil penalties. In addition, they are barred from selling, sharing, or collecting any personal information until they implement a comprehensive data security program to protect their users’ information. The settlement also requires that i-Dressup obtain independent biennial assessments and provide an annual certification of compliance to the FTC.
The other case was filed against the operator of the online rewards website ClixSense.com, a website that pays users to view advertisements, perform online tasks, and complete surveys. ClixSense collects the personal information of consumers who use the site. The FTC alleged that the website’s inadequate security allowed hackers to gain access to consumers’ sensitive information through the company’s network. The FTC asserted that the website’s operator deceived consumers by falsely claiming that ClixSense “utilizes the latest security and encryption techniques to ensure the security of your account information.” The FTC further alleged that ClixSense failed to implement minimal data security measures; failed to implement readily available measures to limit access between computers on ClixSense’s network; failed to change default login and password credentials for third-party company network resources; and maintained consumers’ personal information, including consumers’ names, dates of birth, answers to security questions, login and password credentials, and Social Security Numbers, in clear text.
As part of the proposed settlement, ClixSense’s operator is required, for any company he controls, to implement a comprehensive information security program that protects the privacy, security, confidentiality, or integrity of the personal information it collects. The settlement also requires that ClixSense obtain independent biennial assessments and provide an annual certification of compliance to the FTC.