Companies Settle Charges They Failed To Protect Consumer Data

The Federal Trade Commission settled two cases involving companies that failed to protect consumers' personal information, the agency announced Thursday.


Ceridian Corp. and Lookout Services Inc. had claimed they would take "reasonable measures to secure the consumer data they maintained" on nearly 65,000 employees but both failed to do so - a violation of federal law, according to charges brought by the FTC.

The companies kept large amounts of sensitive information about the employees of their business customers - including Social Security numbers.

Flaws were exposed when security breaches at both companies put the personal information of thousands of consumers at risk. The FTC challenged the companies' security practices as unfair and deceptive.

According to the FTC’s complaint against Ceridian, a provider to businesses of payroll and other human resource services, the company claimed that it kept "Worry-free Safety and Reliability . . . Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements."

However, the complaint alleged that Ceridian’s security did not adequately protect its network from reasonably foreseeable attacks and that the company stored personal information in clear, readable text indefinitely on its network without a business need.

These security lapses enabled an intruder to breach one of Ceridian’s web-based payroll processing applications in December 2009, and compromise the personal information – including Social Security numbers and direct deposit information – of approximately 28,000 employees of Ceridian’s small business customers.

Lookout Services markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security numbers.

According to the FTC’s complaint against Lookout, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a browser. The complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords and failed to provide adequate employee training.

As a result of these and other failures, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers for an estimated 37,000 consumers.

The settlement orders bar misrepresentations, including misleading claims about the privacy, confidentiality or integrity of any personal information collected from or about consumers. They require the companies to implement a comprehensive information security program and to obtain independent, third-party security audits every other year for 20 years.

To comment, contact Darren Waggoner at 815.463.9008 or darren.waggoner@sourcemedia.com.

