FTC Settles GLBA Enforcement Action Against TaxSlayer Stemming From 2015 Data Breach
Friday, September 1, 2017
data privacy, FTC, GLBA

Related Practices & Jurisdictions
Print Mail Download i

The Federal Trade Commission (FTC) this week announced a consent order with TaxSlayer, LLC, an online tax preparation services provider, to settle claims that the company violated the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and Privacy Rule.

As part of the online tax preparation process, TaxSlayer customers are asked to provide a significant amount of sensitive personal information, including Social Security number, telephone number, address, income, marital status, family size, bank names, and bank accounts.

Between October and December 2015, hackers were able to access account information for approximately 8,800 TaxSlayer customers, resulting in an unknown number of false tax returns being filed.

The FTC alleged that TaxSlayer violated the GLBA Safeguards Rule by failing to: develop a written comprehensive security program (until November 2015); conduct a risk assessment to identify reasonably foreseeable internal and external risks to security; and implement information security safeguards that would help prevent a cyber attack. The FTC further claimed that TaxSlayer failed to implement adequate risk-based authentication measures, such as requiring consumers to choose strong passwords.

The FTC also alleged that TaxSlayer violated the GLBA Privacy Rule by failing to provide its customers with a clear and conspicuous initial privacy notice and deliver the notice in a way that ensured the consumers received it.

In conjunction with announcing the TaxSlayer consent order, the FTC released a blog post containing “4 Gramm-Leach-Bliley tips to take from FTC’s TaxSlayer case.” In the post, the FTC advised companies to:

  • Assess whether a company is a “financial institution” subject to the GLBA;

  • Deliver GLBA privacy notices in a manner that consumers are reasonably expected to actually receive it (the FTC considers a link to a privacy policy on a company home page to be insufficient);

  • Use appropriate authentication procedures, which may include multi-factor authentication; and

  • Satisfy ongoing obligations under the GLBA Safeguards Rule by continuing to evaluate and adjust information security programs in light of changes to business operations, the results of monitoring or testing, or any other relevant factors.

Copyright © by Ballard Spahr LLP

Current Legal Analysis

More from Ballard Spahr LLP

FinCEN Deputy Director Stresses Technological Innovation, Virtual Currency Enforcement and the U.S. Culture of Compliance
by: Brian N. Kearney
The EU’s Efforts to Combat Money Laundering, the Financing of Terrorism and Corruption Seem to Overlook a Very American Approach: Prosecute People
by: Peter D. Hardy , Mary Treanor
California Legislature Adopts Five Amendments to CCPA, But Largely Rejects Industry Efforts
by: Gregory Szewczyk
Should the Financial Industry Be Detecting Future Mass Shooters?
by: Peter D. Hardy , Mary Treanor
Trump Administration to Discharge the Federal Student Loan Debt of Totally and Permanently Disabled Veterans
by: Stacy H. Rubin
FinCEN Advisory Highlights Money Laundering Risks Related to Fentanyl Trafficking
by: Terence M. Grugan
CFPB’s First Remittance Transfer Rule Enforcement Action
by: Bowen "Bo" Ranney , James Kim
FinCEN Announces New “Global Investigations Division” Focused on Foreign Money Laundering Threats
by: Peter D. Hardy
DOL Seeks to Improve Employers’ FMLA Forms
by: Brian D. Pedrow , David S. Fryman
The Federal Reserve’s Entry into Real-Time Payments
by: Christopher D. Ford , Judy Mok

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins