FTC Settles GLBA Enforcement Action Against TaxSlayer Stemming From 2015 Data Breach
The Federal Trade Commission (FTC) this week announced a consent order with TaxSlayer, LLC, an online tax preparation services provider, to settle claims that the company violated the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and Privacy Rule.
As part of the online tax preparation process, TaxSlayer customers are asked to provide a significant amount of sensitive personal information, including Social Security number, telephone number, address, income, marital status, family size, bank names, and bank accounts.
Between October and December 2015, hackers were able to access account information for approximately 8,800 TaxSlayer customers, resulting in an unknown number of false tax returns being filed.
The FTC alleged that TaxSlayer violated the GLBA Safeguards Rule by failing to: develop a written comprehensive security program (until November 2015); conduct a risk assessment to identify reasonably foreseeable internal and external risks to security; and implement information security safeguards that would help prevent a cyber attack. The FTC further claimed that TaxSlayer failed to implement adequate risk-based authentication measures, such as requiring consumers to choose strong passwords.
The FTC also alleged that TaxSlayer violated the GLBA Privacy Rule by failing to provide its customers with a clear and conspicuous initial privacy notice and deliver the notice in a way that ensured the consumers received it.
In conjunction with announcing the TaxSlayer consent order, the FTC released a blog post containing “4 Gramm-Leach-Bliley tips to take from FTC’s TaxSlayer case.” In the post, the FTC advised companies to:
Assess whether a company is a “financial institution” subject to the GLBA;
Use appropriate authentication procedures, which may include multi-factor authentication; and
Satisfy ongoing obligations under the GLBA Safeguards Rule by continuing to evaluate and adjust information security programs in light of changes to business operations, the results of monitoring or testing, or any other relevant factors.