February 17, 2020


FTC Settles GLBA Enforcement Action Against TaxSlayer Stemming From 2015 Data Breach

The Federal Trade Commission (FTC) this week announced a consent order with TaxSlayer, LLC, an online tax preparation services provider, to settle claims that the company violated the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and Privacy Rule.

As part of the online tax preparation process, TaxSlayer customers are asked to provide a significant amount of sensitive personal information, including Social Security number, telephone number, address, income, marital status, family size, bank names, and bank accounts.

Between October and December 2015, attackers gained access to the account information of approximately 8,800 TaxSlayer customers, and an unknown number of fraudulent tax returns were subsequently filed using that information.

The FTC alleged that TaxSlayer violated the GLBA Safeguards Rule by failing to: develop a comprehensive written information security program (it had none until November 2015); conduct a risk assessment to identify reasonably foreseeable internal and external risks to the security of customer information; and implement information security safeguards that would help prevent a cyber attack. The FTC further claimed that TaxSlayer failed to implement adequate risk-based authentication measures, such as requiring consumers to choose strong passwords.

The FTC also alleged that TaxSlayer violated the GLBA Privacy Rule by failing to provide its customers with a clear and conspicuous initial privacy notice and by failing to deliver that notice in a way that ensured consumers actually received it.

In conjunction with announcing the TaxSlayer consent order, the FTC released a blog post containing “4 Gramm-Leach-Bliley tips to take from FTC’s TaxSlayer case.” In the post, the FTC advised companies to:

  • Assess whether the company is a “financial institution” subject to the GLBA;

  • Deliver GLBA privacy notices in a manner such that consumers can reasonably be expected to actually receive them (the FTC considers a link to a privacy policy on a company home page to be insufficient);

  • Use appropriate authentication procedures, which may include multi-factor authentication; and

  • Satisfy ongoing obligations under the GLBA Safeguards Rule by continuing to evaluate and adjust information security programs in light of changes to business operations, the results of monitoring or testing, or any other relevant factors.

Copyright © by Ballard Spahr LLP

About this Author

Edward McAndrew, Ballard Spahr, Philadelphia, Washington DC, Data Security, Privacy
Partner

Edward J. McAndrew is a counselor, investigator, and trial lawyer who helps clients navigate life in the digital world. He is the Co-Practice Leader of the firm's Privacy and Data Security Group.

Named a "Cybersecurity and Data Privacy Trailblazer" by The National Law Journal, Mr. McAndrew advises clients on cybersecurity, digital privacy, cyber-incident response, social media, online speech, defamation, commercial, employment, intellectual property, corporate governance, regulatory, and criminal matters. He also advises clients on cyber-based national security issues, as...

202-661-7696
Kim Phan, Ballard Spahr Law Firm, Washington DC, Business and Finance Law Attorney
Of Counsel

Kim Phan writes and speaks frequently about privacy and data security issues for a variety of industries, including consumer financial services, retail, hospitality, higher education, and utilities. Ms. Phan counsels clients on privacy and data security law in areas including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA), and other federal and state privacy and data security statutes and regulations. Her work in this area encompasses strategic planning and guidance for companies to incorporate privacy and data security considerations throughout product development, marketing, and implementation. Ms. Phan also assists companies with data breach prevention and response, including establishing effective data security programs prior to a breach and the assessment of breach response obligations following a breach.

Ms. Phan has also done extensive e-commerce and mobile counseling with clients, including adapting an augmented reality mobile game for a retail client, conducting online behavioral advertising assessments of websites in order to update and enhance website privacy policies, and establishing employee training on social media interactions with consumers.

202-661-2286
Zaven Sargsian, Ballard Spahr Law Firm, Salt Lake City, Real Estate, Commercial Litigation Attorney
Associate

Zaven A. Sargsian is an associate in the Commercial Litigation Group. Mr. Sargsian is a pro bono volunteer at the Street Law Clinic and Family Law Clinic.

Judicial Externships

Hon. David Nuffer, U.S. District Court for the District of Utah, 2012-2013

Hon. Stephen L. Roth, Utah Court of Appeals, 2012

801-531-3036