The Federal Trade Commission charged Lookout Services Inc. and Ceridian Corporation with failing to keep their clients' data secure, after breaches at the firms compromised sensitive information, including Social Security numbers, of almost 65,000 people, the agency announced yesterday in a statement. Both companies have settled.
The FTC's complaint against Lookout Services, a software company that helps employers comply with federal immigration laws, pointed to language about data protection on the company's Website that was alleged to be inconsistent with the company's actual practices. In other words, the security the company promised its customers did not match the security it actually delivered.
In particular, the FTC said Lookout:
- failed to implement reasonable policies and procedures for the security of sensitive consumer information;
- failed to establish or enforce rules sufficient to make user credentials (i.e., user ID and password) hard to guess;
- failed to require periodic changes of user credentials;
- failed to suspend user credentials after a certain number of unsuccessful login attempts;
- did not adequately assess and address the vulnerability of Lookout's Web application to widely known security flaws;
- allowed users to bypass the authentication procedures on Lookout's Website when they typed in a specific URL;
- failed to employ sufficient measures to detect and prevent unauthorized access to computer networks, such as by employing an intrusion detection system and monitoring system logs; and
- created an unnecessary risk to personal information by storing passwords used to access the I-9 database in clear text.
Taken together, the FTC alleged, these practices meant the company “failed to provide reasonable and appropriate security for personal information on Lookout's networks,” the agency said in its complaint.
In the complaint against Ceridian, a payroll service provider, the FTC found a discrepancy between the language on the company's Website about protecting clients' personal information and “a number of practices that, taken together, failed to provide reasonable and appropriate security for the personal information it collected and maintained.”
In particular, the FTC said Ceridian:
- stored personal information in clear, readable text;
- created unnecessary risks to personal information by storing it indefinitely on its network without a business need;
- did not adequately assess the vulnerability of its web applications and network to commonly known or reasonably foreseeable attacks, such as ‘Structured Query Language’ (SQL) injection attacks;
- did not implement readily available, free or low-cost defenses to such attacks; and
- failed to employ reasonable measures to detect and prevent unauthorized access to personal information.
“In truth and in fact, respondent did not implement reasonable and appropriate measures to protect personal information against unauthorized access,” the agency said in its complaint against Ceridian. Therefore, the “representations” about data security on its site “were, and are, false or misleading,” according to the document.
The FTC is expected to publish the consent agreements in the Federal Register soon. Lookout's proposed consent agreement is already on the agency's Website. The agency is accepting public comment on both agreements through June 2. Comments can be submitted at https://ftcpublic.commentworks.com/ftc/lookout and https://ftcpublic.commentworks.com/ftc/ceridian.