FTC Settles GLBA Enforcement Action Against TaxSlayer Stemming From 2015 Data Breach

Ballard Spahr LLP
The Federal Trade Commission (FTC) this week announced a consent order with TaxSlayer, LLC, an online tax preparation services provider, to settle claims that the company violated the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and Privacy Rule.

As part of the online tax preparation process, TaxSlayer customers are asked to provide a significant amount of sensitive personal information, including Social Security number, telephone number, address, income, marital status, family size, bank names, and bank accounts.

Between October and December 2015, hackers were able to access account information for approximately 8,800 TaxSlayer customers, resulting in an unknown number of false tax returns being filed.

The FTC alleged that TaxSlayer violated the GLBA Safeguards Rule by failing to: develop a written comprehensive security program (until November 2015); conduct a risk assessment to identify reasonably foreseeable internal and external risks to security; and implement information security safeguards that would help prevent a cyber attack. The FTC further claimed that TaxSlayer failed to implement adequate risk-based authentication measures, such as requiring consumers to choose strong passwords.

The FTC also alleged that TaxSlayer violated the GLBA Privacy Rule by failing to provide its customers with a clear and conspicuous initial privacy notice and deliver the notice in a way that ensured the consumers received it.

In conjunction with announcing the TaxSlayer consent order, the FTC released a blog post containing “4 Gramm-Leach-Bliley tips to take from FTC’s TaxSlayer case.” In the post, the FTC advised companies to:

  • Assess whether a company is a “financial institution” subject to the GLBA;

  • Deliver GLBA privacy notices in a manner such that consumers can reasonably be expected to actually receive them (the FTC considers a link to a privacy policy on a company home page to be insufficient);

  • Use appropriate authentication procedures, which may include multi-factor authentication; and

  • Satisfy ongoing obligations under the GLBA Safeguards Rule by continuing to evaluate and adjust information security programs in light of changes to business operations, the results of monitoring or testing, or any other relevant factors.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
