Two recent settlements with companies that the FTC alleged failed to protect employees’ and business customers’ sensitive information highlight the FTC’s ongoing efforts to ensure that entities reasonably and appropriately protect sensitive information. According to the FTC, the entities involved in the recent settlement agreements claimed that they could provide other businesses with methods to protect and secure employees’ sensitive information.
For example, one of the entities—Ceridian Corporation—claimed that its security programs provided “Worry-free Safety and Reliability” and were designed in accordance with industry standards and best practices, and federal, state, and local requirements. Despite these promises, however, the FTC alleged that Ceridian did not adequately protect information from reasonably foreseeable attacks and stored personal information in an unsecured, unencrypted manner without a legitimate business need. According to the FTC, these lapses led to a security breach that compromised the information of approximately 28,000 employees of Ceridian’s business customers.
The other entity, Lookout Service, Inc., claimed that its security systems would keep data “reasonably secure from unauthorized access,” but did not take adequate measures to provide the promised security. The FTC’s complaint alleged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. Lookout experienced a data breach affecting the sensitive data, including Social Security numbers, of approximately 37,000 consumers.
The settlements require the companies to enact comprehensive information security programs and to obtain independent audits of the programs every other year for 20 years.