On November 8, the Federal Trade Commission announced that it had approved a final order settling claims arising out of a data breach at Georgia-based tax preparation firm TaxSlayer, LLC.

In late 2015, hackers hit TaxSlayer with a “list validation” or “credential stuffing” attack.  With that type of attack, hackers attempt to use login credentials stolen from one site to access accounts on another site.  List-validation attacks are effective because consumers often use the same login credentials on multiple sites.  Indeed, the hackers who hit TaxSlayer were able to access the accounts of almost 9,000 of TaxSlayer’s customers.  They then used the data they accessed to commit tax identity fraud – filing fake tax returns with altered bank routing numbers and pocketing consumers’ refunds.

The FTC’s Complaint

In its complaint, the FTC alleged that TaxSlayer violated three rules based on the Gramm-Leach-Bliley Act—the Privacy Rule, Regulation P, and the Safeguards Rule.

The Privacy Rule, which was promulgated by the FTC, and Regulation P, which was promulgated by the CFPB, are two iterations of the same underlying rule.  They require financial institutions to provide consumers with an initial privacy notice, followed by annual privacy notices.  Under these rules, a financial institution must provide consumers with a “clear and conspicuous” notice that “accurately reflects [its] privacy policies and practices.”  Additionally, the financial institution must provide the notice to consumers in a manner such that the consumer “can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.”

According to the FTC, TaxSlayer violated the Privacy Rule and Regulation P in two ways:  (1) by allegedly failing to provide a clear and conspicuous notice, because TaxSlayer placed its Privacy Policy “towards the end of a long License Agreement,” such that the notice “did not convey the importance, nature, and relevance” of the Privacy Policy to consumers; and (2) by allegedly failing to provide the notice in a manner such that consumers could reasonably be expected to receive it, because TaxSlayer “did not require customers to acknowledge receipt of the initial notice as a necessary step to obtaining a particular financial product or service.”

The Safeguards Rule, which was promulgated by the FTC, requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing, implementing, and maintaining a comprehensive information security program.  The information security program must be written in one or more readily accessible parts.  It must also contain administrative, technical, and physical safeguards that are appropriate to the financial institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it stores.

According to the FTC, TaxSlayer violated the Safeguards Rule in three ways:  (1) by failing to have a written information security program until November 2015; (2) by failing to conduct a risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; and (3) by failing to implement information safeguards to control the risks to customer information from inadequate authentication (like list-validation attacks).
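The list-validation pattern described above, and the authentication safeguard the complaint says was missing, can be made concrete with a small detector. The following is an added example, not from the FTC filing or TaxSlayer's systems: it parses constructed login events and flags any source that tries many distinct usernames in a short window with mostly failures, which is what a replayed credential list looks like from the defender's side. The thresholds and log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (not real logs): "timestamp source_ip username result"
SAMPLE_LOG = """\
2015-12-01T02:00:01 203.0.113.7 alice FAIL
2015-12-01T02:00:02 203.0.113.7 bob FAIL
2015-12-01T02:00:02 203.0.113.7 carol OK
2015-12-01T02:00:03 203.0.113.7 dave FAIL
2015-12-01T02:00:04 203.0.113.7 erin FAIL
2015-12-01T02:00:05 203.0.113.7 frank OK
2015-12-01T02:00:06 203.0.113.7 grace FAIL
2015-12-01T02:00:07 203.0.113.7 heidi FAIL
2015-12-01T02:00:08 203.0.113.7 ivan FAIL
2015-12-01T02:00:09 203.0.113.7 judy FAIL
2015-12-01T08:15:00 198.51.100.4 alice FAIL
2015-12-01T08:15:20 198.51.100.4 alice FAIL
2015-12-01T08:15:41 198.51.100.4 alice OK
2015-12-01T09:00:00 192.0.2.9 mallory OK
"""

def parse(log_text):
    """Turn one event per line into (timestamp, source_ip, username, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=8, min_fail_ratio=0.5):
    """Flag source IPs that, inside a sliding time window, attempt many DISTINCT
    usernames with a high failure rate. One user retrying a mistyped password
    touches one account; a list being replayed touches many. (Thresholds assumed.)"""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window forward
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                # Successful logins inside a flagged window are the accounts whose
                # reused passwords were validated; they need forced reset and review.
                alerts[ip] = {"distinct_users": len(users),
                              "fail_ratio": round(fails / len(chunk), 2),
                              "validated_accounts": sorted({e[2] for e in chunk if e[3] == "OK"})}
    return alerts
```

Running `detect_credential_stuffing(parse(SAMPLE_LOG))` flags only 203.0.113.7; the single-account retries from 198.51.100.4 are left alone, which is the distinction a per-account lockout rule misses.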

The Settlement

As part of the settlement with the FTC, TaxSlayer agreed to not violate the Privacy Rule, Regulation P, or the Safeguards Rule for twenty years; agreed to have a third party audit its compliance program at least once every two years for the next ten years; and agreed to provide the FTC with compliance-monitoring submissions for the next twenty years.

The FTC’s press release is available here.

The TaxSlayer case and settlement underscore how important it is for companies to regularly review their privacy policies and notices, to adopt and implement information security policies and safeguards, and to critically assess information security risks.