On May 3, 2011, the Federal Trade Commission announced that it had reached settlements with Ceridian Corporation and Lookout Services, Inc. after alleging both companies had misrepresented the extent of their data security practices and subsequently failed to safeguard their customers’ information. According to the FTC’s press release, the settlements “are part of the FTC’s ongoing efforts to ensure that companies secure the sensitive consumer information they maintain.”
The FTC’s complaint against Ceridian noted that Ceridian’s customers enter their employees’ personal information on its payroll website. In providing this service, Ceridian stated its data protection would match “industry best practices and federal, state and local regulatory requirements.” Despite this and other similar representations, the FTC alleged that Ceridian “stored personal information in clear, readable text indefinitely on its network without a business need” and “failed to employ reasonable measures to detect and prevent unauthorized access to personal information.” The FTC claimed that as a result, in December 2009, computer hackers were able to misappropriate the direct deposit information and Social Security numbers of roughly 28,000 employees of Ceridian’s customers.
Lookout, which assists employers in verifying their employees’ legal eligibility to work in the United States, claimed its internal protocols would “protect [its customers’] data from interception” and keep the “data reasonably secure from unauthorized access.” The FTC alleged in its complaint, however, that Lookout employed rudimentary data protection techniques and “allowed users to bypass the authentication procedures on Lookout’s website when they typed in a specific URL.” According to the FTC, an employee of one of Lookout’s customers was able to exploit these vulnerabilities “to gain access to the personal information of over 37,000 consumers” in October 2009 and December 2009.
As part of the consent orders, the FTC will prohibit both Ceridian and Lookout from making misleading claims regarding their privacy practices. In addition, each company must establish and maintain a “comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers,” and obtain “initial and biennial assessments” of the security program for 20 years.