On January 6, 2020, the Federal Trade Commission announced that it granted final approval to a settlement with InfoTrax Systems, L.C. and its former CEO, Mark Rawlins, related to allegations that InfoTrax failed to implement reasonable, low-cost and readily available security safeguards to protect the personal information the company maintained on behalf of its business clients.
Specifically, the FTC alleged that InfoTrax engaged in a number of unreasonable data security practices, including:
- failing to have a systematic process in place for inventorying and deleting consumers’ personal information that is no longer necessary;
- failing to implement safeguards to detect anomalous activity and/or cybersecurity events (e.g., failing to implement an intrusion prevention or detection system or use file integrity monitoring and data loss prevention tools, etc.); and
- storing consumer personal information, including sensitive personal information, in clear, readable text on the InfoTrax network.
According to the FTC complaint, InfoTrax’s alleged failure to put in place reasonable safeguards allowed a hacker to infiltrate its server and other websites maintained by the company on behalf of its clients more than 20 times from May 2014 until March 2016 and access the personal information of more than a million consumers, including Social Security numbers.
The Commission voted unanimously (5-0) to finalize the settlement order with InfoTrax and Rawlins. Among other requirements, such as recordkeeping and compliance monitoring, the FTC settlement order:
- prohibits InfoTrax from collecting, selling, sharing or storing personal information unless an information security program is implemented;
- requires InfoTrax to obtain third-party assessments of InfoTrax’s information security program every two years;
- requires InfoTrax to provide annual certifications to the FTC that the company has established, implemented and maintained the requirements of the settlement, that the company is not aware of any material noncompliance that has not been corrected or disclosed to the FTC, and that includes a brief description of any notifiable security incident involving personal information collected or received by InfoTrax that was, or is reasonably believed to have been accessed or acquired without authorization (“Covered Incident”); and
- requires InfoTrax to submit to the FTC Covered Incident reports detailing certain information within 10 days after the company notifies any U.S. federal, state or local government entity of the Covered Incident.