Description

The operator of a Georgia-based online tax preparation service has agreed to settle Federal Trade Commission allegations that it violated federal rules on financial privacy and security.

In its complaint against TaxSlayer, LLC, the FTC alleged that malicious hackers were able to gain full access to nearly 9,000 TaxSlayer accounts between October 2015 and December 2015. The hackers used the information they accessed to engage in tax identity theft, which allowed them to obtain tax refunds by filing fraudulent tax returns, according to the complaint.

The FTC charged that TaxSlayer violated the Gramm-Leach-Bliley Acts Safeguards Rule, which requires financial institutions to implement safeguards to protect the security, confidentiality and integrity of customer information, and the Privacy Rule, which requires financial institutions to deliver privacy notices to customers.

Tax preparation services are responsible for very sensitive information, so its critical they implement appropriate safeguards to protect that information, said Tom Pahl, Acting Director of the FTCs Bureau of Consumer Protection. TaxSlayer didnt have an adequate risk assessment plan, and hackers took over user accounts and committed identity theft.

The FTC alleged that TaxSlayer violated the Safeguards Rule by failing to develop a written comprehensive security program until November 2015; to conduct a risk assessment to identify reasonably foreseeable internal and external risks to security; and to implement information security safeguards that would help prevent a cyberattack.

For example, TaxSlayer failed to implement adequate risk-based authentication measures that would have helped reduce the chances of an attack from hackers who had used stolen credentials to try to gain access to TaxSlayer customer accounts, according to the complaint. The FTC also alleged that the company did not require consumers to choose strong passwords, exposing customers to the risk that attackers could guess commonly used passwords to access their TaxSlayer accounts.

The FTC also alleged that the company violated the Privacy Rule by failing to provide its customers with a clear and conspicuous initial privacy notice and to deliver it in a way that ensured that customers received it.

This case also demonstrates the importance of password protection, said Pahl. Hackers took advantage of people who re-used passwords from other sites, and the attack ended when TaxSlayer eventually required people to use multi-factor authentication.

As part of the settlement with the FTC, the company is prohibited from violating the Privacy Rule and the Safeguards Rule of the Gramm-Leach-Bliley Act for 20 years. Consistent with several past cases involving violations of Gramm-Leach-Bliley Act Rules, the company is required for 10 years to obtain biennial third-party assessments of its compliance with these rules.

The Commission vote to issue the administrative complaint and to accept the consent agreement was 2-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through September 29, 2017, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically by following the instructions in the Invitation To Comment part of the Supplementary Information section.

NOTE: The Commission issues an administrative complaint when it has reason to believe that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $40,654.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook , follow us on Twitter , read our blogs and subscribe to press releases for the latest FTC news and resources.

Comments
Order by: 
Per page:
 
  • There are no comments yet
   Comment Record a video comment
 
 
 
     
Related Feed Entries
The timepiece displays the time by pulling its thermoelastic membrane into the cavities beneath the clock's face.Source: Wired - Emerging technologies News
Its worldbuilding is expansive and its detective is hard-boiledit's sci-fi noir turned up to 11.Source: Wired - Emerging technologies News
The Opportunity rover has been exploring Mars for 14 years. But that doesn't mean it can't put Curiosity's social media skills to shame. Source: Wired - Emerging technologies News
The most chilling aspect of that blockbuster Mueller indictment? The bureaucracy behind Russia's onslaught.Source: Wired - Emerging technologies News
The Department of Defense released two videos of so-called UFOs. Or did it?Source: Wired - Emerging technologies News
Rate
0 votes
Info
Michael Blair
Time is your GREATEST asset
29.08.2017 (29.08.2017)
10 Views
0 Subscribers
Recommend
Tags