FTC settles with two firms over data breaches affecting 65,000 people

The FTC alleged that, despite claims by the companies that they maintained adequate data security, they in fact maintained large amounts of sensitive information about the employees of business customers, including social security numbers, and failed to employ reasonable and appropriate security measures to protect the data. This led to data breaches at both companies, the FTC said.

As part of the settlements, the FTC is requiring that Ceridian, a human resources firm, and Lookout Services, an immigration law services firm, implement information security programs and conduct independent security audits every other year for 20 years. The settlement orders also bar the companies from misrepresenting the privacy, confidentiality, or integrity of personal information collected from or about consumers.

The FTC alleged that Ceridian “did not adequately protect its network from reasonably foreseeable attacks and stored personal information in clear, readable text indefinitely on its network without a business need.” These security lapses allowed a hacker to breach one of Ceridian’s web-based payroll processing applications in December 2009 and to compromise the personal data – including social security numbers and direct deposit information – of 28,000 employees of Ceridian’s small business customers.

Regarding Lookout Services, the FTC charged that the company failed to provide adequate data security, allowing unauthorized access to sensitive employee information without the need to enter a username or password, by simply typing a URL into a web browser.

In addition, the FTC complaint said that Lookout “failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training.” As a result, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the social security numbers of about 37,000 consumers.
