Wednesday, September 6, 2017

Tax prep service settles FTC charges of privacy and security violations

By J. Preston Carter, J.D., LL.M.

TaxSlayer, LLC, a Georgia-based online tax preparation service agreed to settle Federal Trade Commission charges that it violated the Gramm-Leach-Bliley Act financial privacy and security rules. The FTC alleged that TaxSlayer violated the Safeguards Rule (16 CFR Part 314), which requires financial institutions to protect the security, confidentiality, and integrity of customer information, and the Privacy Rule (12 CFR Part 1016), which requires financial institutions to deliver privacy notices to customers.

In its complaint, the FTC alleged that hackers gained access to nearly 9,000 TaxSlayer accounts between October 2015 and December 2015 and used the information they accessed to engage in tax identity theft, which allowed them to obtain tax refunds by filing fraudulent tax returns, according to the complaint.

Safeguards Rule violations. According to the FTC, TaxSlayer failed to: develop a written comprehensive security program until November 2015; conduct a risk assessment to identify reasonably foreseeable internal and external risks to security; implement information security safeguards that would help prevent a cyber attack; implement adequate risk-based authentication measures; and require consumers to choose strong passwords.

Privacy Rule violations. The FTC also alleged that the company violated the Privacy Rule by failing to provide its customers with a clear and conspicuous initial privacy notice and to deliver it in a way that ensured that customers received it.

Settlement. As part of the settlement with the FTC, the company is prohibited from violating the Privacy Rule and the Safeguards Rule for 20 years. Consistent with several past cases involving violations of Gramm-Leach-Bliley Act Rules, the company is required to obtain biennial third-party assessments of its compliance with these rules for 10 years.

"Tax preparation services are responsible for very sensitive information, so it’s critical they implement appropriate safeguards to protect that information," said Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection. "TaxSlayer didn’t have an adequate risk assessment plan, and hackers took over user accounts and committed identity theft."

Pahl added that the case "also demonstrates the importance of password protection. Hackers took advantage of people who re-used passwords from other sites, and the attack ended when TaxSlayer eventually required people to use multi-factor authentication."

For more information about financial privacy and cybersecurity, subscribe to the Banking and Finance Law Daily.