Wake Up Call For Businesses After FTC Hits TaxSlayer With 20-year ‘Privacy Probation’
© Ice Miller LLP
Subscriber Benefit
As a subscriber you can listen to articles at work, in the car, or while you work out. Subscribe NowMany business owners outside the traditional financial services sector see the "Gramm-Leach-Bliley Act" (GLBA or “the Act”)[1] and think: "Bank rule! Not me!" But keep reading… even if your company is not a bank, it may be subject to important GLBA provisions that require "financial institutions" to safeguard customers’ nonpublic personal information (NPI) and be transparent about their information-sharing practices. Failure to comply can result in harm to customers and significant Federal Trade Commission (FTC) enforcement, as online tax preparer TaxSlayer, LLC (TaxSlayer) recently learned.
For more information click here.
But first, are you covered? The FTC cautions that you may be subject to the GLBA and not know it.[2] Any business significantly engaged in "financial activities" is a GLBA "financial institution," and as a result, has defined data privacy and security responsibilities.[3] Because financial activities subject to the Act are broad in scope, many businesses that would not ordinarily think of themselves as a financial institution are surprised – if not shocked – to discover they qualify. Examples of nontraditional "financial institutions" include check-cashing services, mortgage brokers, payday lenders, and professional tax preparers, among others.[4]
There are many reasons to care whether your business is subject to the GLBA. However, given the unending proliferation of news-making data breaches, one of the most important is the need to comply with the Act’s Privacy Rule[5] and Safeguards Rule.[6] The Privacy Rule requires a financial institution to provide accurate, clear, and conspicuous notice of its privacy practices to all customers, and also to non-customer consumers from whom it collects and shares NPI.[7] It must also notify consumers of their right to opt-out of most disclosures of NPI to nonaffiliated third parties.[8] To comply with the Safeguards Rule, a financial institution must develop, implement, and maintain a comprehensive written information security program with administrative, physical, and technical safeguards to keep customer information safe and confidential.[9] Examples of "safeguards" include analyzing internal and external risks to data; evaluating existing security controls and implementing others as needed to reduce identified risks to a reasonable and acceptable level; training employees (including management); detecting, preventing, and responding to systems failures; and properly managing service providers.[10]
Failure to comply with the Privacy Rule and Safeguards Rule can mean significant fallout for your customers and your business. The FTC has embedded within the Safeguards Rule the concept of "substantial harm or inconvenience" to customers whose NPI is wrongfully accessed or used.[11] This, in turn, can lead to financial and reputational harm to the financial institution— not the least of which can result from FTC investigation and enforcement. Online tax preparation service TaxSlayer recently learned this the hard way.
According to the FTC’s complaint against TaxSlayer, hackers gained full access to nearly 9,000 customer accounts for a two-month period in 2015 and used the information they obtained to commit identity theft and file fraudulent tax returns. The Agency alleged TaxSlayer violated the Safeguards Rule by failing to do a number of things: develop a timely comprehensive security program, perform a risk assessment to identify vulnerabilities and threats to data security, and put safeguards in place to prevent cyberattacks. For example, the FTC claims TaxSlayer failed to implement appropriate authentication practices to reduce risk from stolen credentials, and did not require customers to use strong passwords to reduce the risk from wrongdoers guessing commonly-used or other weak passwords. The Agency also alleged TaxSlayer violated the Privacy Rule by failing to provide and deliver an appropriate privacy notice.
The FTC approved a settlement with TaxSlayer in early November. For the next 10 years, the Company must submit to independent biennial assessments of its administrative, physical, and technical data security safeguards. The FTC also imposed a 20-year moratorium on Privacy Rule and Safeguards Rule violations. In short: TaxSlayer is on "privacy probation"[12] for nearly a quarter century!
The FTC offers businesses four takeaways from this TaxSlayer case: (1) you may be covered by the GLBA and not know it; (2) you must deliver privacy notices such that consumers are reasonably likely to receive them; (3) you must employ strong authentication methods to keep wrongdoers out of your consumer data (such as two-factor authentication); and (4) you must rethink and revise your security management program in response to testing, monitoring, changed business conditions, and other factors affecting risk to data.[13]
Ice Miller has professionals with experience to help clients of all types assess their status and duties under the GLBA. We can help covered businesses implement policies, procedures, and practices to bolster GLBA compliance.
For more information, contact Kim Metzger, Stephen Reynolds, Matt Diaz or another member of our Data, Security and Privacy Team.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[1] Also known as the Financial Services Modernization Act of 1999, Public Law 106-102, 113 Stat. 1338 (enacted November 12, 1999).
[2] 4 Gramm-Leach-Bliley tips to take from FTC’s TaxSlayer case. Fed. Trade. Comm’n.
[3] 16 C.F.R. § 313.3(k)(1). For purposes of the GLBA, "financial activities" are defined in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Id.
[4] 16 C.F.R. § 313.3(k)(2).
[5] Privacy of Consumer Financial Information Rule, 16 C.F.R. Pt. 313.
[6] Standards for Safeguarding Customer Information, 16 C.F.R. Pt. 314.
[7] 16 C.F.R. § 313.4(a). Nonpublic personal information is "[p]ersonally identifiable financial information." (16 C.F.R. § 313.3(n)). It includes information a person gives you to obtain a financial product or service, information you get about a person from a transaction involving your financial product or service, and information you get about a person in connection with providing a financial product or service. How to Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, Fed. Trade. Comm’n.
[8] 16 C.F.R. §§ 313.6(a)(6), 313.10(a).
[9] 16 C.F.R. § 314.3.
[10] 16 C.F.R. § 314.4.
[11] 16 C.F.R. § 314.3(b)(3).
[12] Paul McNamara, FTC puts Google on 20 years of ‘privacy probation’, NetworkWorld (Mar. 30, 2011), click here.
[13] 4 Gramm-Leach-Bliley tips to take from FTC’s TaxSlayer case. Fed. Trade. Comm’n.