The U.S. Federal Trade Commission will require two companies — one providing payroll and human resources services and another providing immigration law compliance services — to undergo independent security audits for 20 years after data breaches exposed the personal information of 65,000 employees of the two companies’ business partners.
The FTC, in proposed settlements announced Tuesday, will require payroll and HR firm Ceridian and immigration law services firm Lookout Services to implement comprehensive information security programs and to obtain independent security audits every other year for 20 years.
Both companies promised their business customers they took reasonable measures to protect the data they maintained, but during recent data breaches, thieves were able to gain access to personal records, including Social Security numbers, the FTC said in a press release.
Neither company responded immediately to requests for comments on the proposed settlements.
Ceridian, a provider to businesses of payroll and other human resource services, promised that it maintained “worry-free safety and reliability,” the FTC said. The company also said it maintained a comprehensive security program using “industry best practices.”
But the company, based in Minneapolis did not adequately protect its network from reasonably foreseeable attacks, and it stored personal information in clear, readable text on its network, the FTC said. The company failed to take “readily available, free or low-cost defenses” against SQL injection attacks, the FTC said in its complaint against the company.
In December 2009, an intruder breached one of Ceridian’s Web-based payroll processing applications. The personal information, including Social Security numbers and direct deposit information, of nearly 28,000 employees of Ceridian’s small-business customers was compromised in the attack, the FTC said.
The second company, Lookout Services of Bellaire, Texas, markets a product that allows businesses to comply with federal immigration laws. The product stores employee information including names, addresses, dates of birth and Social Security numbers.
Lookout promised that its system kept data reasonably secure, but unauthorized access to sensitive employee information could allegedly be gained without the need for a user name or password, the FTC said. Since 2006, Lookout said in promotional materials: “Our servers are continuously monitoring attempted network attacks on a 24 x 7 basis, using sophisticated software tools.”
But Lookout did not employ intrusion detection system until October 2009 and did not adequately monitor logs until December 2009, the FTC said in its complaint against the company.
In October and December 2009, an employee of a Lookout customer was able to gain access to the product’s database by typing a URL into a Web browser, the FTC said in its complaint. The intruder was able to gain access to personal information, including Social Security numbers, of about 37,000 consumers, the FTC said.
Lookout also failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training, the FTC alleged.
The settlements orders bar the companies from making misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected about consumers. The proposed settlements are open to public comment until June 2.
In March, FTC proposed a similar settlement in response to Google exposing personal information of Gmail users when it rolled out its Buzz social-networking service.