The Federal Trade Commission (FTC) recently issued a final order effectuating a consent agreement between the FTC and an online tax preparation service provider, settling allegations that the company violated federal rules on financial privacy and information security under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and Privacy Rule.
In its complaint, the FTC alleged that malicious hackers were able to gain full access to nearly 9,000 customer accounts at the company between October 2015 and December 2015. Using the information that they accessed, the hackers engaged in tax identity theft, resulting in an unknown number of fraudulent tax returns being filed. The FTC found that the company violated the GLBA Safeguards Rule, which requires financial institutions to implement safeguards to protect the security, confidentiality and integrity of customer information. The FTC also held that the company violated the GLBA Privacy Rule, which requires financial institutions to deliver privacy notices to customers.
In connection with the settlement, the company is prohibited from violating the Privacy Rule and the Safeguards Rule for 20 years. Further, the company is required to obtain biennial third-party assessments of its compliance with these rules for ten years.
A copy of the final order is available here.