The FTC recently issued a proposed consent order, finding that a California-based education technology provider violated the FTC Act because of its weak data security practices, exposing sensitive information about its employees and approximately 40 million customers through several data breaches. As part of the proposed consent order, the company, among other things, will be restricted in the types of data it can collect and retain, will be required to bolster its data security protocols, and must offer users multifactor authentication to secure their accounts.
The FTC stated that the multiple data breaches resulted from several poor data security practices, including (i) failing to use commercially reasonable security measures to protect data, such as not requiring employees to use multifactor authentication, allowing employees and contractors to share a single login to access databases, and failing to monitor its network for threats; (ii) storing personal data in a cloud storage database in plain text or with weak encryption; and (iii) failing to provide adequate security training to employees and contractors, and failing to implement a written security policy until last year. The FTC stated that these security failures resulted in the theft of employees’ medical and financial data, including direct deposit information. Similarly, customers’ names, email addresses, passwords, dates of birth, parents’ income range, sexual orientation, and disability information were stolen and subsequently found for sale online.
As part of the proposed settlement, the company will be required, among other things, to:
- Create and follow a data retention schedule for covered information;
- Provide a link on the company’s website that consumers can use to request access to or the deletion of their covered information;
- Offer and implement multifactor authentication methods for users;
- Notify impacted consumers that their information was exposed during a security breach;
- Mandate an information security program that includes several specific requirements enumerated by the FTC;
- Obtain initial and biennial information security assessments from a qualified, objective, independent third party; and
- Provide annual certifications to the FTC.
The FTC will publish the proposed consent order in the Federal Register, where it will be subject to public comment for 30 days, after which the Commission will decide whether to finalize the consent order.