The FTC recently announced a proposed settlement with a Utah-based technology company for alleged violations of the FTC Act, including failures to implement reasonable information security safeguards that led to a security breach. The company, which neither admitted nor denied the allegations in the FTC’s Complaint, provides “backend” operations systems and online distributor tools for the direct sales industry, with its primary clients operating in the multi-level marketing industry.
The FTC alleged numerous problems with the company’s safeguarding of client data, including its failures to (i) secure, inventory, and delete personal information it no longer needed; (ii) conduct code review of its software and testing of its network; (iii) detect malicious file uploads; (iv) adequately segment its network; and (v) implement cybersecurity safeguards to detect unusual activity on its network.
In the security breach, an external intruder exploited vulnerabilities in the company’s server and website, loaded malware, and took control of the company’s files and data. Undetected, external access to the company’s server occurred repeatedly over a two-year period, and permitted the intruder to access the personal information of approximately one million customers, including their names, physical and email addresses, telephone numbers, SSNs, passwords, and credit card information.
The terms of the proposed settlement require the company to cease collecting, selling, sharing, or storing personal information until it implements a comprehensive information security program. Additionally, under the terms of the settlement, the company must participate in third-party assessments of its security policies and procedures, submit annual certifications, and meet other reporting, monitoring, and recordkeeping requirements related to its information security programs.