If you or your clients are in the tax preparation field, there are three letters you should focus on. OK, I-R-S may be the first thing on your mind. But as the FTC’s proposed settlement with TaxSlayer suggests, don’t forget those other important letters: G-L-B.
Under the Gramm-Leach-Bliley Act, “financial institutions” – more on what that means in a moment – must comply with the Privacy Rule and the Safeguards Rule. The Privacy Rule requires covered companies to provide notices to consumers that explain their privacy policies and practices. (The Privacy Rule has been around since 2001. In the wake of the Dodd-Frank Act, the Consumer Financial Protection Bureau became responsible for implementing the Rule. In 2014 the CFPB put its version in place, called Reg P.)
The Safeguards Rule mandates that financial institutions protect the security, confidentiality, and integrity of customer information by implementing and maintaining a comprehensive written information security program. A cut-and-paste job won’t do. The program has to include administrative, technical, and physical safeguards appropriate to the business’ size, the nature and scope of its activities, and the sensitivity of the customer information at issue. For example, companies have to conduct an assessment of how customers’ information could be at risk and then implement safeguards to address those risks.
Now back to what the FTC says TaxSlayer did – and didn’t do – that violated the Rules. TaxSlayer offers consumers tax preparation and filing services that are both web-based and available through the company’s app. Of course, to file a tax return, consumers have to input pretty much everything other than their blood type and favorite flavor of ice cream. We’re talking name, Social Security number, phone number, address, income, marital status, spouse, kids, debts, health insurance, bank names, account numbers, etc.
For a two-month period in 2015, TaxSlayer was subject to a list validation attack, which allowed remote attackers to access the accounts for about 8,800 TaxSlayer users. (A list validation attack, also known as credential stuffing, is where hackers steal login credentials from one site and then – banking on the fact that some consumers use the same password on multiple sites – use them to access accounts on other popular sites.) In an unknown number of cases, criminals used the data to commit tax identity theft. They filed fake returns with altered routing numbers and pocketed refunds they weren’t owed. And what a mess that left for victimized consumers. Long delays in getting their rightful refunds, freezes or holds on their credit, and endless hours trying to unscramble the ID theft egg.
In the proposed complaint, the FTC alleges that TaxSlayer violated the Privacy Rule and Reg P by failing to give customers the privacy notices they were due. What’s more, TaxSlayer violated the Safeguards Rule by failing to have a written information security program, failing to conduct the necessary risk assessment, and failing to put safeguards in place to control those risks – specifically, the risk that remote attackers would use stolen credentials to take over consumers’ TaxSlayer accounts and commit tax identity theft.
Tracking the settlements in several other GLB cases, TaxSlayer must comply with the rules and will be subject to every-other-year independent assessments for the next decade. You can file a comment about the proposed settlement by September 29, 2017.
What does the TaxSlayer case mean for other companies?
- You or your clients may be covered by GLB and not even know it. GLB’s definition of “financial institution” is broader than a lot of businesses think. Sure, it covers companies with vaults, tellers, and chained ballpoint pens that rarely work. But if you have clients in the tax planning or tax prep business, chances are they’re covered by the Gramm-Leach-Bliley Act, too. What steps have you taken to help them comply?
- Use appropriate authentication procedures. The Safeguards Rule includes concrete guidance about crafting your information security program and the FTC’s complaint outlines instances where TaxSlayer’s authentication practices allegedly fell short. According to the FTC, the credential stuffing attack on TaxSlayer ended when the company implemented multi-factor authentication – requiring users to type in their usernames and passwords and then to authenticate their device by entering a code the company sent to their email or phone. Have your clients considered the security advantages of multi-factor authentication?
- The Safeguards Rule doesn’t build in any laurel-resting time. Once covered companies have a written information security program in place, the Safeguards Rule includes ongoing obligations. For example, companies must evaluate and adjust their programs in light of changes to their business operations, the results of monitoring or testing, and other relevant factors. Your company or your clients may have put safeguards in place back in 2003 when GLB was the new kid on the block. But what have they done recently to keep their program current?
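As an added, defender-side illustration (not from the FTC post, the complaint, or TaxSlayer), the heuristic below flags login sources that fit the list-validation pattern described above: one source trying many distinct usernames in a short window with mostly failed attempts. The log format, thresholds, IP addresses, and sample lines are all constructed assumptions.

```python
# Heuristic for spotting a list-validation (credential-stuffing) attack in login
# logs: one source IP tries many *distinct* usernames in a short window and most
# attempts fail. A real user mistyping a password hits one account; a stuffing
# tool replays a stolen credential list across many accounts.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines ("timestamp ip username RESULT"); not real data.
SAMPLE_LOG = """\
2015-11-02T08:00:01Z 198.51.100.7 alice FAIL
2015-11-02T08:00:02Z 198.51.100.7 bob FAIL
2015-11-02T08:00:02Z 198.51.100.7 carol OK
2015-11-02T08:00:03Z 198.51.100.7 dave FAIL
2015-11-02T08:00:04Z 198.51.100.7 erin FAIL
2015-11-02T08:00:05Z 198.51.100.7 frank FAIL
2015-11-02T08:05:00Z 203.0.113.9 alice FAIL
2015-11-02T08:05:20Z 203.0.113.9 alice FAIL
2015-11-02T08:05:45Z 203.0.113.9 alice OK
"""

def parse(log_text):
    """Yield (timestamp, ip, user, succeeded) tuples from the log lines."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"

def find_stuffing_sources(log_text, window=timedelta(minutes=10),
                          min_users=5, max_success_ratio=0.5):
    """Return {ip: {"users": n, "successes": k}} for IPs whose sliding `window`
    holds >= min_users distinct usernames with a success ratio <= max_success_ratio."""
    events = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Drop events older than `window` relative to the newest event.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(ok for _, _, ok in chunk)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["users"]:
                    flagged[ip] = {"users": len(users), "successes": successes}
    return flagged
```

The single user retrying from 203.0.113.9 is not flagged; the source spraying six accounts is. A hit like this is a trigger for the step the post credits with ending the attack: requiring a second factor before the session is granted.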