Washington, DC - If you or your clients are in the tax preparation field, there are three letters you should focus on. OK, I-R-S may be the first thing on your mind. But as the FTC’s proposed settlement with TaxSlayer suggests, don’t forget those other important letters: G-L-B.
Under the Gramm-Leach-Bliley Act, “financial institutions” – more on what that means in a moment – must comply with the Privacy Rule and the Safeguards Rule. The Privacy Rule requires covered companies to provide notices to consumers that explain their privacy policies and practices. (The Privacy Rule has been around since 2001. In the wake of the Dodd-Frank Act, the Consumer Financial Protection Bureau became responsible for implementing the Rule. In 2014 the CFPB put its version in place, called Reg P.)
The Safeguards Rule mandates that financial institutions protect the security, confidentiality, and integrity of customer information by implementing and maintaining a comprehensive written information security program. A cut-and-paste job won’t do. The program has to include administrative, technical, and physical safeguards appropriate to the business’s size, the nature and scope of its activities, and the sensitivity of the customer information at issue. For example, companies have to conduct an assessment of how customers’ information could be at risk and then implement safeguards to address those risks.
Now back to what the FTC says TaxSlayer did – and didn’t do – that violated the Rules. TaxSlayer offers consumers tax preparation and filing services that are both web-based and available through the company’s app. Of course, to file a tax return, consumers have to input pretty much everything other than their blood type and favorite flavor of ice cream. We’re talking name, Social Security number, phone number, address, income, marital status, spouse, kids, debts, health insurance, bank names, account numbers, etc.
For a two-month period in 2015, TaxSlayer was subject to a list validation attack, which allowed remote attackers to access the accounts of about 8,800 TaxSlayer users. (A list validation attack, also known as credential stuffing, is where hackers take lists of usernames and passwords stolen from one site and then – banking on the fact that some consumers use the same password on multiple sites – try them against accounts on other popular sites.) In an unknown number of cases, criminals used the data to commit tax identity theft. They filed fake returns with altered routing numbers and pocketed refunds they weren’t owed. And what a mess that left for victimized consumers: long delays in getting their rightful refunds, freezes or holds on their credit, and endless hours trying to unscramble the ID theft egg.
In the proposed complaint, the FTC alleges that TaxSlayer violated the Privacy Rule and Reg P by failing to give customers the privacy notices they were due. What’s more, TaxSlayer violated the Safeguards Rule by failing to have a written information security program, failing to conduct the necessary risk assessment, and failing to put safeguards in place to control those risks – specifically, the risk that remote attackers would use stolen credentials to take over consumers’ TaxSlayer accounts and commit tax identity theft.
Consistent with the settlements in several other GLB cases, TaxSlayer must comply with the Rules and will be subject to every-other-year independent assessments for the next decade. You can file a comment about the proposed settlement by September 29, 2017.
What does the TaxSlayer case mean for other companies?
- You or your clients may be covered by GLB and not even know it. GLB’s definition of “financial institution” is broader than a lot of businesses think. Sure, it covers companies with vaults, tellers, and chained ballpoint pens that rarely work. But if you have clients in the tax planning or tax prep business, chances are they’re covered by the Gramm-Leach-Bliley Act, too. What steps have you taken to help them comply?
- Deliver your privacy notices. Reg P requires that you deliver your privacy notice in a way that consumers are reasonably expected to actually receive it. A link to your privacy policy on your home page is insufficient. There’s a model notice that identifies the information you’re required to provide.
- Use appropriate authentication procedures. The Safeguards Rule includes concrete guidance about crafting your information security program and the FTC’s complaint outlines instances where TaxSlayer’s authentication practices allegedly fell short. According to the FTC, the credential stuffing attack on TaxSlayer ended when the company implemented multi-factor authentication – requiring users to type in their usernames and passwords and then to authenticate their device by entering a code the company sent to their email or phone. Have your clients considered the security advantages of multi-factor authentication?
- The Safeguards Rule doesn’t build in any laurel-resting time. Once covered companies have a written information security program in place, the Safeguards Rule includes ongoing obligations. For example, companies must evaluate and adjust their programs in light of changes to their business operations, the results of monitoring or testing, and other relevant factors. Your company or your clients may have put safeguards in place back in 2003 when GLB was the new kid on the block. But what have they done recently to keep their program current?
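The two technical points in this post – what a credential stuffing run looks like from the defender's side, and why a second factor stops it – are easier to see in code. The following is an added example written for this page; it is not code from the FTC complaint or from TaxSlayer. The log format, the IP addresses, the usernames, the thresholds, and the `LoginService` class are all hypothetical, and the "email or phone" delivery of the one-time code is stood in for by a dictionary so the example runs offline.

```python
"""Added example (not from the FTC post or the company it discusses).

Part 1: flag credential stuffing in web login logs. The signature is one
source address trying many *distinct* usernames with a high failure rate
(a brute-force on a single account shows one username; a real user shows
one or two).

Part 2: a login flow that, after the password check, requires a one-time
code delivered out of band, so a stolen password alone does not log in.

Assumed (hypothetical) log line format:
    <timestamp> ip=<addr> user=<name> result=<ok|fail>
"""
import hmac
import re
import secrets
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: 203.0.113.7 walks through a list of usernames and
# gets one hit; 198.51.100.4 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2015-10-01T00:00:01Z ip=203.0.113.7 user=alice result=fail
2015-10-01T00:00:02Z ip=203.0.113.7 user=bob result=fail
2015-10-01T00:00:03Z ip=203.0.113.7 user=carol result=ok
2015-10-01T00:00:04Z ip=203.0.113.7 user=dave result=fail
2015-10-01T00:00:05Z ip=203.0.113.7 user=erin result=fail
2015-10-01T00:00:06Z ip=203.0.113.7 user=frank result=fail
2015-10-01T00:00:07Z ip=198.51.100.4 user=bob result=fail
2015-10-01T00:00:08Z ip=198.51.100.4 user=bob result=ok
"""


def parse_log(text):
    """Return a list of dicts (ts, ip, user, result); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Map source IP -> stats for addresses that look like credential stuffing."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "fail":
            s["fails"] += 1
    flagged = {}
    for ip, s in by_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2)}
    return flagged


class LoginService:
    """Password check followed by a one-time code (hypothetical, in-memory)."""

    def __init__(self, users):
        self.users = users    # user -> password (toy; a real system stores salted hashes)
        self.pending = {}     # user -> code awaiting verification
        self.sent = {}        # stand-in for the email/SMS channel

    def password_step(self, user, password):
        # Constant-time comparison; unknown users compare against "" and fail.
        if not hmac.compare_digest(self.users.get(user, ""), password):
            return "fail"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.sent[user] = code  # would be emailed or texted to the account holder
        return "code_required"  # a valid password alone is not a login

    def code_step(self, user, code):
        # Pop so each code is single-use; a replayed code fails.
        expected = self.pending.pop(user, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return "fail"
        return "ok"


if __name__ == "__main__":
    print(find_stuffing_sources(parse_log(SAMPLE_LOG)))
    svc = LoginService({"alice": "hunter2"})
    print(svc.password_step("alice", "hunter2"))      # code_required
    print(svc.code_step("alice", svc.sent["alice"]))  # ok
```

The detector keys on distinct usernames per source rather than on failures per account, which is what separates a stuffing run from a single-account guessing attack; in a real deployment the thresholds would be tuned per site and the source key would usually be a combination of address, ASN and device fingerprint rather than a bare IP. The second factor in `LoginService` mirrors the fix described in the complaint: knowing the password moves an attacker only to `code_required`, and the code is single-use.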