Tax Preparer TaxSlayer Settles FTC Privacy, Security Charges


By Daniel R. Stoller

Tax preparation service TaxSlayer LLC Aug. 29 settled FTC claims of failing to implement adequate security procedures to protect client information.

The Federal Trade Commission charged that the Evans, Ga.-based private company violated the Gramm-Leach-Bliley Act’s (GLB) Safeguards Rule and Privacy Rule by not implementing provisions “to protect the security, confidentiality, and integrity of customer information,” and by not delivering “privacy notices to customers.”

The enforcement action reinforces the FTC’s continuing active GLB compliance oversight role. The GLB Act authorized the FTC to issue the Safeguards Rule, which requires financial institutions to secure customer data, and the Privacy Rule, which requires companies to inform customers of the financial institution’s privacy policies. The FTC says it has brought nearly 30 cases under the Safeguards Rule.

The no-fault settlement stems from FTC claims that hackers were able to get access to 9,000 customer accounts from Oct.-Dec. 2015. The hackers used the stolen information “to obtain tax refunds by filing fraudulent tax returns,” the FTC said in its complaint.

Remedial Action

A TaxSlayer spokesperson told Bloomberg BNA Aug. 29 that the company “reacted instantly and self-reported the attack to the IRS and took immediate remediation efforts.” Since the hack “that was aimed at less than one percent of” customers, TaxSlayer has “implemented increased security procedures and stricter authentication requirements,” the spokesperson said.

Despite TaxSlayer’s remediation efforts, the FTC decided to take action, continuing its focus on consumer data security and privacy enforcement.

Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection, said in an Aug. 29 statement that “it’s critical” for tax preparation services to “implement appropriate safeguards to protect” client information. TaxSlayer failed to “have an adequate risk assessment plan, and hackers took over user accounts and committed identity theft,” he said.

Compliance Assessments

Under the terms of the no-fault settlement, TaxSlayer must conduct biennial, third-party assessments to ensure compliance with federal privacy and financial services laws.

TaxSlayer must show in each assessment that it implements “administrative, technical, and physical safeguards”; explain how the “safeguards are appropriate” to the company’s size and the sensitivity of its customer data; show that the safeguards “meet or exceed” required protections; and certify that the program provides “reasonable assurances that the security, confidentiality, and integrity of personal information is protected.”

If the company fails to abide by the consent agreement in the next 20 years, it could face federal court action to enforce the order.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Text of the no-fault settlement is available at http://src.bna.com/r4X.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
