New FTC Data Breach Cases Focus on HR Service Providers & Safeguarding Employee Data

Today, the FTC announced data security settlements with two companies based on allegations that the companies failed to employ reasonable data security measures. The twist in these cases, compared to prior FTC cases, is the focus on companies who act as service providers to businesses related to their employee data (as opposed to customer data).

The FTC settlements underscore:

  1. that reasonably protecting employee/HR data is within the FTC’s scope of enforcement under Section 5 of the FTC Act, and
  2. the importance for all businesses to (a) exercise due diligence in selecting vendors that will have access to their employee/human resources data, and (b) confirm via contract and otherwise that the vendors have reasonable security measures in place (as to both the products being offered and the vendor’s own business where the HR data will be maintained).

The Charges: In the two cases at issue, the HR service providers both incurred data breaches resulting in compromised employee information (e.g., employee names, addresses, social security numbers, dates of birth, direct deposit information). According to the FTC complaints:

  • Ceridian (a payroll and human resource services provider) operated a web-based payroll processing service for small business customers. The FTC’s allegations focused on the vendor’s practice of storing the HR PII in plain text and indefinitely without a business need, remaining vulnerable to predictable SQL injection attacks, and not employing measures to detect and prevent unauthorized access to the PII. As a result, the FTC alleged the company lacked adequate network protections and mishandled its customers’ employee information, resulting in a data breach that affected 28,000 employees of its small business customers.
  • Lookout Services, Inc. markets a web-based compliance product for employers who need to maintain citizenship information about its employees. The FTC’s allegations charged that the vendor failed to implement reasonable security safeguards, including the absence of reasonable security policies, inadequate passwords and user credentials, and an insecure web application, resulting in a data breach to the company’s database that retained 37,000 social security numbers.

The Settlements: Under the settlements, Ceridian and Lookout Services must implement comprehensive information security programs that need to be independently audited every other year for 20 years. Additionally, the companies are barred from misrepresenting the privacy, confidentiality, and integrity of the personal information that they maintain in their systems. Violations of an FTC Order can subject a company to up to $16,000 per violation.