Ceridian, Lookout Services Settle With FTC Over Data Breach
Two companies have settled charges leveled by the Federal Trade Commission that they failed to adequately protect large quantities of sensitive employee data.
The companies, Ceridian Corporation and Lookout Services, violated federal laws that require them to take appropriate security measures to protect the data, which included Social Security numbers and other personally identifiable information.
A report recently revealed that data breaches were at an all-time high in 2010, with 96 percent of all breaches shown to have been avoidable by implementing simple security measures.
The FTC claimed that both companies promised to take the measures, but did not do so--something that became clear when security breaches at each company exposed the data of over 65,000 consumers. The FTC called their security practices "unfair and deceptive."
According to the FTC's report, Ceridian, a provider of payroll and HR services, stored data on its network in readable text without "a business need," allowing the breach to occur and putting information including direct deposit data at risk. The personal data of approximately 28,000 Ceridian customers was compromised.
To help employers comply with immigration laws, Lookout Services offers the 'I-9 Solution' product, which stores names, addresses, dates of birth and Social Security numbers. The company also failed to adequately protect its data. The FTC found that anyone with the correct URL was able to bypass the Lookout website's authentication procedures and easily access sensitive data -- no username or password necessary. According to the FTC complaint, an employee of a Lookout customer was able to gain unauthorized access to the personal data of over 37,000 consumers.
As part of the settlement, the companies will have to implement appropriate security programs and get independent audits of these programs every other year for the next 20 years.