FTC Archives – Blog Business Law – a resource for business law students

Posted by Masood Mohayya.

In Fall 2015, TaxSlayer, a web-based tax preparation service, fell victim to a data breach, specifically a credential-stuffing attack. Due to a security flaw, the cyber-attackers were able to gain access to almost 9000 TaxSlayer accounts, which provided them with highly sensitive data (including social security numbers, bank accounts, and credit card information) belonging to TaxSlayer’s customers. TaxSlayer was not aware of this attack until January 2016, when a user complaint mentioned a compromised tax account. The discovery of this credential-stuffing attack resulted in a thorough investigation conducted by the FTC.

The FTC had determined that TaxSlayer failed to meet the standards set by the Privacy Rule and the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). Although the GLBA only applies to financial institutions, such as banks or investment advisors, the fact that TaxSlayer partakes in tax return activities made it subject to the GLBA. The Safeguards Rule requires financial institutions to have a “comprehensive written security program.” Furthermore, they need to routinely monitor their cybersecurity programs, and “design and implement information safeguards” to control any risks or flaws identified during security assessments. Had TaxSlayer not violated these requirements, their network security risk could have been identified much sooner, and prevented the endangerment of thousands of customers’ information.

Moving forward, the FTC concluded that TaxSlayer must comply with the regulations set by the GLBA. Failure to do so would subject them to contempt risk. However, this incident opened larger doors for the FTC. One of their largest priorities is enforcing the importance of multi-factor authentication to access sensitive data for all companies, especially those not subject to the GLBA. They believe it is one of the most effective privacy protection tools, and can prevent countless cyberattacks. Although there are still no official legal mandates set in stone by the FTC, companies without robust network security put themselves at severe risk.

Masood is an IT management major at the Stillman School of Business, Seton Hall University, Class of 2019.

Source:

https://biglawbusiness.com/cybersecurity-enforcers-wake-up-to-unauthorized-computer-access-via-credential-stuffing/

Posted by Pooja Patel.

The Federal Trade Commission sued Volkswagen for advertising a false claim that their vehicles are environmentally friendly and “clean diesel.” Volkswagen is a German car manufacturer. The vehicles affected by this lawsuit are 2009 through 2015 Volkswagen TDI diesel models of Jettas, Passats, and Touareg SUVs, as well as the TDI Audi models. The sale price for these affected vehicles ranges from the least expensive $22,000 Volkswagen to the most expensive $125,000 Audi model. Volkswagen advertised its “clean diesel” vehicles through major advertisements such as Super Bowl ads, print ads, and of course social media advertisements.

Volkswagen claims their cars are “low-emission, environmentally friendly” and “met emissions standards and would maintain a high resale value.” These claims are alleged to be false. Volkswagen claimed that their cars had low emissions and were “clean diesel.” This means the vehicle would produce low Nitrogen Oxide by 90 percent or less. Instead, the FTC complaint states that the vehicle produces up to 4,000 percent more than the legal limit. This is harmful and dangerous to the customers, since it can cause health problems as well as environmental problems. Also, Volkswagen claimed that they met the emission standards and also would maintain a high resale value, but these claims were also false. According to the FTC, Volkswagen has installed illegal software that helped it pass emission standards.

The chairwoman of the FTC, Edith Ramirez, stated that “Our lawsuit seeks compensation for the consumers who bought affected cars based on Volkswagen’s deceptive and unfair practices.” Volkswagen is also looking at a potential $20 billion fine for violating the clean air regulations. The lawsuit is yet to be settled; therefore, exact fines are not yet confirmed. But Volkswagen’s spokeswoman, Jeannine Ginivan, responded to this issue and said, “Our most important priority is to find a solution to the diesel emissions matter and earn back the trust of our customers and dealers as we build a better company.”

In my opinion, the actions Volkswagen took were definitely unethical; they were more concerned about gaining profits. They also put consumers’ lives at risk. I think the Federal Trade Commission did the right thing by suing the Volkswagen company.

Pooja is an accounting and finance major at the Feliciano School of Business, Montclair State University, Class of 2019.

Posted by Michael Larkin.

When one checks into a hotel, one would expect to have their information stored in a company’s database, but one would not expect that database to get compromised. Wyndham Worldwide Corporation was using a property management system that stored customers’ names, addresses, and credit card numbers. On three separate occasions in 2008 and 2009, Wyndham was hacked and this information was pulled off of over 600,000 accounts. Damage was approximately $10.6 million and the Federal Trade Commission (FTC) brought Wyndham to trial.

Even though Wyndham was the company that got hacked, it was the customers who got hurt, and that is why the FTC filed against Wyndham. The FTC argued that the hacks were caused by the very limited security that the management system used. It was found that the credit card numbers could easily be read, passwords were easy to guess, and a firewall was not deployed, along with various other issues. Wyndham argued that the FTC had no right to file a suit against them and that the unfairness and deception claims were not sufficiently validated. It was found that Wyndham didn’t provide a fair system for its customers, and the court required the company to change in order to protect its customers. Mainly, Wyndham needs a more comprehensive security program in order to protect account information and also conduct annual information security audits and maintain a safeguard for its servers.

This case was a matter of protection and privacy for the company’s customers. A customer is providing personal information in order to engage in business so Wyndham has a duty to protect that information. Having a higher security will ensure that hackers will not be able to breach the system and steal information. The FTC won the trial, and in doing so, made sure that a company had a high security to protect the customers.

Michael is a finance major at the Stillman School of Business, Seton Hall University, Class of 2019.

Sources:

FTC v. Wyndham Worldwide Corp.

Verdict From: https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment