Data brokers Reed Elsevier and Seisint have agreed to conduct biennial audits of their data protection procedures for 20 years as part of a settlement with the FTC. Businesses that find themselves under the FTC's scrutiny and choose to settle data privacy allegations may have to eventually assume the expense of conducting costly audits for as long as 20 years.
Reed Elsevier, via its LexisNexis data broker business, and Seisint gather information about millions of consumers, including names, current and prior addresses, dates of birth, drivers’ license numbers and Social Security Numbers. The companies relied on user IDs and passwords to control customer access to consumer information in their databases.
The FTC alleged that Reed Elsevier and Seisint failed, among other things, to:
• Make Seisint user credentials hard to guess;
• Suspend credentials after a certain number of unsuccessful log-in attempts;
• Require Seisint customers to encrypt or protect credentials, search queries or search results in transit between customer computers and Seisint Web sites;
• Verify that new user credentials were created by customers rather than identity thieves;
• Prevent users from sharing credentials;
• Adequately assess the vulnerability of Seisint’s Web applications and computer network to commonly known attacks; and
• Implement simple, low-cost, and readily available defenses to such attacks.
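The first two items on that list (credentials that are hard to guess, and suspension after a fixed number of failed log-ins) are the kind of "simple, low-cost, and readily available" defenses the last item refers to. The following is an added illustration, not code from the original post or from either company, of how a minimal credential store can enforce both controls; the thresholds, the function and class names, and the short list of weak passwords are assumptions constructed for the demo.

```python
"""Added example (not from the post or from either company): a minimal
credential store that (1) rejects easily guessed passwords and (2) suspends
a credential after a fixed number of unsuccessful log-in attempts. All names,
thresholds and the weak-password sample are assumptions made for this demo."""

import hashlib
import hmac
import secrets
import time

# Constructed sample of weak values; a real deployment would check against a
# large breached-password list rather than this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 12            # assumed policy value
MAX_FAILED_ATTEMPTS = 5    # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60  # assumed suspension period


def is_hard_to_guess(password: str, user_id: str) -> bool:
    """Reject short, common, or user-ID-derived passwords and require at
    least three character classes."""
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        return False
    if lowered in COMMON_PASSWORDS:
        return False
    if user_id.lower() in lowered:
        return False
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes >= 3


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked database does not yield plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CredentialStore:
    """Stores salted password hashes and enforces a lockout policy.
    The clock is injectable so the lockout expiry can be tested offline."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}  # user_id -> {salt, hash, failures, locked_until}

    def register(self, user_id: str, password: str) -> None:
        if not is_hard_to_guess(password, user_id):
            raise ValueError("credential does not meet strength policy")
        salt = secrets.token_bytes(16)
        self._users[user_id] = {
            "salt": salt,
            "hash": _hash(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def is_locked(self, user_id: str) -> bool:
        rec = self._users.get(user_id)
        return rec is not None and self._clock() < rec["locked_until"]

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. While a credential is
        suspended even the correct password is refused."""
        rec = self._users.get(user_id)
        if rec is None:
            return "denied"
        now = self._clock()
        if now < rec["locked_until"]:
            return "locked"
        if hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = CredentialStore()
    store.register("demo-user", "Tr0ub4dor&3xyz")  # constructed sample
    print(store.login("demo-user", "Tr0ub4dor&3xyz"))  # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("demo-user", "wrong-guess"))  # denied ... locked
```

The lockout counter resets on a successful log-in and after the suspension expires, and the password comparison uses a constant-time check over salted, iterated hashes; unknown user IDs return the same "denied" result as a wrong password so the response does not reveal which accounts exist.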
Identity thieves allegedly exploited these security failures and obtained access to the sensitive information of at least 316,000 consumers from Accurint databases. The identity thieves used the information to create and activate new credit cards with which they made fraudulent purchases. Reed Elsevier acquired Seisint in late 2004, and the breaches continued for at least nine months afterward, during which time Reed Elsevier controlled Seisint’s practices.
For the next 20 years, auditors will be required to certify that the companies’ security programs meet or exceed the requirements of the FTC’s orders and are operating with sufficient effectiveness to provide reasonable assurance that the security of consumers’ personal information is being protected. The Reed Elsevier and Seisint settlements also contain bookkeeping and record keeping provisions to allow the FTC to monitor compliance with its orders.
View the complaint here.
View the settlement agreement here.