The FTC has announced settlements with both Ceridian Corporation and Lookout Services, Inc., which the FTC charged with committing unfair and deceptive trade practices. According to the FTC, Ceridian and Lookout claimed they would take reasonable measures to secure the sensitive consumer data they maintained, but failed to do so. The FTC appears to have become aware of security inadequacies after both companies experienced data breaches that affected tens of thousands of consumers.
The security problems cited by the FTC included the indefinite retention of sensitive data in readable text without a business need, the failure to require strong user passwords that are periodically changed, and the failure to provide adequate employee training.
The settlement orders prohibit misrepresentations about the privacy, confidentiality, or integrity of any personal information collected from or about consumers. They further require the companies to implement a comprehensive information security program and to obtain independent, third-party security audits every other year for 20 years.