Tax preparers' customer data contain financial data protected by the Gramm-Leach-Bliley Act. According to the Federal Trade Commission in Washington, the service provider violated its privacy provisions in several ways. The required customer notice was given online, but not clearly enough - a glaring yet easily corrected error. The agency states this plainly in its notice TaxSlayer LLC; Analysis To Aid Public Comment, which invites the public to comment on the proposed settlement:
The consent agreement in this matter settles alleged violations of the Gramm-Leach-Bliley Act Privacy Rule, and of the Gramm-Leach-Bliley Act Safeguards Rule.…
This matter involves TaxSlayer, a company that advertises, offers for sale, sells, and distributes products and services to consumers, including TaxSlayer Online, a browser-based tax return preparation and electronic filing software and service. TaxSlayer Online assists consumers, typically for a fee, in preparing and electronically filing federal and state income tax returns. In 2016, more than 950,000 individuals filed tax returns using TaxSlayer Online.
TaxSlayer Online users create an account by entering a username and password … on an account creation page. They then input a host of personal information in order to create a tax return, including but not limited to: Name, Social Security number…, telephone number, physical address, income, employment status, marital status, identity of dependents, financial assets, financial activities, receipt of government benefits, home ownership, indebtedness, health insurance, retirement information, charitable donations, tax payments, tax refunds, bank account numbers, and payment card numbers.…
The complaint alleges that TaxSlayer became subject to a list validation attack that began in October 2015. List validation attacks occur when attackers use lists of stolen login credentials to attempt to access accounts across a number of Web sites, knowing that consumers often reuse login credentials. In an unknown number of instances, the attackers engaged in tax identity theft by e-filing fraudulent tax returns and diverting the fabricated refunds to themselves.
The Commission's complaint alleges that TaxSlayer failed to comply with the Gramm-Leach-Bliley … Act Privacy Rule in two ways. First, TaxSlayer failed to provide a clear and conspicuous initial privacy notice. TaxSlayer's Privacy Policy was contained towards the end of a long License Agreement, and TaxSlayer did not convey the importance, nature, and relevance of this Privacy Policy to its customers. Second, TaxSlayer failed to deliver the initial privacy notice so that each customer could reasonably be expected to receive actual notice. For example, TaxSlayer did not require customers to acknowledge receipt of the initial privacy notice as a necessary step to obtaining a particular financial product or service.
In addition, the complaint alleges that TaxSlayer engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive information from consumers, in violation of the GLB Act Safeguards Rule. First, TaxSlayer failed to have a written information security program until November 2015. Second, TaxSlayer failed to conduct a risk assessment, which would have identified reasonably foreseeable risks to the security, confidentiality, and integrity of customer information, including risks associated with inadequate authentication. Third, TaxSlayer failed to implement information safeguards to control the risks to customer information from inadequate authentication.
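The list validation attack the FTC describes above has a recognisable footprint in authentication logs: one source trying many different usernames in a short time, most of them failing, with the occasional success wherever a consumer reused a password. The following detector, added here as an illustration and not taken from the FTC notice or from TaxSlayer, runs that heuristic over constructed sample log lines. The log format (`<ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>`), the IP addresses (documentation ranges), the usernames and the thresholds are all assumptions for the example.

```python
"""Credential-stuffing ("list validation") detector over authentication logs.

Added example, not code from the FTC notice or from TaxSlayer. It assumes a
hypothetical application log line of the form
    <ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
and flags source IPs that, inside a sliding time window, try many distinct
usernames with a low success ratio: the signature of a stolen credential
list being replayed rather than one user mistyping a password.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 198.51.100.7 walks a credential
# list across many accounts; 203.0.113.5 is a legitimate user with one typo.
SAMPLE_LOG = """\
2015-10-03T08:00:01 198.51.100.7 alice LOGIN_FAIL
2015-10-03T08:00:02 198.51.100.7 bob LOGIN_FAIL
2015-10-03T08:00:02 198.51.100.7 carol LOGIN_OK
2015-10-03T08:00:03 198.51.100.7 dave LOGIN_FAIL
2015-10-03T08:00:04 198.51.100.7 erin LOGIN_FAIL
2015-10-03T08:00:04 198.51.100.7 frank LOGIN_FAIL
2015-10-03T08:00:05 198.51.100.7 grace LOGIN_OK
2015-10-03T08:00:06 198.51.100.7 heidi LOGIN_FAIL
2015-10-03T08:01:00 203.0.113.5 ivan LOGIN_FAIL
2015-10-03T08:01:09 203.0.113.5 ivan LOGIN_OK
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Attempt:
    """Parse one hypothetical log line into an Attempt record."""
    ts, ip, user, result = line.split()
    return Attempt(datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK")


def detect_list_validation(log_text, window=timedelta(minutes=5),
                           min_users=5, max_success_ratio=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for sources that
    tried at least `min_users` distinct usernames within `window` while their
    success ratio stayed at or below `max_success_ratio` (thresholds assumed)."""
    recent = defaultdict(deque)   # ip -> attempts still inside the window
    flagged = {}
    for line in log_text.strip().splitlines():
        a = parse_line(line)
        q = recent[a.ip]
        q.append(a)
        while q and a.ts - q[0].ts > window:   # slide the window forward
            q.popleft()
        users = {x.user for x in q}
        successes = sum(x.ok for x in q)
        if len(users) >= min_users and successes / len(q) <= max_success_ratio:
            flagged[a.ip] = (len(users), len(q), successes)
    return flagged


def compromised_accounts(log_text, flagged):
    """Usernames on which a flagged source logged in successfully: the reused
    credentials the attacker has now validated, which need a forced reset."""
    hits = set()
    for line in log_text.strip().splitlines():
        a = parse_line(line)
        if a.ip in flagged and a.ok:
            hits.add(a.user)
    return sorted(hits)


if __name__ == "__main__":
    found = detect_list_validation(SAMPLE_LOG)
    print("flagged sources:", found)
    print("accounts validated by attacker:", compromised_accounts(SAMPLE_LOG, found))
```

On the sample data the walker from 198.51.100.7 is flagged once it reaches its fifth distinct username, while the single retry from 203.0.113.5 is ignored; the two accounts it logged into are the ones that need a password reset and a refund hold. Detection of this kind is a compensating control, not the safeguard itself: the risk assessment the FTC says was missing would have pointed at rate limiting per source and per account and at a second authentication factor, which stop the list from being validated in the first place.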