In re Reed Elsevier Inc. and Seisint, Inc., FTC File No. 052-3094 (March 27, 2008).
Factual Background Edit
In the Federal Trade Commission’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI — through its LexisNexis data broker business — and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases.
The complaint alleges that, among other security failures, they allowed customers to use easy-to-guess passwords to access Seisint’s “Accurint” databases. The databases contained sensitive consumer information, including drivers license numbers and Social Security numbers. Identity thieves exploited these security failures, and through multiple breaches obtained access to sensitive information about at least 316,000 consumers from Accurint databases. The identity thieves used the information to activate credit cards and open new accounts, and made fraudulent purchases on the cards and new accounts. REI acquired Seisint in late 2004, and the breaches continued for at least nine months afterward, during which time REI controlled Seisint’s practices.
The agency charged that Seisint and REI:
- Failed to make Seisint user credentials hard to guess;
- Failed to require periodic changes of Seisint user credentials;
- Failed to suspend credentials after a certain number unsuccessful log-in attempts;
- Allowed Seisint customers to store their credentials in a vulnerable format in cookies on their computers;
- Failed to require Seisint customers to encrypt or protect credentials, search queries or search results in transit between customer computers and Seisint websites;
- Allowed customers to create new user credentials without confirming that the new credentials were created by customers rather than identity thieves;
- Permitted users to share credentials;
- Did not adequately assess the vulnerability of Seisint’s Web applications and computer network to commonly known attacks; and
- Did not implement simple, low-cost, and readily available defenses to such attacks.
Settlement Agreement Edit
The settlement with REI and Seisint (contained within a Agreement Containing Consent Order) requires them to establish and maintain comprehensive security programs to protect personal information that is in whole or part nonpublic information. The settlements require the programs to contain administrative, technical, and physical safeguards appropriate to each company’s size, the nature of its activities, and the sensitivity of the personal information it collects. Specifically, the companies must:
- Designate an employee or employees to coordinate the information security program;
- Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;
- Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;
- Develop reasonable steps to select and oversee service providers that handle the personal information they receive from the companies; and
- Evaluate and adjust their information security programs to reflect the results of monitoring, any material changes to their operations, or other circumstances that may impact the effectiveness of their security programs;
The settlements require the companies to retain independent, third-party security auditors to assess their security programs on a biennial basis for the next 20 years. The auditors will be required to certify that the companies’ security programs meet or exceed the requirements of the FTC’s orders and are operating with sufficient effectiveness to provide reasonable assurance that the security of consumers’ personal information is being protected.
The settlements also contain bookkeeping and record keeping provisions to allow the agency to monitor compliance with its orders.