Company Name(s) (FTC v.) | Date | Act Violated | Category: False Advertising | Category: Encryption Issues | Category: Security Breach | Category: Data Leakage | Category: Poor Practice | Category: Security Flaws | Category: Privacy Policy Breach | Summary of Problematic Conduct | Financial Redress | Audit: Must Provide Copies of Advertisements Towards Consumer | Audit: Maintain Copies of Privacy Statements, Disclosures, Invoices, and Record Concerning PI Collection | Audit: Maintain All Statements About Privacy Policies and Changes | Audit: Maintain all Consumer Complaints | Audit: Maintain All Records (accounting, personnel, customer, sales, etc.) | Audit: Must Provide Documents Signifying Compliance with Security Program | Audit: Must Provide Copy of Judgement to Employees, etc. | Audit: Must Notify Commission About Company Changes | Audit: Report Personal Changes To Employment and Business Affiliations | Audit: Report Detailing Manner of Compliance | Audit: Submit to Any Active Request of Commission Within 10-30 notice | Mandate: No Misrepresentation of extent of Security Measures | Mandate: Adopt Security Program | Mandate: Assessment From Third Party Detailing Effectiveness of Program | Mandate: Will not Violate GLB Rule | Mandate: Obtain Assessment About Compliance to GLB | Mandate: Will not Misrepresent Data Collection Policies | Mandate: Will not Collect/Disclose Data Without Proper Consent and Disclosure | Mandate: Will not Misrepresent or fail to disclose consumer action | Mandate: Will not violate CAN-SPAM Act | Mandate: Will not Violate FCRA | Press Coverage |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Affordable Accents, Worldwide RX and World Wide Medicine | 7/12/2000 | Section 5(a) of the FTC Act, 15 U.S.C. § 45(a) Section 12 of the FTC Act, 15 U.S.C. § 52 | Yes | Yes | No | No | No | Yes | No | -False Advertising/Deceptive Practice: Representing to customers that prescriptions are done by on site doctors and pharmacies when in fact not true -False Advertising/Deceptive Practice: Claim data is encrypted and protected with secure SSL connection when in fact not true -False Advertising/Deceptive Practice: Represent to customer that IOG can bill credit card without authorization for Y2K upgrades -False Advertising/Deceptive Practice: Using personal/billing information for more than just medical services i.e. see previous | None | 5 years | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | N/A | Within 120 Days | N/A | Yes | Yes | No | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2000/07/online-pharmacies-settle-ftc-charges |
Eli Lilly and Company | 1/18/2002 | Section 5(a) of the FTC Act | Yes | No | No | Yes | No | No | No | Pharmaceutical company Eli Lilly has promoted its medication Prozac through its company websites. Consumers can also subscribe to an email service to give them reminders and information about their medication. The websites claim to take certain steps to maintain the privacy of its subscribers. However, upon the cancellation of the email alert service, a mass email was used to inform former subscribers. This email contained in public view the email addresses of all current subscribers, thus revealing personal information meant to be protected. | none | 5 years | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | N/A | Within 120 Days | N/A | Yes | Yes | No | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2002/01/eli-lilly-settles-ftc-charges-concerning-security-breach |
Guess? Inc. and Guess.com Inc. | 8/5/2003 | Section 5(a) of the FTC Act, 15 U.S.C. § 45 | Yes | Yes | Yes | No | No | No | No | Guess? and its website Guess.com sell clothing online. To interact with the website and supply personal information for purchases, users interact with a web application. Guess? Inc. claims to protect and encrypt user data, but this data is stored in tables and these tables are vulnerable to certain attacks such as SQL injection attacks. Guess? Inc. failed to take necessary and known steps to protect user privacy and represented that it had done so. Its claims that data was unreadable and encrypted at all times were false, along with its claimed steps to prevent access. | none | 5 years | N/A | N/A | N/A | N/A | 3 years | Within 30 Days | Within 30 Days | N/A | Within 120 Days | N/A | Yes | Yes | No | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2003/06/guess-settles-ftc-security-charges-third-ftc-case-targets-false |
MTS Inc. and Tower Direct LLC | 6/4/2004 | Section 5(a) of the FTC Act | Yes | No | No | No | Yes | No | No | MTS and its subsidiary Tower sell records, books, and video, online via their website. Users interact with an application in order to purchase goods and users are given an order number to track their purchases. MTS and Tower claim to take reasonable steps in maintaining privacy. When updating a certain piece of code, the "authentication" variant was not updated as well, thus anyone could gain unauthorized access to information not their own with a valid order number and some 5225 users experienced information leakage to unauthorized sources. The claim of reasonable protection was false and the Broken Account and Session Management problems were deemed irresponsible and fixable beforehand. | none | 5 years | N/A | N/A | N/A | N/A | Biannually for 3 years | Within 30 Days | Within 30 Days | N/A | Within 180 Days | N/A | Yes | Yes | Biannually For 10 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2004/04/tower-records-settles-ftc-charges |
Sunbelt Lending Services Inc. | 1/7/2005 | Section 4 of the FTC Act, 15 U.S.C. § 44 Safeguarding Customer Information Rule Privacy of Consumer Financial Information Rule Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 Section 5(a)(1) of the FTC Act. | No | No | No | No | Yes | No | No | Sunbelt Lending collects important user data such as Social Security numbers and has failed to take steps to identify and mitigate risks to this information's security. One such example is poor security practices when working remotely. This is in violation of the Safeguards Rule. Secondly, Sunbelt Lending failed to give notices to its customers detailing its privacy policies and practices, and this is a violation of the Privacy Rule. | none | N/A | N/A | N/A | N/A | N/A | N/A | Within 30 Days | Within 30 Days | N/A | Within 180 Days | N/A | N/A | No | N/A | Yes | Within 180 Days Biannual Reports for 10 years | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2004/11/ftc-enforces-gramm-leach-bliley-acts-safeguards-rule-against |
Petco | 3/8/2005 | Section 5(a) of the Federal Trade Commission Act | No | Yes | Yes | No | No | No | No | Petco collects user information such as credit card information when consumers interact with its web application to buy products. It was found that this information was not securely encrypted and that reasonable security measures were not taken to prevent attacks such as SQL injections. Thus the lack of good practice, in addition to claims of the opposite, has led to a violation of the FTC Act. | none | 5 years | N/A | N/A | N/A | N/A | Biannually for 3 years | Within 30 Days | Within 30 Days | N/A | Within 180 Days | N/A | Yes | Yes | Biannually For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2004/11/petco-settles-ftc-charges |
Nationwide | 11/9/2004 | Gramm-Leach Bliley Act, 15 U.S.C. § 6801 Section 5(a)(1) of the FTC Act | No | No | No | No | Yes | No | No | Nationwide collects personal information from its customers and has failed to implement protective practices to maintain the security of this information. One such example is storing this information in a computer network accessible to all employees. Additionally Nationwide failed to give its customers notice as to their privacy practices. These are violations of the Safeguards Rule and Privacy Rule of the GLB Act. | none | N/A | N/A | N/A | N/A | N/A | N/A | Within 30 Days | Within 30 Days | 10 years | Within 180 Days | N/A | N/A | No | N/A | Yes | Within 180 Days Biannual Reports for 10 years | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2004/11/ftc-enforces-gramm-leach-bliley-acts-safeguards-rule-against https://www.ftc.gov/news-events/press-releases/2005/03/mortgage-company-settles-ftc-charges |
Vision I | 4/26/2005 | Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) | Yes | No | No | No | No | No | No | Vision I designs "shopping cart" technologies for use on merchants' sites where buyers shop for goods and thus volunteer some personal information. Although the merchant sites themselves may adhere to certain privacy policies, it is unclear that Vision I's third-party technology does not adhere to the same standards. In fact, Vision I has collected information and rented it to other merchants for marketing purposes. Thus this is considered an unfair or deceptive practice. | $9,101.63 (within 5 days) | N/A | 5 Years | N/A | N/A | N/A | N/A | Within 30 Days | Within 30 Days | N/A | Within 60 Days | N/A | N/A | No | N/A | N/A | N/A | Yes | Yes | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2005/03/internet-service-provider-settles-ftc-privacy-charges |
BJ's Wholesale Club | 9/23/2005 | Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) | No | Yes | No | No | Yes | No | No | BJ's Wholesale Club operates warehouse clubs across the country. At these stores consumers often make purchases via credit or debit card and thus personal information is collected from the cards and stored in the store's computer network before being sent to banks for authorization. BJ's does not encrypt this information in transit, leaves it accessible to anonymous access, does not utilize restrictions on wireless access, and stores data for unnecessarily long periods of time. This resulted in a variety of credit card fraud cases resulting in several millions of dollars fraudulently spent. | none | N/A | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | N/A | Within 180 Days | N/A | N/A | Yes | Within 180 Days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2005/06/bjs-wholesale-club-settles-ftc-charges |
Superior Mortgage Corporation | 12/16/2005 | Section 5(a)(1) of the FTC Act | No | Yes | No | No | Yes | No | No | Superior Mortgage Company, via its loans business, has collected personal information from its clients. However, steps have not been taken to maintain the safety of this information, with failures including poor password policies, lacking encryption, and not certifying the practices of its service providers. This is in violation of the Safeguards Rule. Additionally, claims that PI is encrypted from beginning to end of transactions are false, and this information is only encrypted in transit to third party service providers, at which point it is decrypted into plaintext. | none | N/A | N/A | N/A | N/A | N/A | N/A | Within 30 Days | Within 30 Days | N/A | Within 180 Days | N/A | Yes | No | N/A | Yes | Within 180 Days Biennial Reports for 10 years | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2005/09/mortgage-company-settles-information-security-charges |
DSW Inc. | 3/14/2006 | Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) | No | Yes | No | No | Yes | No | No | DSW was responsible for the theft of information for upwards of 1,438,281 credit and debit cards and almost 100,00 checking accounts and licenses via its poor practices that include storing personal information in multiple files longer than necessary, limiting access to computer networks via wireless points, failing to encrypt data that can be accessed by any known user ID and password, allowing computers on one network to access other networks, and failing to implement strategies for unauthorized access. | none | N/A | N/A | N/A | N/A | N/A | 5 years | Within 30 Days For 10 Years | Within 30 Days | N/A | Within 180 Days | N/A | N/A | Yes | Within 180 Days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2005/12/dsw-inc-settles-ftc-charges https://www.ftc.gov/news-events/press-releases/2006/03/commission-approves-final-order-matter-dsw-inc |
Nations Title Agency Inc. Nations Holding Company Christopher M. Likens | 6/20/2006 | Section 5(a) of the FTC Act GLB Act | No | No | No | No | Yes | No | No | Nations Holding Company and its subsidiaries regularly collect personal information in their business of financing home payments. They have routinely failed to assess risks to this information, adequately train employees how to handle it, implement defenses to common website attacks or access control policies, implement measures to detect unauthorized access, and reasonably oversee the handling of collected data by third parties. Not only were poor practices employed digitally, but hard copies of sensitive information were found near the office premises. With the false claims that NTA employs reasonable protection practices, these acts are seen as violations of the Safeguards Rule and Privacy Rule set out in the GLB Act. | none | N/A | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | 10 years | Within 180 Days | N/A | Yes | Yes | Within 180 Days Biennially For 20 Years | Yes | No | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2006/05/real-estate-services-company-settles-privacy-and-security-charge https://www.ftc.gov/news-events/press-releases/2006/06/ftc-staff-alpena-michigan-public-schools-planned-pharmaceutical |
Snapchat, Inc. | 5/8/2014 | Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) | Yes | No | No | No | No | Yes | Yes | Snapchat provides a mobile application that allows consumers to send and receive photo and video messages known as "snaps." Snapchat markets these messages as disappearing once they are opened by the recipient; however, this was not the case because several methods exist to capture these snaps. Examples include accessing the video files when they are briefly stored in an unrestricted area of the phone, using Snapchat's application programming interface (API) to download sent images, and taking a screenshot of the image before it disappears with an undetectable double tap of the iPhone home button. Additionally Snapchat misled customers to believe that their geolocation was not tracked, that it did not collect contact information, and that it securely stored their friends' information when none of the above were true. | none | N/A | N/A | Yes | Yes | N/A | No | Within 30 Days | Within 30 Days | N/A | N/A | Yes | Yes | Within 180 Days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2014/05/snapchat-settles-ftc-charges-promises-disappearing-messages-were http://www.washingtonpost.com/blogs/the-switch/wp/2014/05/08/snapchat-agrees-to-settle-ftc-charges-that-it-deceived-users/ http://www.wsj.com/articles/SB10001424052702304655304579550010332216676 | |
GMR Transcription Services, Inc. | 1/31/2014 | Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) | Yes | No | No | No | No | Yes | Yes | GMR Transcription Services provides transcription services for customers for audio and transcript files. These files can contain sensitive health, financial or personal information. GMR assures customers that their data is kept securely, but the data GMR sends can easily be accessed online by anyone without authentication. The files were captured and accessed by a major search engine and the contents were seen by anyone. The search engine removed the files when asked. GMR could have easily corrected these security failures. | none | 5 years | N/A | N/A | N/A | N/A | 3 years | Within 30 Days | Within 30 Days | 10 years | Within 60 Days | N/A | Yes | Yes | Within 180 Days Biennially For 20 Years | N/A | N/A | Yes | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2014/01/provider-medical-transcript-services-settles-ftc-charges-it https://www.ftc.gov/news-events/press-releases/2014/08/ftc-approves-final-order-case-against-gmr-transcription-services |
CardSystems Solutions | 9/8/2006 | Section 5(a) of the Federal Trade Commission Act | No | No | Yes | No | Yes | Yes | No | CardSystems Solutions provides merchants with products and services that authenticate credit/debit card purchases by collecting important security information from the card and transmitting this data to banks for authorization. CardSystems failed to implement basic security mechanisms to protect and store this data and was victim to an SQL injection attack that compromised thousands of credit cards. | none | N/A | N/A | N/A | N/A | N/A | 3 years | Within 30 Days | Within 30 Days | N/A | Within 180 Days | N/A | N/A | Yes | Within 180 Days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2006/09/ftcdoj-issue-annual-hsr-premerger-notification-report-congress |
Guidance Software Inc. | 4/3/2007 | Section 5(a) of the Federal Trade Commission Act | Yes | Yes | Yes | No | Yes | Yes | No | Guidance Software sells products and services to consumers about how to deal with computer breaches. Via this, Guidance Software collects personal information in accordance with business transactions. Although claiming to take steps to maintain security including implementing SSL, the steps taken are either inefficient or not present at all. This, plus an actual breach during an SQL injection attack compromising user information, led to the indictment. | none | N/A | N/A | N/A | N/A | N/A | 3 years | Within 30 Days | Within 30 Days | N/A | Within 180 Days | N/A | Yes | Yes | Within 180 Days Biennially For 10 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2007/04/commission-approves-final-consent-order-matter-guidance-software |
American United Mortgage Company | 12/18/2007 | Disposal Rule, C.F.R. § 682.1(b) Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 | No | No | No | No | Yes | Yes | No | American United Mortgage, in collecting various forms of personal information from clients, failed to safely store and dispose of such information when necessary. Intact copies of consumer reports were found around the building and when warned American United Mortgage failed to act. This violated the Disposal Rule, and both Privacy and Safeguards rule of the GLB Act. | $50,000.00 (within 30 days) | N/A | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | N/A | Within 180 Days | Yes | N/A | No | N/A | Yes | Within 180 Days Biennial Reports for 10 years | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2007/12/company-will-pay-50000-penalty-tossing-consumers-credit-report |
ValueClick Inc. Hi-Speed Media Inc. E-Babylon Inc. | 3/17/2008 | Section 5(a) of the FTC Act, 15 U.S.C. § 45(a) Section 5(a)(2) of CAN-SPAM, 15 U.S.C. § 7704(a)(2) | Yes | Yes | No | No | Yes | Yes | No | The defendants consistently send lead generation emails to consumers whose subject headers imply the winning of prizes or otherwise are set to mislead consumers as to the additional steps they must take, or money they must pay to receive the goods promised. Emails just lead to a variety of landing pages. Additionally, after obtaining E-Babylon, the opportunity to collect personal information including credit card became possible. As such, the measures taken to protect this data were insufficient, including the lack of encryption, and yet privacy statements stated that these steps were in fact taken | $2,900,000 (within 10 days) | N/A | N/A | N/A | Yes | 8 years | 5 years | Within 10 Days | Within 30 Days | N/A | Within 180 Days | Yes | Yes | Yes | Within 180 Days Biennially For 20 Years | N/A | N/A | N/A | N/A | Yes | Yes | N/A | https://www.ftc.gov/news-events/press-releases/2008/03/valueclick-pay-29-million-settle-ftc-charges |
Goal Financial LLC | 4/15/2008 | Section 5(a) of the FTC Act GLB Act | Yes | Yes | Yes | No | Yes | Yes | No | Through loan related services, Goal Financial collects a variety of confidential personal information. Although claiming to protect this data sufficiently and giving access only to authorized employees, this is actually untrue. Employees were able to access upwards of 7000 records without authorization and one employee sold unprotected and uncleaned hard drives from the company compromising some 34000 customers | none | N/A | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | N/A | Within 60 Days | N/A | Yes | Yes | Within 180 Days Biennially For 10 Years | Yes | Within 180 Days Biennial Reports for 10 years | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2008/04/commission-approves-final-consent-order-matter-connecticut |
Life Is Good Inc. | 4/18/2008 | Section 5(a) of the FTC Act | Yes | No | Yes | No | Yes | Yes | No | Life is Good Inc. failed to sufficiently protect consumer data it collected in the course of selling its products. As such, Life is Good was victim to an SQL injection attack that compromised the data of thousands of customers. This, in addition to false claims of security steps taken, led to this indictment. | none | N/A | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | N/A | Within 180 Days | N/A | Yes | Yes | Within 180 Days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2008/04/commission-approves-final-consent-order-matter-life-good-inc |
Reed Elsevier Inc. Seisint Inc. | 8/1/2008 | Section 5(a) of the FTC Act | No | No | Yes | No | Yes | Yes | No | The defendants are in the business of collecting and selling information about consumers as well as selling verification products to their own customers. As such, they host a large database of sensitive information on millions of consumers. The defendants failed to implement security measures that would restrict access to the database such as limited password attempts, multiple account verification, cycling of credentials, Cross Site Scripting vulnerabilities, etc. As a result, several instances of unauthorized users gaining credentials and compromising hundreds of thousands of consumers have been reported. | none | N/A | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | N/A | Within 180 Days | N/A | N/A | Yes | Within 180 Days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2008/08/commission-approves-final-consent-order-matter-tjx-companies-inc |
The TJX Companies Inc. | 8/1/2008 | Section 5(a) of the FTC Act | No | Yes | Yes | Yes | Yes | Yes | No | The retailer routinely collects personal information in the course of processing payments; however, it was found that this information is stored in plaintext, and access to this information is not thoroughly restricted. As such, an intruder installed hacker tools on the defendant's network and found and stole personal information. Additionally, numerous times, payments were intercepted and the personal data was stolen, leading to many millions of compromised cards. | none | N/A | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | N/A | Within 180 Days | N/A | N/A | Yes | Within 180 Days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2008/08/commission-approves-final-consent-order-matter-tjx-companies-inc |
Premier Capital Lending Inc. Debra Stiles | 12/16/2008 | Section 5(a) of the FTC Act GLB Act | Yes | No | Yes | No | Yes | Yes | No | The defendant, a loan company, routinely receives consumer reports from a consumer reporting agency. PCL must have authorized login credentials to access these reports. Debra Stiles provided credentials to a third party company for use from his home business. However, the defendant failed to assess the security risk of this move, or the security practices of the third party. Thus, a hacker was able to breach the security of the third party, gain the credentials, and receive access to the 83 reports the third party requested, as well as an additional 300 more. This, taken with PCL's privacy policy, which claims to take reasonable measures to protect personal information, was found in violation of the GLB Act and the FTC Act. | none | N/A | N/A | N/A | Yes | N/A | 5 years | Within 30 Days | Within 30 Days | 10 years | Within 180 Days | N/A | Yes | Yes | Within 180 Days Biennially For 20 Years | Yes | Within 180 Days Biennial Reports for 20 years | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2008/12/commission-approves-final-consent-order-matter-premier-capital |
Rental Research Services Inc. Lee Mikkelson | 3/5/2009 | Section 604 of the FCRA, 15 U.S.C. § 1681b Section 607(a) of the FCRA, 15 U.S.C. § 1681e(a) Section 5(a)(1) of the FTC Act, 15 U.S.C. § 45(a) | No | No | Yes | No | Yes | Yes | No | The defendants provide tenant screening reports to a variety of businesses, and thus are in the business of selling consumer information. To obtain these reports one must simply apply online. The defendants failed to properly screen customers making these requests and were unclear as to when and how to obtain consumer credentials. Thus, identity thieves, claiming to be a certain person, were able to steal up to 318 identities. | $500,000 (no date mentioned) | N/A | N/A | N/A | Yes | N/A | 7 years | Within 5 Days | Within 30 Days | 4 years | Within 180 Days | Yes | N/A | Yes | Within 180 Days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | Yes | https://www.ftc.gov/news-events/press-releases/2009/03/consumer-reporting-agency-settles-ftc-charges-sold-tenant |
Genica Corp. Compgeeks.com | 3/20/2009 | Section 5(a) of the FTC Act | Yes | Yes | Yes | No | Yes | Yes | No | The defendants sell computer electronics and parts etc. and in doing so collect personal information via credit card purchases. Although their privacy statement ensures the use of reasonable security practices and encryption, this was found to be misleading as the website was hacked multiple times via SQL Injection attacks and hundreds of users' data was compromised | none | N/A | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | N/A | Within 180 Days | N/A | Yes | Yes | Within 180 Days Biennially For 10 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2009/03/ftc-approves-federal-register-notice-establishing-new-fiber-name |
James B. Nutter & Co. | 6/16/2009 | GLB Act | No | No | No | No | Yes | Yes | Yes | The defendant, a mortgage loan company, routinely collects personal user data and operates a computer network for storing, collecting, and preparing this information, sometimes in paper form. The defendant did not take reasonable steps to protect this data or prevent unauthorized breaches. Hackers were able to use the network to send large amounts of spam emails from the company and user data was at risk. Additionally, the privacy statements sent to customers did not set out the means by which privacy was being handled, and informed customers they had 30 days to exercise opt out rights when in fact the Privacy Rule says they can do this at any time. | none | N/A | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | N/A | Within 60 Days | N/A | N/A | Yes | Within 180 Days Biennially For 10 Years | Yes | Within 180 Days Biennial Reports for 10 years | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2009/06/ftc-approves-final-consent-order-related-james-b-nutter-company |
CVS Caremark Corporation | 6/23/2009 | Section 5(a) of the FTC Act | Yes | No | No | Yes | Yes | Yes | No | CVS, in collecting personal information from customers, especially personal health information, failed to implement necessary safeguards to protect this data, including storing it in plain readable text and failing to dispose of it in a manner that would make it inaccessible or unreadable. CVS's privacy policy ensures that it takes steps to prevent this but in truth it has not. | none (note: separate HIPAA charges) | N/A | N/A | N/A | N/A | N/A | 5 years | Within 60 Days | Within 30 Days | N/A | Within 90 Days | N/A | Yes | Yes | Within 1 Year Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial https://www.ftc.gov/news-events/press-releases/2009/06/ftc-approves-final-consent-order-matter-cvs-caremark-corporation |
Gregory Navone | 1/20/2010 | Section 5(a) of the FTC Act Section 628 of the FCRA, 15 U.S.C. § 1681w Section 682.3(a) of the Disposal Rule, 16 C.F.R. § 682.3(a) | Yes | No | No | No | Yes | Yes | No | Gregory Navone was the owner of several mortgage companies, and misrepresented the extent to which he collected, stored, handled, and disposed of personal user information. Most of this "storing" included boxes of consumer files and reports in his own personal garage. | $35,000 (within 5 days) | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Within 30 Days | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2010/01/mortgage-broker-who-dumped-consumer-records-settles-ftc-charges |
Control Scan, Inc. | 2/25/2010 | Section 5(a) of the FTC Act | Yes | No | No | No | Yes | No | Yes | ControlScan is a Data Security Standard provider that gives Privacy Protected seals to companies to reassure consumers that a certain company will keep their data safe. However, ControlScan provided seals to web-based merchants even though ControlScan did not continually verify these merchants with routine inspection. The company also provided current date stamps even though the company did not review sites on a daily basis. | $750,000 (no date mentioned) | N/A | Yes | Yes | N/A | Yes | 5 years | N/A | Within 30 Days | 5 years | Within 180 Days | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | https://www.ftc.gov/news-events/press-releases/2010/02/online-privacy-and-security-certification-service-settles-ftc http://www.greensheet.com/breakingnews.php?flag=breaking_news&id=382 |
Dave & Buster's, Inc. | 6/8/2010 | Section 5(a) of the FTC Act | No | No | Yes | Yes | Yes | Yes | No | Dave & Buster's collects personal information from consumers such as credit card numbers and electronic security codes. To store this data the company transfers the data from in store servers to a third party credit card processing company. But the company did not take the necessary security measures to ensure the safety of this data including failing to restrict 3rd party access, filter outbound traffic, and use firewalls. This data was compromised and 130,000 unique payment credit cards were accessed that resulted in hundreds of thousands of dollars of fraudulent charges. | none | N/A | N/A | N/A | N/A | Yes | 5 years | Within 30 Days | Within 30 Days | 5 years | Within 180 Days | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2010/06/ftc-approves-final-settlement-order-dave-busters-ftc-rejects
https://www.ftc.gov/news-events/press-releases/2010/03/dave-busters-settles-ftc-charges-it-failed-protect-consumers |
ChoicePoint Inc. | 9/22/2010 | Section 5(a) of the FTC Act Section 628 of the FCRA, 15 U.S.C. § 1681w Section 682.3(a) of the Disposal Rule, 16 C.F.R. § 682.3(a) | Yes | No | No | Yes | Yes | Yes | Yes | ChoicePoint is a supplier of identification and credential verification services. ChoicePoint has hundreds of thousands of pieces of personal information and failed to employ reasonable or appropriate security measures to protect this information. Additionally it does not verify the credentials of the information it collects from individuals. Lastly they had multiple privacy policies that were in contradiction of one another and did not accurately reflect what the company was doing. ChoicePoint then violated its first FTC ruling and had to pay additional damages for the violation | $10,000,000 in civil penalties (plus $275,000 to the FTC for the second violation) $5,000,000 for consumer redress | N/A | N/A | N/A | N/A | N/A | 6 years | Within 180 Days | Within 30 Days | N/A | Within 60 Days | N/A | Yes | Yes | Within 1 Year Biennially For 20 Years | N/A | N/A | Yes | N/A | N/A | N/A | Yes |
https://www.ftc.gov/news-events/press-releases/2009/10/consumer-data-broker-choicepoint-failed-protect-consumers
https://www.ftc.gov/news-events/press-releases/2006/01/choicepoint-settles-data-security-breach-charges-pay-10-million |
LifeLock, Inc. | 11/18/2010 | Section 5(a) of the FTC Act | Yes | Yes | No | No | Yes | Yes | Yes | LifeLock is an American identity theft protection company that used deceptive advertising to get clients. They stored millions of customers' personal information and claimed that they would give $1 million to any customer who had their identity stolen. Their data was not encrypted and had other security flaws. | $12,000,000 in consumer redress | 5 Years | Yes (8 years) | Yes | N/A | Yes, 8 years | 5 years | N/A | Within 30 Days | 5 years | Within 180 Days | N/A | Yes | Yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2010/03/lifelock-will-pay-12-million-settle-charges-ftc-35-states
|
Rite Aid Corporation | 11/22/2010 | Section 5(a) of the FTC Act | Yes | No | No | Yes | Yes | No | No | Rite Aid is an American drugstore company. Rite Aid collects user information including credit card information and sensitive medical information. Rite Aid failed to dispose of this information securely and train their employees to properly dispose of the information. | none | N/A | N/A | N/A | N/A | N/A | 5 years | Within 60 Days | Within 30 Days | 5 years | Within 60 Days | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2010/11/ftc-approves-final-order-settling-charges-rite-aid-failed-protect
https://www.ftc.gov/news-events/press-releases/2010/07/rite-aid-settles-ftc-charges-it-failed-protect-medical-and |
Twitter, Inc. | 3/11/2011 | Section 5(a) of the FTC Act | Yes | No | Yes | No | Yes | Yes | Yes | Twitter is an American social media company. Twitter's Privacy Policy promised to protect users' personal information and accounts as well as to keep private messages private. Twitter failed to do so because of poor security choices such as poor password protection and allowing unreasonable numbers of repeated logins, which led to bots hacking into accounts. Intruders were able to compromise users' accounts, including that of US President Barack Obama. | none | N/A | Yes (3 years) | Yes | N/A | N/A | N/A | N/A | Within 30 Days | 5 years | Within 180 Days | N/A | N/A | Yes | Within 180 days Biennially For 10 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2011/03/ftc-accepts-final-settlement-twitter-failure-safeguard-personal
https://www.ftc.gov/news-events/press-releases/2010/06/twitter-settles-charges-it-failed-protect-consumers-personal |
Lookout Services, Inc. | 6/15/2011 | Section 5(a) of the FTC Act | Yes | No | Yes | Yes | Yes | Yes | No | Lookout Services is an employment verification and I-9 compliance software company. Lookout stores personal information of all users including Social Security numbers. Lookout failed to use proper password protection methods and did not secure the individual URLs of its users, meaning that one could guess a URL and bypass the security system. An employee gained access to the entire database in this manner. | none | N/A | Yes (3 years) | Yes | N/A | N/A | N/A | Within 60 Days | Within 30 Days | 5 years | Within 180 Days | N/A | N/A | Yes | Within 180 days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2011/06/ftc-approves-final-orders-settling-charges-companies-failed
https://www.ftc.gov/news-events/press-releases/2011/05/ftc-settles-charges-against-two-companies-allegedly-failed |
Ceridian Corporation | 6/15/2011 | Section 5(a) of the FTC Act | Yes | Yes | Yes | No | Yes | Yes | Yes | Ceridian is a small business payroll software solution. Ceridian stores users' bank account information, Social Security numbers, and dates of birth. Despite assurances of security, Ceridian stored user information in plain text, stored information indefinitely, which made it vulnerable, and left information vulnerable to common attacks such as an SQL injection attack. Intruders exploited this to steal 27,000 users' personal information. | none | 5 Years | N/A | N/A | N/A | N/A | N/A | Within 60 Days | Within 30 Days | 5 years | Within 60 Days | N/A | N/A | Yes | Within 180 days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2011/06/ftc-approves-final-orders-settling-charges-companies-failed
https://www.ftc.gov/news-events/press-releases/2011/05/ftc-settles-charges-against-two-companies-allegedly-failed |
SettlementOne Credit Corporation | 8/19/2011 | Section 5(a) of the FTC Act Section 628 of the FCRA, 15 U.S.C. § 1681w GLB Act | No | No | Yes | Yes | Yes | Yes | Yes | SettlementOne is a credit report reseller. SettlementOne stores customer information. Because of poor practices this information was given away to intruders including at least 784 consumer reports as well as any end user client reports used 90 days prior to the breach. SettlementOne afterwards did not do an adequate job to prevent this again | none | N/A | Yes (5 years) | Yes | N/A | Yes, 5 years | N/A | Within 60 Days | Within 30 Days | N/A | Within 60 Days | N/A | N/A | Yes | Within 60 days Biennially For 20 Years | Yes | Yes | N/A | N/A | N/A | N/A | Yes |
https://www.ftc.gov/news-events/press-releases/2011/08/ftc-approves-final-orders-settling-charges-credit-report
https://www.ftc.gov/news-events/press-releases/2011/02/credit-report-resellers-settle-ftc-charges-security-failures |
Fajilan and Associates, Inc. | 8/19/2011 | Section 5(a) of the FTC Act Section 628 of the FCRA, 15 U.S.C. § 1681w GLB Act | No | No | Yes | Yes | Yes | Yes | Yes | Fajilan and Associates is a credit report reseller. Fajilan and Associates stores customer information. Because of poor practices this information was given away to intruders including at least 323 consumer reports as well as any end user client reports used 90 days prior to the breach. Fajilan and Associates afterwards did not do an adequate job to prevent this again | none | N/A | Yes (5 years) | Yes | N/A | Yes, 5 years | N/A | Within 60 Days | Within 30 Days | 10 years | Within 60 Days | N/A | N/A | Yes | Within 60 days Biennially For 20 Years | Yes | Yes | N/A | N/A | N/A | N/A | Yes |
https://www.ftc.gov/news-events/press-releases/2011/08/ftc-approves-final-orders-settling-charges-credit-report
https://www.ftc.gov/news-events/press-releases/2011/02/credit-report-resellers-settle-ftc-charges-security-failures |
ACRAnet Inc. | 8/19/2011 | Section 5(a) of the FTC Act Section 628 of the FCRA, 15 U.S.C. § 1681w GLB Act | No | No | Yes | Yes | Yes | Yes | Yes | ACRAnet is a credit report reseller. ACRAnet stores customer information. Because of poor practices this information was given away to intruders including at least 694 consumer reports as well as any end user client reports used 90 days prior to the breach. ACRAnet afterwards did not do an adequate job to prevent this again including changing any policies for screening new end users, allowing more breaches to occur | none | N/A | Yes (5 years) | Yes | N/A | Yes, 5 years | N/A | Within 60 Days | Within 30 Days | N/A | Within 60 Days | N/A | N/A | Yes | Within 60 days Biennially For 20 Years | Yes | Yes | N/A | N/A | N/A | N/A | Yes |
https://www.ftc.gov/news-events/press-releases/2011/08/ftc-approves-final-orders-settling-charges-credit-report
https://www.ftc.gov/news-events/press-releases/2011/02/credit-report-resellers-settle-ftc-charges-security-failures |
RockYou, Inc. | 3/27/2012 | Section 5(a) of the FTC Act Section 13039(b) of the COPPA Act | Yes | No | Yes | Yes | Yes | Yes | Yes | RockYou is a social game site that failed to protect the privacy of its users. It allowed hackers to access the information of 179,000 children. RockYou claimed to be able to protect this information but did not. | $250,000 | N/A | Yes | Yes | N/A | Yes | 8 years | N/A | Within 30 Days | 20 years | Within 7 Days | N/A | Yes | Yes | Within 60 days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2012/03/ftc-charges-security-flaws-rockyou-game-site-exposed-32-million
|
Upromise, Inc. | 4/3/2012 | Section 5(a) of the FTC Act | Yes | Yes | No | No | Yes | Yes | No | Upromise is a membership service that allows consumers to save money for college. It gave out a feature called TurboSaver Toolbar which deceptively collected personal information such as social security numbers without consent. This information was not encrypted and could have been taken easily | none | 5 Years | Yes (5 years) | N/A | N/A | Yes | 5 years | N/A | Within 30 Days | N/A | N/A | N/A | N/A | Yes | Within 180 days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | Yes |
https://www.ftc.gov/news-events/press-releases/2012/04/ftc-approves-final-order-settling-charges-upromise
https://www.ftc.gov/news-events/press-releases/2012/01/membership-reward-service-aimed-college-savers-settles-ftc |
Franklin's Budget Car Sales, Inc. | 10/26/2012 | Section 5(a) of the FTC Act GLB Act | Yes | No | No | No | Yes | Yes | No | Franklin is an auto dealer that manages its customers' financial information. Franklin exposed the information of thousands of employees by allowing peer-to-peer sharing software to be installed on corporate computer systems. Franklin failed to identify obvious risks or develop a reasonable security system. | none | 5 Years | N/A | N/A | N/A | N/A | 5 years | Within 60 Days | Within 30 Days | N/A | Within 180 Days | N/A | N/A | Yes | Within 180 days Biennially For 20 Years | Yes | Yes | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2012/10/ftc-finalizes-settlements-businesses-exposed-consumers-sensitive
https://www.ftc.gov/news-events/press-releases/2012/06/ftc-charges-businesses-exposed-sensitive-information-peer-peer |
EPN and Checknet Inc. | 10/26/2012 | Section 5(a) of the FTC Act GLB Act | Yes | No | No | No | Yes | Yes | No | EPN is a debt collector that holds its customers' personal information, including medical visit types, Social Security numbers and insurance numbers. EPN exposed the information of thousands of employees by allowing peer-to-peer sharing software to be installed on corporate computer systems. EPN failed to identify obvious risks or develop a reasonable security system. | none | 5 Years | N/A | N/A | N/A | N/A | 5 years | Within 60 Days for 5 years | Within 30 Days | N/A | Within 180 Days | N/A | N/A | Yes | Within 180 days Biennially For 20 Years | Yes | Yes | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2012/10/ftc-finalizes-settlements-businesses-exposed-consumers-sensitive
https://www.ftc.gov/news-events/press-releases/2012/06/ftc-charges-businesses-exposed-sensitive-information-peer-peer |
PLS Financial Services Inc. | 11/7/2012 | Section 5(a) of the FTC Act Section 628 of the FCRA, 15 U.S.C. § 1681w GLB Act | Yes | No | No | Yes | Yes | No | No | PLS Financial Services owns several payday loan and check cashing stores. They store sensitive information such as Social Security numbers, employment information, loan applications and bank account information. PLS improperly disposed of this information, as it was found in dumpsters near these stores untouched. PLS employees were also not properly trained. | $101,500 | 5 Years | Yes | Yes | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | 5 years | Within 60 Days | N/A | N/A | Yes | Within 180 days Biennially For 20 Years | Yes | Yes | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2012/11/companies-own-manage-payday-lending-check-cashing-stores-settle
|
Compete, Inc. | 2/25/2013 | Section 5(a) of the Federal Trade Commission Act | Yes | No | No | No | Yes | Yes | No | Compete is a company that collects consumer information for the intent of compiling consumer reports to sell to other businesses. It tracks some behavior through the use of a toolbar application. Compete makes claims to protect user data and to strip its collection of personally identifying information, but in fact fails to do this. In addition, Compete fails to disclose the extent to which data is collected to consumers | none | Yes | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | N/A | Within 180 Days | N/A | Yes | Yes | Within 180 days Biennially For 20 Years | N/A | N/A | Yes | Yes | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2013/02/ftc-approves-final-order-settling-charges-against-compete-inc
|
CBR Systems Inc. | 5/3/2013 | Section 5(a) of the FTC Act, 15 U.S.C. § 45(a) | Yes | Yes | No | Yes | Yes | Yes | No | CBR Systems collects umbilical cord blood and tissue for potential medical use given the presence of certain stem cells. Through this they collect and store a variety of personal information medical or otherwise. However, although their privacy policy states that they take the necessary steps to ensure data security, they in fact failed to store and manage data effectively leaving much of it in portable, unencrypted hard drives, one of which was leaked compromising 298,000 customers. | none | N/A | N/A | N/A | N/A | N/A | 3 years | Within 30 Days | Within 30 Days | N/A | Within 60 Days | N/A | Yes | Yes | Within 180 days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2013/05/ftc-approves-final-order-settling-charges-against-cbr-systems-inc
|
HTC America Inc. | 7/2/2013 | Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) | Yes | No | No | No | No | Yes | No | Through customizing its own apps on their smartphones on the Android system, HTC actually made its phones vulnerable to a multitude of breaches. On HTC phones third party apps can circumvent the normal installation and permissions process that regulates which apps have access to personal information. Also HTC states that apps will prompt for permission if requesting access to PI when in fact this prompt was not guaranteed. Lastly, HTC's error reporting tool gives the option of adding location, but regardless if it is checked or not, location information is sent anyway | none | N/A | N/A | N/A | N/A | N/A | 3 years | Within 30 Days | Within 30 Days | N/A | Within 60 Days | N/A | N/A | Yes (and develop patches) | Within 180 days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2013/07/ftc-approves-final-order-settling-charges-against-htc-america-inc
|
TRENDnet, Inc. | 2/7/2014 | Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) | Yes | No | Yes | No | Yes | Yes | No | TRENDnet sells networking devices, prominent among them IP cameras for security monitoring of homes and businesses. While their privacy policy states that the cameras are a secure measure in security monitoring and that feeds are only accessed by authorized users, in actuality the defendant failed to take steps to reasonably secure these devices from unauthorized access. As such, hackers were able to access the live streams of consumer cameras and make them public. | none | N/A | N/A | N/A | N/A | N/A | 5 years | Within 30 Days | Within 30 Days | N/A | Within 60 Days | N/A | Yes | Yes (and notify consumers of breach) | Within 180 days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc
|
Accretive Health, Inc. | 2/24/2014 | Section 5(a) of the FTC Act, 15 U.S.C. § 45(a) | No | No | Yes | No | Yes | Yes | No | Accretive Health works with hospitals and provides services relating to their revenue cycles. Through this they collect and store hospital information including information on patients. Accretive Health did not ensure that this data was sufficiently protected, necessarily disposed of, and transported safely. As such, a laptop containing 20 million pieces of PI was stolen and this information compromised. | none | N/A | N/A | N/A | N/A | N/A | 3 years | Within 30 Days | Within 30 Days | N/A | Within 60 Days | N/A | N/A | Yes | Within 180 days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-consent-settling-charges-accretive-health
|
Genelink, Inc. and foru International Corporation | 5/12/2014 | Sections 5(a) and 12 of the FTC Act. | Yes | No | No | No | Yes | No | No | The defendants are in the business of selling nutritional supplements and skin care products based on at-home genetic tests. Through this process a variety of personal information is collected. Not only do advertisements about their products suggest the mitigation of a variety of diseases and disorders without proof, but the service providers that handle their personal information management did not take steps to reasonably protect this data or prevent unauthorized access. | none | N/A | N/A | N/A | N/A | N/A | 3 years | Within 30 Days | Within 30 Days | N/A | Within 60 Days | N/A | Yes | Yes | Within 180 days Biennially For 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2014/05/ftc-approves-final-consent-orders-settling-charges-companies
|
Fandango, LLC | 8/19/2014 | Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) | Yes | No | No | No | Yes | Yes | No | Fandango's mobile app failed to check SSL certificates and instead overrode them. Over Wi-Fi networks, this is a prime opportunity for attackers to mount man-in-the-middle attacks that intercept user data. This failure goes against Fandango's acclaimed privacy policy. | none | N/A | N/A | N/A | N/A | N/A | 3 years | Within 30 Days | Within 30 Days | N/A | Within 60 Days | N/A | Yes | Yes | Within 180 Days Biennially for 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2014/08/ftc-approves-final-orders-settling-charges-against-fandango
|
Credit Karma, Inc. | 8/19/2014 | Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) | Yes | No | No | No | Yes | Yes | No | Credit Karma's mobile app failed to check SSL certificates and instead overrode them. Over Wi-Fi networks, this is a prime opportunity for attackers to mount man-in-the-middle attacks that intercept user data. This failure goes against Credit Karma's acclaimed privacy policy. | none | N/A | N/A | N/A | N/A | N/A | 3 years | Within 30 Days | Within 30 Days | N/A | Within 120 Days | N/A | Yes | Yes | Within 180 Days Biennially for 20 Years | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
https://www.ftc.gov/news-events/press-releases/2014/08/ftc-approves-final-orders-settling-charges-against-fandango
|