Federal Trade Commission Data Security Cases

Each entry below gives, in order: the respondent(s) and the date of the order; the statutes or rules the FTC alleged were violated; the categories that apply (drawn from False Advertising, Encryption Issues, Security Breach, Data Leakage, Poor Practice, Security Flaws and Privacy Policy Breach); a summary of the problematic conduct; financial redress; the order's record-keeping and audit requirements (copies of consumer advertisements; copies of privacy statements, disclosures, invoices and records of PI collection; statements about privacy policies and changes; consumer complaints; accounting, personnel, customer and sales records; documents showing compliance with the security program; delivery of the order to employees and affiliates; notice to the Commission of corporate changes; reports of changes in an individual respondent's employment and business affiliations; a report detailing the manner of compliance; and response to Commission requests on 10 to 30 days' notice); the conduct mandates (no misrepresentation of the extent of security measures; adoption of a security program; third-party assessments of the program's effectiveness; compliance with the GLB rules and assessments of GLB compliance; no misrepresentation of data collection policies; no collection or disclosure of data without proper notice and consent; no misrepresentation or non-disclosure of consumer action; compliance with CAN-SPAM; compliance with the FCRA); and press coverage. Only the requirements an order actually imposes are listed for each entry, with the retention periods and deadlines the order states; where the source recorded an explicit "No" for a mandate, that is noted.

FTC v. Affordable Accents, Worldwide RX and World Wide Medicine (7/12/2000)
Acts violated: Section 5(a) of the FTC Act, 15 U.S.C. § 45(a); Section 12 of the FTC Act, 15 U.S.C. § 52
Categories: False Advertising; Encryption Issues; Security Flaws
Summary:
- Deceptive practice: represented to customers that prescriptions were handled by on-site doctors and pharmacies, which was not true
- Deceptive practice: claimed that customer data was encrypted and protected by a secure SSL connection, which was not true
- Deceptive practice: represented to customers that IOG could bill their credit cards for Y2K upgrades without authorization
- Deceptive practice: used personal and billing information for purposes beyond the medical services described above
Financial redress: None
Audit requirements: keep copies of consumer advertisements for 5 years; keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 120 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; third-party assessment not required
Press coverage: https://www.ftc.gov/news-events/press-releases/2000/07/online-pharmacies-settle-ftc-charges

FTC v. Eli Lilly and Company (1/18/2002)
Acts violated: Section 5(a) of the FTC Act
Categories: False Advertising; Data Leakage
Summary: Pharmaceutical company Eli Lilly promoted its medication Prozac through its websites, where consumers could subscribe to an email service for reminders and information about their medication. The websites claimed to take steps to protect subscribers' privacy. When the reminder service was cancelled, however, Lilly notified subscribers with a single mass email that listed every subscriber's address in the visible To: line, disclosing personal information it had promised to protect.
Financial redress: None
Audit requirements: keep copies of consumer advertisements for 5 years; keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 120 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; third-party assessment not required
Press coverage: https://www.ftc.gov/news-events/press-releases/2002/01/eli-lilly-settles-ftc-charges-concerning-security-breach

FTC v. Guess? Inc. and Guess.com Inc. (8/5/2003)
Acts violated: Section 5(a) of the FTC Act, 15 U.S.C. § 45
Categories: False Advertising; Encryption Issues; Security Breach
Summary: Guess? and its website Guess.com sell clothing online; customers supply personal information through a web application when purchasing. Guess? claimed to protect and encrypt user data, but the data was held in database tables reachable through the web application, which was vulnerable to attacks such as SQL injection. Guess? failed to take known, reasonably available steps to protect user data while representing that it had done so; its claims that the data was unreadable and encrypted at all times, and that access to it was prevented, were false.
Financial redress: None
Audit requirements: keep copies of consumer advertisements for 5 years; keep documents showing compliance with the security program for 3 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 120 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; third-party assessment not required
Press coverage: https://www.ftc.gov/news-events/press-releases/2003/06/guess-settles-ftc-security-charges-third-ftc-case-targets-false

FTC v. MTS Inc. and Tower Direct LLC (6/4/2004)
Acts violated: Section 5(a) of the FTC Act
Categories: False Advertising; Poor Practice
Summary: MTS and its subsidiary Tower sell records, books and video online. Customers purchase through a web application and receive an order number for tracking their purchases. MTS and Tower claimed to take reasonable steps to protect privacy. When part of the site's code was updated, the corresponding authentication check was not, so anyone holding a valid order number could view order information belonging to other customers; about 5,225 customers had their information exposed to unauthorized parties. The claim of reasonable protection was false, and this broken access and session management was a known, readily fixable class of flaw.
Financial redress: None
Audit requirements: keep copies of consumer advertisements for 5 years; keep documents showing compliance with the security program biennially for 3 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; obtain third-party assessments biennially for 10 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2004/04/tower-records-settles-ftc-charges

FTC v. Sunbelt Lending Services Inc. (1/7/2005)
Acts violated: Section 4 of the FTC Act, 15 U.S.C. § 44; Safeguarding Customer Information Rule (Safeguards Rule); Privacy of Consumer Financial Information Rule (Privacy Rule); Gramm-Leach-Bliley Act, 15 U.S.C. § 6801; Section 5(a)(1) of the FTC Act
Categories: Poor Practice
Summary: Sunbelt Lending collects sensitive data such as Social Security numbers and failed to identify and mitigate risks to its security; one example is poor security practice for remote work. This violates the Safeguards Rule. Sunbelt also failed to give customers notices describing its privacy policies and practices, in violation of the Privacy Rule.
Financial redress: None
Audit requirements: deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days
Mandates: no standalone security-program mandate (recorded as No); will not violate the GLB rules; obtain an assessment of GLB compliance within 180 days and biennial reports for 10 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2004/11/ftc-enforces-gramm-leach-bliley-acts-safeguards-rule-against

FTC v. Petco (3/8/2005)
Acts violated: Section 5(a) of the Federal Trade Commission Act
Categories: Encryption Issues; Security Breach
Summary: Petco collects personal information, including credit card information, when consumers buy products through its web application. The information was not securely encrypted and reasonable measures were not taken to prevent attacks such as SQL injection. This poor practice, combined with claims to the contrary, violated the FTC Act.
Financial redress: None
Audit requirements: keep copies of consumer advertisements for 5 years; keep documents showing compliance with the security program biennially for 3 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; obtain third-party assessments biennially for 20 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2004/11/petco-settles-ftc-charges

FTC v. Nationwide (11/9/2004)
Acts violated: Gramm-Leach-Bliley Act, 15 U.S.C. § 6801; Section 5(a)(1) of the FTC Act
Categories: Poor Practice
Summary: Nationwide collects personal information from its customers and failed to implement protective practices to keep it secure; for example, it stored the information on a computer network accessible to all employees. Nationwide also failed to give its customers notice of its privacy practices. These are violations of the Safeguards Rule and Privacy Rule under the GLB Act.
Financial redress: None
Audit requirements: deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; report changes in employment and business affiliations for 10 years; file a compliance report within 180 days
Mandates: no standalone security-program mandate (recorded as No); will not violate the GLB rules; obtain an assessment of GLB compliance within 180 days and biennial reports for 10 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2004/11/ftc-enforces-gramm-leach-bliley-acts-safeguards-rule-against
https://www.ftc.gov/news-events/press-releases/2005/03/mortgage-company-settles-ftc-charges

FTC v. Vision I (4/26/2005)
Acts violated: Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)
Categories: False Advertising
Summary: Vision I designs "shopping cart" software used on merchants' sites, where buyers shop for goods and supply personal information in the process. Although the merchant sites may adhere to their own privacy policies, consumers were not made aware that Vision I's third-party software did not follow the same standards. In fact, Vision I collected the information and rented it to other merchants for marketing purposes, which was held to be an unfair or deceptive practice.
Financial redress: $9,101.63 (within 5 days)
Audit requirements: keep copies of privacy statements, disclosures, invoices and records of PI collection for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 60 days
Mandates: no security-program mandate (recorded as No); will not misrepresent data collection policies; will not collect or disclose data without proper notice and consent
Press coverage: https://www.ftc.gov/news-events/press-releases/2005/03/internet-service-provider-settles-ftc-privacy-charges

FTC v. BJ's Wholesale Club (9/23/2005)
Acts violated: Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)
Categories: Encryption Issues; Poor Practice
Summary: BJ's Wholesale Club operates warehouse clubs across the country. Consumers frequently pay by credit or debit card, and the card data is collected and stored on the store's computer network before being sent to banks for authorization. BJ's did not encrypt this information in transit, left it accessible to unauthenticated users, did not restrict wireless access to its network, and retained the data for unnecessarily long periods. The result was a wave of credit card fraud amounting to several million dollars in fraudulent purchases.
Financial redress: None
Audit requirements: keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days
Mandates: adopt a security program; obtain a third-party assessment within 180 days and biennially for 20 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2005/06/bjs-wholesale-club-settles-ftc-charges

FTC v. Superior Mortgage Corporation (12/16/2005)
Acts violated: Section 5(a)(1) of the FTC Act
Categories: Encryption Issues; Poor Practice
Summary: Superior Mortgage, through its loan business, collects personal information from clients but did not take steps to keep it safe: weak password policies, a lack of encryption, and no verification of its service providers' practices, in violation of the Safeguards Rule. Its claim that personal information was encrypted from the beginning to the end of a transaction was also false; the data was encrypted only in transit to third-party service providers, after which it was decrypted and handled in plaintext.
Financial redress: None
Audit requirements: deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days
Mandates: no misrepresentation of the extent of security measures; no standalone security-program mandate (recorded as No); will not violate the GLB rules; obtain an assessment of GLB compliance within 180 days and biennial reports for 10 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2005/09/mortgage-company-settles-information-security-charges

FTC v. DSW Inc. (3/14/2006)
Acts violated: Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)
Categories: Encryption Issues; Poor Practice
Summary: DSW allowed the theft of 1,438,281 credit and debit card records and almost 100,000 checking account and driver's license numbers through poor practices that included storing personal information in multiple files for longer than necessary, failing to limit wireless access to its networks, failing to encrypt data held in files accessible with a commonly known user ID and password, allowing computers on one in-store network to connect to other networks, and failing to employ measures to detect unauthorized access.
Financial redress: None
Audit requirements: keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days, continuing for 10 years; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days
Mandates: adopt a security program; obtain a third-party assessment within 180 days and biennially for 20 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2005/12/dsw-inc-settles-ftc-charges
https://www.ftc.gov/news-events/press-releases/2006/03/commission-approves-final-order-matter-dsw-inc

FTC v. Nations Title Agency Inc., Nations Holding Company and Christopher M. Likens (6/20/2006)
Acts violated: Section 5(a) of the FTC Act; GLB Act
Categories: Poor Practice
Summary: Nations Holding Company and its subsidiaries regularly collect personal information in their home-financing business. They routinely failed to assess risks to that information, train employees to handle it, implement defenses against common website attacks or access-control policies, implement measures to detect unauthorized access, and reasonably oversee third parties' handling of the data. Beyond the digital failures, hard copies of sensitive information were found near the office premises. Combined with the false claim that NTA employed reasonable protection practices, these acts were found to violate the Safeguards Rule and Privacy Rule under the GLB Act.
Financial redress: None
Audit requirements: keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; report changes in employment and business affiliations for 10 years; file a compliance report within 180 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; obtain a third-party assessment within 180 days and biennially for 20 years; will not violate the GLB rules; GLB compliance assessment not required
Press coverage: https://www.ftc.gov/news-events/press-releases/2006/05/real-estate-services-company-settles-privacy-and-security-charge
https://www.ftc.gov/news-events/press-releases/2006/06/ftc-staff-alpena-michigan-public-schools-planned-pharmaceutical

FTC v. Snapchat, Inc. (5/8/2014)
Acts violated: Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)
Categories: False Advertising; Security Flaws; Privacy Policy Breach
Summary: Snapchat provides a mobile application through which consumers send and receive photo and video messages known as "snaps." Snapchat marketed these messages as disappearing once the recipient opened them, but several methods existed to capture them: reading the video files from the unrestricted area of the phone where they were briefly stored, using Snapchat's application programming interface (API) to download sent images, or taking a screenshot before the image disappeared, which on the iPhone could be done undetected with a double tap of the home button. Snapchat also led consumers to believe that it did not track their geolocation, did not collect contact information, and stored their friends' information securely, none of which was true.
Financial redress: None
Audit requirements: keep statements about privacy policies and changes; keep consumer complaints; documents showing compliance with the security program not required; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; respond to Commission requests on notice
Mandates: no misrepresentation of the extent of security measures; adopt a comprehensive privacy program within 180 days; obtain third-party assessments biennially for 20 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2014/05/snapchat-settles-ftc-charges-promises-disappearing-messages-were
http://www.washingtonpost.com/blogs/the-switch/wp/2014/05/08/snapchat-agrees-to-settle-ftc-charges-that-it-deceived-users/
http://www.wsj.com/articles/SB10001424052702304655304579550010332216676

FTC v. GMR Transcription Services, Inc. (1/31/2014)
Acts violated: Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)
Categories: False Advertising; Security Flaws; Privacy Policy Breach
Summary: GMR Transcription Services transcribes audio files for customers; the audio and transcript files can contain sensitive health, financial or personal information. GMR assured customers that their data was kept secure, but the files were stored and transmitted in a way that left them accessible online to anyone, without authentication. A major search engine indexed the files and their contents were viewable by anyone; the search engine removed them when asked. GMR could easily have corrected these security failures.
Financial redress: None
Audit requirements: keep copies of consumer advertisements for 5 years; keep documents showing compliance with the security program for 3 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; report changes in employment and business affiliations for 10 years; file a compliance report within 60 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; obtain a third-party assessment within 180 days and biennially for 20 years; will not misrepresent data collection policies
Press coverage: https://www.ftc.gov/news-events/press-releases/2014/01/provider-medical-transcript-services-settles-ftc-charges-it
https://www.ftc.gov/news-events/press-releases/2014/08/ftc-approves-final-order-case-against-gmr-transcription-services

FTC v. CardSystems Solutions (9/8/2006)
Acts violated: Section 5(a) of the Federal Trade Commission Act
Categories: Security Breach; Poor Practice; Security Flaws
Summary: CardSystems Solutions provides merchants with products and services that authorize credit and debit card purchases by reading security data from the card and transmitting it to banks for authorization. CardSystems failed to implement basic security measures to protect the data it stored and fell victim to a SQL injection attack that compromised tens of millions of cards.
Financial redress: None
Audit requirements: keep documents showing compliance with the security program for 3 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days
Mandates: adopt a security program; obtain a third-party assessment within 180 days and biennially for 20 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2006/09/ftcdoj-issue-annual-hsr-premerger-notification-report-congress

FTC v. Guidance Software Inc. (4/3/2007)
Acts violated: Section 5(a) of the Federal Trade Commission Act
Categories: False Advertising; Encryption Issues; Security Breach; Poor Practice; Security Flaws
Summary: Guidance Software sells computer forensic products and services used to investigate security breaches, and collects personal information in the course of those transactions. Although it claimed to take security measures, including the use of SSL, the measures were either ineffective or absent. This, together with an actual breach via SQL injection that compromised customer information, led to the complaint.
Financial redress: None
Audit requirements: keep documents showing compliance with the security program for 3 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; obtain a third-party assessment within 180 days and biennially for 10 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2007/04/commission-approves-final-consent-order-matter-guidance-software

FTC v. American United Mortgage Company (12/18/2007)
Acts violated: Disposal Rule, 16 C.F.R. § 682.1(b); Gramm-Leach-Bliley Act, 15 U.S.C. § 6801
Categories: Poor Practice; Security Flaws
Summary: American United Mortgage, which collects various forms of personal information from clients, failed to store and dispose of that information safely. Intact copies of consumer reports were found around the building, and the company failed to act when warned. This violated the Disposal Rule and both the Privacy and Safeguards Rules under the GLB Act.
Financial redress: $50,000.00 (within 30 days)
Audit requirements: keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days; respond to Commission requests on notice
Mandates: no standalone security-program mandate (recorded as No); will not violate the GLB rules; obtain an assessment of GLB compliance within 180 days and biennial reports for 10 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2007/12/company-will-pay-50000-penalty-tossing-consumers-credit-report

FTC v. ValueClick Inc., Hi-Speed Media Inc. and E-Babylon Inc. (3/17/2008)
Acts violated: Section 5(a) of the FTC Act, 15 U.S.C. § 45(a); Section 5(a)(2) of CAN-SPAM, 15 U.S.C. § 7704(a)(2)
Categories: False Advertising; Encryption Issues; Poor Practice; Security Flaws
Summary: The defendants sent lead-generation emails whose subject lines implied that the recipient had won a prize, or otherwise misled consumers about the additional steps they had to take, or money they had to pay, to receive the promised goods; the emails led only to a series of landing pages. After acquiring E-Babylon, the defendants also collected personal information including credit card data. The measures protecting that data were insufficient, including a lack of encryption, even though their privacy statements said such measures were in place.
Financial redress: $2,900,000 (within 10 days)
Audit requirements: keep consumer complaints; keep accounting, personnel, customer and sales records for 8 years; keep documents showing compliance with the security program for 5 years; deliver the order to employees within 10 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days; respond to Commission requests on notice
Mandates: no misrepresentation of the extent of security measures; adopt a security program; obtain a third-party assessment within 180 days and biennially for 20 years; will not misrepresent or fail to disclose consumer action; will not violate the CAN-SPAM Act
Press coverage: https://www.ftc.gov/news-events/press-releases/2008/03/valueclick-pay-29-million-settle-ftc-charges

FTC v. Goal Financial LLC (4/15/2008)
Acts violated: Section 5(a) of the FTC Act; GLB Act
Categories: False Advertising; Encryption Issues; Security Breach; Poor Practice; Security Flaws
Summary: Through its loan-related services, Goal Financial collects a variety of confidential personal information. It claimed to protect this data adequately and to give access only to authorized employees, but this was untrue: employees were able to access and transfer more than 7,000 consumer files without authorization, and one employee sold unwiped, unprotected hard drives from the company, compromising information on some 34,000 customers.
Financial redress: None
Audit requirements: keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 60 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; obtain a third-party assessment within 180 days and biennially for 10 years; will not violate the GLB rules; obtain an assessment of GLB compliance within 180 days and biennial reports for 10 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2008/04/commission-approves-final-consent-order-matter-connecticut

FTC v. Life Is Good Inc. (4/18/2008)
Acts violated: Section 5(a) of the FTC Act
Categories: False Advertising; Security Breach; Poor Practice; Security Flaws
Summary: Life is Good Inc. failed to adequately protect the consumer data it collected while selling its products and fell victim to a SQL injection attack that compromised the data of thousands of customers. Together with its false claims about the security measures it had taken, this led to the complaint.
Financial redress: None
Audit requirements: keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; obtain a third-party assessment within 180 days and biennially for 20 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2008/04/commission-approves-final-consent-order-matter-life-good-inc

FTC v. Reed Elsevier Inc. and Seisint Inc. (8/1/2008)
Acts violated: Section 5(a) of the FTC Act
Categories: Security Breach; Poor Practice; Security Flaws
Summary: The respondents collect and sell information about consumers and sell verification products to their own customers, and so host a large database of sensitive information on millions of consumers. They failed to implement measures that would restrict access to the database, such as limiting failed password attempts, requiring additional account verification and rotating credentials, and left the application exposed to cross-site scripting vulnerabilities. As a result, several instances were reported of unauthorized users obtaining credentials and compromising the records of hundreds of thousands of consumers.
Financial redress: None
Audit requirements: keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days
Mandates: adopt a security program; obtain a third-party assessment within 180 days and biennially for 20 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2008/08/commission-approves-final-consent-order-matter-tjx-companies-inc

FTC v. The TJX Companies Inc. (8/1/2008)
Acts violated: Section 5(a) of the FTC Act
Categories: Encryption Issues; Security Breach; Data Leakage; Poor Practice; Security Flaws
Summary: The retailer routinely collects personal information when processing payments, but the information was stored in clear text and access to it was not adequately restricted. An intruder installed hacker tools on TJX's network and located and stole personal information; on numerous occasions payment transactions were also intercepted in transit and the card data stolen, compromising many millions of cards.
Financial redress: None
Audit requirements: keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days
Mandates: adopt a security program; obtain a third-party assessment within 180 days and biennially for 20 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2008/08/commission-approves-final-consent-order-matter-tjx-companies-inc

FTC v. Premier Capital Lending Inc. and Debra Stiles (12/16/2008)
Acts violated: Section 5(a) of the FTC Act; GLB Act
Categories: False Advertising; Security Breach; Poor Practice; Security Flaws
Summary: The respondent, a loan company, routinely obtains consumer reports from a consumer reporting agency and must present authorized login credentials to access them. Debra Stiles provided those credentials to a third party operating a home-based business, without assessing the security risk of doing so or the third party's security practices. A hacker breached the third party's systems, obtained the credentials, and accessed the 83 reports the third party had requested plus about 300 more. Taken together with PCL's privacy policy, which claimed reasonable measures to protect personal information, this was found to violate the GLB Act and the FTC Act.
Financial redress: None
Audit requirements: keep consumer complaints; keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; report changes in employment and business affiliations for 10 years; file a compliance report within 180 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; obtain a third-party assessment within 180 days and biennially for 20 years; will not violate the GLB rules; obtain an assessment of GLB compliance within 180 days and biennial reports for 20 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2008/12/commission-approves-final-consent-order-matter-premier-capital

FTC v. Rental Research Services Inc. and Lee Mikkelson (3/5/2009)
Acts violated: Section 604 of the FCRA, 15 U.S.C. § 1681b; Section 607(a) of the FCRA, 15 U.S.C. § 1681e(a); Section 5(a)(1) of the FTC Act, 15 U.S.C. § 45(a)
Categories: Security Breach; Poor Practice; Security Flaws
Summary: The defendants provide tenant screening reports to a variety of businesses and so are in the business of selling consumer information; to obtain a report one need only apply online. The defendants failed to properly screen customers making these requests and had no clear procedure for when and how to verify a requester's credentials, so identity thieves posing as legitimate customers were able to obtain reports on as many as 318 consumers.
Financial redress: $500,000 (no date mentioned)
Audit requirements: keep consumer complaints; keep documents showing compliance with the security program for 7 years; deliver the order to employees within 5 days; notify the Commission of corporate changes within 30 days; report changes in employment and business affiliations for 4 years; file a compliance report within 180 days; respond to Commission requests on notice
Mandates: adopt a security program; obtain a third-party assessment within 180 days and biennially for 20 years; will not violate the FCRA
Press coverage: https://www.ftc.gov/news-events/press-releases/2009/03/consumer-reporting-agency-settles-ftc-charges-sold-tenant

FTC v. Genica Corp. and Compgeeks.com (3/20/2009)
Acts violated: Section 5(a) of the FTC Act
Categories: False Advertising; Encryption Issues; Security Breach; Poor Practice; Security Flaws
Summary: The defendants sell computer electronics and parts and collect personal information through credit card purchases. Their privacy statement promised reasonable security practices and encryption, but the website was hacked multiple times through SQL injection attacks and hundreds of users' data was compromised, making the statement misleading.
Financial redress: None
Audit requirements: keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 180 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; obtain a third-party assessment within 180 days and biennially for 10 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2009/03/ftc-approves-federal-register-notice-establishing-new-fiber-name

FTC v. James B. Nutter & Co. (6/16/2009)
Acts violated: GLB Act
Categories: Poor Practice; Security Flaws; Privacy Policy Breach
Summary: The defendant, a mortgage lender, routinely collects personal data and operates a computer network for storing, collecting and preparing it, sometimes in paper form. It did not take reasonable steps to protect the data or prevent unauthorized access; hackers used the network to send large volumes of spam email from the company, putting user data at risk. In addition, the privacy notices sent to customers did not describe how privacy was being handled, and told customers they had 30 days to exercise their opt-out rights when the Privacy Rule allows them to opt out at any time.
Financial redress: None
Audit requirements: keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; file a compliance report within 60 days
Mandates: adopt a security program; obtain a third-party assessment within 180 days and biennially for 10 years; will not violate the GLB rules; obtain an assessment of GLB compliance within 180 days and biennial reports for 10 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2009/06/ftc-approves-final-consent-order-related-james-b-nutter-company

FTC v. CVS Caremark Corporation (6/23/2009)
Acts violated: Section 5(a) of the FTC Act
Categories: False Advertising; Data Leakage; Poor Practice; Security Flaws
Summary: CVS, which collects personal information from customers, including health information, failed to implement the safeguards needed to protect that data: it kept the data in plain readable form and disposed of it without rendering it inaccessible or unreadable. CVS's privacy policy stated that it took steps to prevent this, which it had not.
Financial redress: None (separate HIPAA charges were resolved with HHS)
Audit requirements: keep documents showing compliance with the security program for 5 years; deliver the order to employees within 60 days; notify the Commission of corporate changes within 30 days; file a compliance report within 90 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; obtain a third-party assessment within 1 year and biennially for 20 years
Press coverage: https://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial
https://www.ftc.gov/news-events/press-releases/2009/06/ftc-approves-final-consent-order-matter-cvs-caremark-corporation

FTC v. Gregory Navone (1/20/2010)
Acts violated: Section 5(a) of the FTC Act; Section 628 of the FCRA, 15 U.S.C. § 1681w; Disposal Rule, 16 C.F.R. § 682.3(a)
Categories: False Advertising; Poor Practice; Security Flaws
Summary: Gregory Navone owned several mortgage companies and misrepresented how he collected, stored, handled and disposed of consumers' personal information. Much of this "storage" consisted of boxes of consumer files and reports kept in his personal garage.
Financial redress: $35,000 (within 5 days)
Audit requirements: notify the Commission of corporate changes within 30 days
Mandates: none recorded
Press coverage: https://www.ftc.gov/news-events/press-releases/2010/01/mortgage-broker-who-dumped-consumer-records-settles-ftc-charges

FTC v. ControlScan, Inc. (2/25/2010)
Acts violated: Section 5(a) of the FTC Act
Categories: False Advertising; Poor Practice; Privacy Policy Breach
Summary: ControlScan sells website security and privacy certification seals, such as its "Privacy Protected" seal, that merchants display to reassure consumers their data will be kept safe. ControlScan issued seals to web-based merchants without continually verifying them through routine inspection, and displayed current date stamps on the seals even though it did not review the sites daily.
Financial redress: $750,000 (no date mentioned)
Audit requirements: keep copies of privacy statements, disclosures, invoices and records of PI collection; keep statements about privacy policies and changes; keep accounting, personnel, customer and sales records; keep documents showing compliance with the security program for 5 years; notify the Commission of corporate changes within 30 days; report changes in employment and business affiliations for 5 years; file a compliance report within 180 days
Mandates: none recorded
Press coverage: https://www.ftc.gov/news-events/press-releases/2010/02/online-privacy-and-security-certification-service-settles-ftc
http://www.greensheet.com/breakingnews.php?flag=breaking_news&id=382

FTC v. Dave & Buster's, Inc. (6/8/2010)
Acts violated: Section 5(a) of the FTC Act
Categories: Security Breach; Data Leakage; Poor Practice; Security Flaws
Summary: Dave & Buster's collects personal information from consumers such as credit card numbers and card security codes. To process payments, it transmits the data from in-store servers to a third-party payment processor, but it did not take the security measures needed to protect the data, including failing to restrict third-party access to its network, filter outbound traffic, and use firewalls. The data was compromised: about 130,000 unique payment cards were accessed, resulting in several hundred thousand dollars of fraudulent charges.
Financial redress: None
Audit requirements: keep accounting, personnel, customer and sales records; keep documents showing compliance with the security program for 5 years; deliver the order to employees within 30 days; notify the Commission of corporate changes within 30 days; report changes in employment and business affiliations for 5 years; file a compliance report within 180 days
Mandates: adopt a security program
Press coverage: https://www.ftc.gov/news-events/press-releases/2010/06/ftc-approves-final-settlement-order-dave-busters-ftc-rejects
https://www.ftc.gov/news-events/press-releases/2010/03/dave-busters-settles-ftc-charges-it-failed-protect-consumers

FTC v. ChoicePoint Inc. (9/22/2010)
Acts violated: Section 5(a) of the FTC Act; Section 628 of the FCRA, 15 U.S.C. § 1681w; Disposal Rule, 16 C.F.R. § 682.3(a)
Categories: False Advertising; Data Leakage; Poor Practice; Security Flaws; Privacy Policy Breach
Summary: ChoicePoint supplies identification and credential verification services and held personal information on hundreds of thousands of consumers without employing reasonable or appropriate security measures to protect it. It also failed to adequately verify the credentials of the subscribers who obtained that consumer data. Its multiple privacy policies contradicted one another and did not accurately reflect the company's practices. ChoicePoint later violated its first FTC order and paid an additional penalty for that violation.
Financial redress: $10,000,000 in civil penalties and $5,000,000 for consumer redress, plus $275,000 to the FTC for the later order violation
Audit requirements: keep documents showing compliance with the security program for 6 years; deliver the order to employees within 180 days; notify the Commission of corporate changes within 30 days; file a compliance report within 60 days
Mandates: no misrepresentation of the extent of security measures; adopt a security program; obtain a third-party assessment within 1 year and biennially for 20 years; will not misrepresent data collection policies; will not violate the FCRA
Press coverage: https://www.ftc.gov/news-events/press-releases/2009/10/consumer-data-broker-choicepoint-failed-protect-consumers
https://www.ftc.gov/news-events/press-releases/2006/01/choicepoint-settles-data-security-breach-charges-pay-10-million

LifeLock, Inc. 11/18/2010 Section 5(a) of the FTC Act Yes Yes No No Yes Yes Yes LifeLock is an American identity theft protection company that used deceptive advertising to attract customers, including claims that its service protected against all forms of identity theft and a $1 million guarantee to any customer whose identity was stolen while enrolled. It stored millions of customers' personal information and claimed that the data was encrypted and accessible only on a need-to-know basis, but the data was not encrypted and the system had other security weaknesses. $12,000,000 in consumer redress 5 Years Yes (8 years) Yes N/A Yes, 8 years 5 years N/A Within 30 Days 5 years Within 180 Days N/A Yes Yes N/A N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2010/03/lifelock-will-pay-12-million-settle-charges-ftc-35-states
Rite Aid Corporation 11/22/2010 Section 5(a) of the FTC Act Yes No No Yes Yes No No Rite Aid is an American drugstore chain that collects sensitive information from customers and employees, including financial information and medical and prescription information. Despite claiming to protect this information, Rite Aid discarded records such as pharmacy labels and employment applications in unsecured, publicly accessible dumpsters, failed to train employees in secure disposal, and failed to assess its own disposal practices. none N/A N/A N/A N/A N/A 5 years Within 60 Days Within 30 Days 5 years Within 60 Days N/A N/A Yes N/A N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2010/11/ftc-approves-final-order-settling-charges-rite-aid-failed-protect
https://www.ftc.gov/news-events/press-releases/2010/07/rite-aid-settles-ftc-charges-it-failed-protect-medical-and
Twitter, Inc. 3/11/2011 Section 5(a) of the FTC Act Yes No Yes No Yes Yes Yes Twitter is an American social media company whose privacy policy promised to protect users' personal information and accounts and to keep direct messages private. Twitter failed to do so: it allowed weak administrative passwords, did not lock out or rate-limit repeated failed login attempts, and gave nearly all employees administrative control over the system. In January 2009 an intruder used an automated password-guessing tool to recover an administrative password, and intruders went on to take control of user accounts, including that of then President-elect Barack Obama, sending unauthorized tweets and reading private messages. none N/A Yes (3 years) Yes N/A N/A N/A N/A Within 30 Days 5 years Within 180 Days N/A N/A Yes Within 180 days Biennially For 10 Years N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2011/03/ftc-accepts-final-settlement-twitter-failure-safeguard-personal
https://www.ftc.gov/news-events/press-releases/2010/06/twitter-settles-charges-it-failed-protect-consumers-personal
Lookout Services, Inc. 6/15/2011 Section 5(a) of the FTC Act Yes No Yes Yes Yes Yes No Lookout Services sells employment-eligibility verification (Form I-9 compliance) software and stores the personal information of its customers' employees, including Social Security numbers, dates of birth and passport numbers. Lookout did not enforce strong passwords or limit failed login attempts, and its web application performed no authorization check on the URLs that identified stored data, so anyone who guessed or edited a URL could bypass the login page and retrieve records. An employee of one of Lookout's customers used this flaw to reach the entire database. none N/A Yes (3 years) Yes N/A N/A N/A Within 60 Days Within 30 Days 5 years Within 180 Days N/A N/A Yes Within 180 days Biennially For 20 Years N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2011/06/ftc-approves-final-orders-settling-charges-companies-failed
https://www.ftc.gov/news-events/press-releases/2011/05/ftc-settles-charges-against-two-companies-allegedly-failed
Ceridian Corporation 6/15/2011 Section 5(a) of the FTC Act Yes Yes Yes No Yes Yes Yes Ceridian provides payroll processing services to small businesses and stores their employees' bank account numbers, Social Security numbers and dates of birth. Despite assuring customers that its web-based payroll application was secure, Ceridian stored this information in clear text, kept it indefinitely with no business need, and left the application open to common attacks such as SQL injection. Intruders exploited an SQL injection flaw to steal the personal information of some 27,000 employees of Ceridian's customers. none 5 Years N/A N/A N/A N/A N/A Within 60 Days Within 30 Days 5 years Within 60 Days N/A N/A Yes Within 180 days Biennially For 20 Years N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2011/06/ftc-approves-final-orders-settling-charges-companies-failed
https://www.ftc.gov/news-events/press-releases/2011/05/ftc-settles-charges-against-two-companies-allegedly-failed
SettlementOne Credit Corporation 8/19/2011 Section 5(a) of the FTC Act; Section 628 of the FCRA, 15 U.S.C. § 1681w; GLB Act No No Yes Yes Yes Yes Yes SettlementOne is a credit report reseller that obtains consumer reports from the national credit bureaus and sells them to end-user clients such as mortgage brokers. It did not require those end users to have basic security measures (such as firewalls and current antivirus software) before giving them internet access to consumer reports, and it did not monitor their activity. Intruders who compromised end-user client computers used the clients' credentials to pull at least 784 consumer reports, and they also had access to every report those clients had obtained in the 90 days before the breach. Even afterwards, SettlementOne did not adequately improve its screening or monitoring of end users. none N/A Yes (5 years) Yes N/A Yes, 5 years N/A Within 60 Days Within 30 Days N/A Within 60 Days N/A N/A Yes Within 60 days Biennially For 20 Years Yes Yes N/A N/A N/A N/A Yes https://www.ftc.gov/news-events/press-releases/2011/08/ftc-approves-final-orders-settling-charges-credit-report
https://www.ftc.gov/news-events/press-releases/2011/02/credit-report-resellers-settle-ftc-charges-security-failures
Fajilan and Associates, Inc. 8/19/2011 Section 5(a) of the FTC Act; Section 628 of the FCRA, 15 U.S.C. § 1681w; GLB Act No No Yes Yes Yes Yes Yes Fajilan and Associates is a credit report reseller that obtains consumer reports from the national credit bureaus and sells them to end-user clients such as mortgage brokers. It did not require those end users to have basic security measures before giving them internet access to consumer reports, and it did not monitor their activity. Intruders who compromised end-user client computers used the clients' credentials to pull at least 323 consumer reports, and they also had access to every report those clients had obtained in the 90 days before the breach. Even afterwards, Fajilan did not adequately improve its screening or monitoring of end users. none N/A Yes (5 years) Yes N/A Yes, 5 years N/A Within 60 Days Within 30 Days 10 years Within 60 Days N/A N/A Yes Within 60 days Biennially For 20 Years Yes Yes N/A N/A N/A N/A Yes https://www.ftc.gov/news-events/press-releases/2011/08/ftc-approves-final-orders-settling-charges-credit-report
https://www.ftc.gov/news-events/press-releases/2011/02/credit-report-resellers-settle-ftc-charges-security-failures
ACRAnet Inc. 8/19/2011 Section 5(a) of the FTC Act; Section 628 of the FCRA, 15 U.S.C. § 1681w; GLB Act No No Yes Yes Yes Yes Yes ACRAnet is a credit report reseller that obtains consumer reports from the national credit bureaus and sells them to end-user clients such as mortgage brokers. It did not require those end users to have basic security measures before giving them internet access to consumer reports, and it did not monitor their activity. Intruders who compromised end-user client computers used the clients' credentials to pull at least 694 consumer reports, and they also had access to every report those clients had obtained in the 90 days before the breach. Even afterwards, ACRAnet did not change its policies for screening new end users or monitoring existing ones, and further breaches followed. none N/A Yes (5 years) Yes N/A Yes, 5 years N/A Within 60 Days Within 30 Days N/A Within 60 Days N/A N/A Yes Within 60 days Biennially For 20 Years Yes Yes N/A N/A N/A N/A Yes https://www.ftc.gov/news-events/press-releases/2011/08/ftc-approves-final-orders-settling-charges-credit-report
https://www.ftc.gov/news-events/press-releases/2011/02/credit-report-resellers-settle-ftc-charges-security-failures
RockYou, Inc. 3/27/2012 Section 5(a) of the FTC Act; Section 1303(b) of COPPA, 15 U.S.C. § 6502(b) Yes No Yes Yes Yes Yes Yes RockYou operates social games and applications and collected users' email addresses and passwords, which it stored in clear text despite claiming to protect them. Hackers exploited well-known web application weaknesses, including SQL injection, to access the data of about 32 million users, among them roughly 179,000 children under 13 whose information RockYou had collected without verifiable parental consent. $250,000 N/A Yes Yes N/A Yes 8 years N/A Within 30 Days 20 years Within 7 Days N/A Yes Yes Within 60 days Biennially For 20 Years N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2012/03/ftc-charges-security-flaws-rockyou-game-site-exposed-32-million
Upromise, Inc. 4/3/2012 Section 5(a) of the FTC Act Yes Yes No No Yes Yes No Upromise is a membership rewards service that helps consumers save for college. It distributed a browser add-on, the TurboSaver Toolbar, that collected far more data than its privacy claims disclosed, including Social Security numbers, credit card numbers, usernames and passwords entered on secure web pages, and transmitted that information over the internet in clear text, where it could easily be intercepted. none 5 Years Yes (5 years) N/A N/A Yes 5 years N/A Within 30 Days N/A N/A N/A N/A Yes Within 180 days Biennially For 20 Years N/A N/A N/A N/A N/A N/A Yes https://www.ftc.gov/news-events/press-releases/2012/04/ftc-approves-final-order-settling-charges-upromise
https://www.ftc.gov/news-events/press-releases/2012/01/membership-reward-service-aimed-college-savers-settles-ftc
Franklin's Budget Car Sales, Inc. 10/26/2012 Section 5(a) of the FTC Act; GLB Act Yes No No No Yes Yes No Franklin is an auto dealer that handles its customers' financial information, including Social Security and driver's license numbers, when arranging financing. Franklin exposed the personal information of thousands of consumers by allowing peer-to-peer file-sharing software to be installed on its corporate computers, which shared a customer file on a public P2P network. Franklin failed to identify this obvious risk, to train its employees, or to maintain a reasonable security program. none 5 Years N/A N/A N/A N/A 5 years Within 60 Days Within 30 Days N/A Within 180 Days N/A N/A Yes Within 180 days Biennially For 20 Years Yes Yes N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2012/10/ftc-finalizes-settlements-businesses-exposed-consumers-sensitive
https://www.ftc.gov/news-events/press-releases/2012/06/ftc-charges-businesses-exposed-sensitive-information-peer-peer
EPN, Inc., doing business as Checknet, Inc. 10/26/2012 Section 5(a) of the FTC Act; GLB Act Yes No No No Yes Yes No EPN is a debt collector that stores consumers' personal information, including Social Security numbers, health insurance numbers and medical information such as the type of visit and diagnosis codes. EPN exposed the information of thousands of consumers by allowing peer-to-peer file-sharing software to be installed on a corporate computer, which shared a file of debtor records on a public P2P network. EPN failed to identify this obvious risk or to maintain a reasonable security program. none 5 Years N/A N/A N/A N/A 5 years Within 60 Days for 5 years Within 30 Days N/A Within 180 Days N/A N/A Yes Within 180 days Biennially For 20 Years Yes Yes N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2012/10/ftc-finalizes-settlements-businesses-exposed-consumers-sensitive
https://www.ftc.gov/news-events/press-releases/2012/06/ftc-charges-businesses-exposed-sensitive-information-peer-peer
PLS Financial Services Inc. 11/7/2012 Section 5(a) of the FTC Act; Section 628 of the FCRA, 15 U.S.C. § 1681w; GLB Act Yes No No Yes Yes No No PLS Financial Services owns and manages payday loan and check cashing stores that collect sensitive information such as Social Security numbers, employment information, loan applications and bank account information. PLS disposed of this information improperly: intact documents were found in dumpsters near the stores. PLS also failed to train its employees in secure disposal. $101,500 5 Years Yes Yes N/A N/A 5 years Within 30 Days Within 30 Days 5 years Within 60 Days N/A N/A Yes Within 180 days Biennially For 20 Years Yes Yes N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2012/11/companies-own-manage-payday-lending-check-cashing-stores-settle
Compete, Inc. 2/25/2013 Section 5(a) of the Federal Trade Commission Act Yes No No No Yes Yes No Compete collects data on consumers' online activity through a browser toolbar and other tracking software and compiles it into reports on web traffic and consumer behavior that it sells to other businesses. Compete claimed that it collected only anonymous browsing data, stripped out personal information before transmission, and protected the data it held, but its software captured far more than the sites visited, including credit card and financial account numbers, security codes, Social Security numbers and search terms, and sent some of it over the internet in clear text. Compete also failed to disclose to consumers the full extent of its data collection. none Yes N/A N/A N/A N/A 5 years Within 30 Days Within 30 Days N/A Within 180 Days N/A Yes Yes Within 180 days Biennially For 20 Years N/A N/A Yes Yes N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2013/02/ftc-approves-final-order-settling-charges-against-compete-inc
CBR Systems Inc. 5/3/2013 Section 5(a) of the FTC Act, 15 U.S.C. § 45(a) Yes Yes No Yes Yes Yes No CBR Systems collects and stores umbilical cord blood and tissue for potential medical use and, in the process, collects personal and medical information about parents and children. Although its privacy policy stated that it took the steps necessary to protect this data, CBR kept it on unencrypted portable media, including backup tapes, a laptop and an external hard drive, and in December 2010 those items were stolen from an employee's personal vehicle, exposing the information of roughly 298,000 consumers. none N/A N/A N/A N/A N/A 3 years Within 30 Days Within 30 Days N/A Within 60 Days N/A Yes Yes Within 180 days Biennially For 20 Years N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2013/05/ftc-approves-final-order-settling-charges-against-cbr-systems-inc
HTC America Inc. 7/2/2013 Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) Yes No No No No Yes No HTC customized the Android software on its smartphones and, in doing so, introduced vulnerabilities that exposed millions of devices. Flaws in HTC's pre-installed applications let third-party apps bypass Android's permission model and gain access to sensitive data and device functions without the user's consent. HTC's user manuals stated that apps would prompt for permission before accessing personal information, but because of these flaws that prompt was not guaranteed. HTC's error-reporting tool also let users choose whether to include location data in reports, but sent the location regardless of the selection. none N/A N/A N/A N/A N/A 3 years Within 30 Days Within 30 Days N/A Within 60 Days N/A N/A Yes (and develop patches) Within 180 days Biennially For 20 Years N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2013/07/ftc-approves-final-order-settling-charges-against-htc-america-inc
TRENDnet, Inc. 2/7/2014 Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) Yes No Yes No Yes Yes No TRENDnet sells networking devices, prominently IP cameras marketed under the SecurView name for security monitoring of homes and businesses. TRENDnet claimed the cameras were secure and that feeds could be viewed only by authorized users, but it failed to take reasonable steps to secure them: the cameras' software let anyone who knew a camera's internet address view its live feed without credentials, and its companion mobile apps transmitted login credentials in clear text. In January 2012 a hacker posted links to the live feeds of nearly 700 cameras, exposing the interiors of homes and their occupants. none N/A N/A N/A N/A N/A 5 years Within 30 Days Within 30 Days N/A Within 60 Days N/A Yes Yes (and notify consumers of breach) Within 180 days Biennially For 20 Years N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc
Accretive Health, Inc. 2/24/2014 Section 5(a) of the FTC Act, 15 U.S.C. § 45(a) No No Yes No Yes Yes No Accretive Health provides revenue-cycle and related services to hospitals and, in doing so, collects and stores patient information. Accretive failed to adequately protect this data: it did not limit employee access to what their jobs required, did not dispose of data once it was no longer needed, and let sensitive data travel on unsecured laptops. In July 2011 an employee's laptop containing 600 files with about 20 million pieces of information on 23,000 patients was stolen from the passenger compartment of the employee's car. none N/A N/A N/A N/A N/A 3 years Within 30 Days Within 30 Days N/A Within 60 Days N/A N/A Yes Within 180 days Biennially For 20 Years N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-consent-settling-charges-accretive-health
GeneLink, Inc. and foru International Corporation 5/12/2014 Sections 5(a) and 12 of the FTC Act Yes No No No Yes No No GeneLink and foru sell nutritional supplements and skin care products that they claim are customized to a consumer's genetic profile, obtained from an at-home DNA cheek-swab kit, and in the process they collect genetic information and other personal data. Their advertising claimed, without competent scientific evidence, that the products could mitigate or reduce the risk of diseases such as diabetes and heart disease. The companies also failed to reasonably protect the personal data they collected, in particular by giving service providers access to it without requiring those providers to implement appropriate security safeguards. none N/A N/A N/A N/A N/A 3 years Within 30 Days Within 30 Days N/A Within 60 Days N/A Yes Yes Within 180 days Biennially For 20 Years N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2014/05/ftc-approves-final-consent-orders-settling-charges-companies
Fandango, LLC 8/19/2014 Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) Yes No No No Yes Yes No Fandango's iOS movie-ticket app disabled SSL certificate validation, so it accepted any certificate a server presented. An attacker on the same network, for example a public Wi-Fi hotspot, could therefore present a forged certificate and perform a man-in-the-middle attack, intercepting the credit card numbers and other data the app transmitted. This contradicted Fandango's claim that the app stored and transmitted users' information securely. none N/A N/A N/A N/A N/A 3 years Within 30 Days Within 30 Days N/A Within 60 Days N/A Yes Yes Within 180 Days Biennially for 20 Years N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2014/08/ftc-approves-final-orders-settling-charges-against-fandango
Credit Karma, Inc. 8/19/2014 Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) Yes No No No Yes Yes No Credit Karma's iOS and Android apps disabled SSL certificate validation, so they accepted any certificate a server presented. An attacker on the same network, for example a public Wi-Fi hotspot, could therefore present a forged certificate and perform a man-in-the-middle attack, intercepting the Social Security numbers, dates of birth, credit scores and other data the apps transmitted. This contradicted Credit Karma's claim that it used industry-standard security, including SSL, to protect users' information. none N/A N/A N/A N/A N/A 3 years Within 30 Days Within 30 Days N/A Within 120 Days N/A Yes Yes Within 180 Days Biennially for 20 Years N/A N/A N/A N/A N/A N/A N/A https://www.ftc.gov/news-events/press-releases/2014/08/ftc-approves-final-orders-settling-charges-against-fandango
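The Fandango and Credit Karma entries turn on one mistake: app code that switches off certificate validation so the client trusts whatever certificate it is handed. The scanner below, an added illustration and not FTC material or either company's code, shows how a reviewer can flag that mistake in source before release. The rule set is an assumption (a handful of well-known iOS, Android and Python anti-patterns, not a complete list), and the sample snippets at the bottom are constructed for the demo.

```python
"""Scan app source for constructs that switch off TLS certificate validation.

Added illustration for the Fandango and Credit Karma entries; not FTC material
and not either company's code. RULES is an assumption: a few well-known iOS,
Android and Python anti-patterns, not a complete list. The samples at the
bottom are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    text: str


# (rule id, pattern). Patterns are kept narrow so a hit points at a construct
# that actually disables validation rather than at a mention of it.
RULES = [
    # iOS: private NSURLRequest selector that trusts any server certificate
    ("ios-allows-any-https-cert",
     re.compile(r"setAllowsAnyHTTPSCertificate\s*:\s*YES")),
    # iOS: CFNetwork stream property that turns off chain validation
    ("ios-cfstream-no-chain-validation",
     re.compile(r"kCFStreamSSLValidatesCertificateChain[^\n;]*kCFBooleanFalse")),
    # Android: hostname verifier that accepts every host
    ("android-allow-all-hostname",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
    # Android: custom X509TrustManager whose checkServerTrusted body is empty
    ("android-empty-trust-manager",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}")),
    # Python: requests and the ssl module
    ("python-requests-verify-false", re.compile(r"\bverify\s*=\s*False\b")),
    ("python-ssl-cert-none", re.compile(r"\bssl\.CERT_NONE\b")),
    ("python-no-hostname-check", re.compile(r"\bcheck_hostname\s*=\s*False\b")),
]


def scan(source: str) -> list[Finding]:
    """Run every rule over the whole text (some patterns span lines) and
    report each hit at the line where the match begins."""
    lines = source.splitlines()
    findings = []
    for rule, pattern in RULES:
        for match in pattern.finditer(source):
            line_no = source.count("\n", 0, match.start()) + 1
            findings.append(Finding(rule, line_no, lines[line_no - 1].strip()))
    return sorted(findings, key=lambda f: (f.line, f.rule))


# Constructed samples (not real app code) to exercise the rules.
IOS_SAMPLE = """\
// constructed Objective-C sample, not real app code
NSURLRequest *req = [NSURLRequest requestWithURL:url];
[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:[url host]];
NSDictionary *sslSettings = @{(id)kCFStreamSSLValidatesCertificateChain: (id)kCFBooleanFalse};
"""

ANDROID_SAMPLE = """\
// constructed Java sample, not real app code
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HttpsURLConnection.setDefaultHostnameVerifier(
    SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""

VULN_PYTHON_SAMPLE = """\
# constructed Python sample that turns validation off (do not do this)
import ssl, requests
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
resp = requests.get("https://example.invalid/api", verify=False)
"""

SAFE_PYTHON_SAMPLE = """\
# constructed Python sample: validation left at the secure defaults
import requests
resp = requests.get("https://example.invalid/api", timeout=10)  # verify defaults to True
"""

if __name__ == "__main__":
    for name, sample in [("ios", IOS_SAMPLE), ("android", ANDROID_SAMPLE),
                         ("python-vulnerable", VULN_PYTHON_SAMPLE),
                         ("python-safe", SAFE_PYTHON_SAMPLE)]:
        for f in scan(sample):
            print(f"{name}:{f.line}: {f.rule}: {f.text}")
```

A regex pass like this belongs in the build pipeline as a gate, not as the only check: it catches the crude shortcuts a developer reaches for when a self-signed test certificate gets in the way, which is how a production app ends up shipping without validation, but it cannot see validation bypassed at runtime, so pair it with an intercepting proxy test that presents an untrusted certificate and confirms the app refuses to talk.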
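The Ceridian and RockYou entries share two failures: SQL built by splicing untrusted input into the query text, and passwords kept in clear text. The following added illustration (not code from the FTC filings or from either company) puts the broken login lookup beside a hardened one: parameterised SQL, salted PBKDF2 hashes, and a constant-time comparison. The schema, the sample account, the PBKDF2 round count and the attack strings are all constructed for the demo.

```python
"""Login lookups done two ways: the pattern behind the Ceridian and RockYou
entries (string-built SQL over clear-text passwords) and a hardened version
(parameterised SQL, salted PBKDF2 hashes, constant-time comparison).

Added illustration only; not code from the FTC filings or from either company.
The schema, sample account, round count and attack strings are constructed.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption: tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def setup_demo_db() -> sqlite3.Connection:
    """In-memory database holding one constructed account stored both ways."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash BLOB, salt BLOB)")
    email, password = "alice@example.invalid", "correct horse battery staple"
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", (email, password))
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (email, hash_password(password, salt), salt))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """The broken pattern: untrusted input spliced into the SQL text and
    checked against a clear-text password column. Do not use."""
    query = (f"SELECT 1 FROM users_plain WHERE email = '{email}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised lookup by email only; the password never touches SQL and
    is compared in constant time against the stored hash."""
    row = conn.execute("SELECT pw_hash, salt FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        # Hash anyway so an unknown account takes as long as a wrong password
        hash_password(password, b"\x00" * 16)
        return False
    stored_hash, salt = row
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


# Constructed attack inputs. The first comments out the password clause; the
# second makes the WHERE clause true for every row.
INJECTION_EMAIL = "alice@example.invalid' -- "
INJECTION_PASSWORD = "' OR '1'='1"


def demo() -> dict:
    """Run both login paths against the constructed database."""
    conn = setup_demo_db()
    real_email, real_password = "alice@example.invalid", "correct horse battery staple"
    return {
        "vulnerable_comment_bypass": login_vulnerable(conn, INJECTION_EMAIL, "wrong"),
        "vulnerable_tautology_bypass": login_vulnerable(conn, "nobody", INJECTION_PASSWORD),
        "hardened_comment_bypass": login_hardened(conn, INJECTION_EMAIL, "wrong"),
        "hardened_tautology_bypass": login_hardened(conn, "nobody", INJECTION_PASSWORD),
        "hardened_real_login": login_hardened(conn, real_email, real_password),
        "hardened_wrong_password": login_hardened(conn, real_email, "wrong"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The hardened path fixes both problems at once: the parameter binding means an attacker's quote characters are data, never syntax, and because the database holds only salted hashes, a dump of the users table through some other flaw yields no passwords to replay elsewhere, which was the lasting damage of the RockYou exposure.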
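The Twitter and Lookout Services entries describe two access-control gaps: unlimited password guessing, and URLs that return records to whoever requests them. The added illustration below (not code from the FTC filings or from either company) is a minimal record server that closes both: failed logins lock the account for a window, and the record handler checks the session and the record's owner rather than trusting the URL. The accounts, record identifiers, lockout policy and injectable clock are constructed for the demo.

```python
"""Login throttling and per-record authorization for a record-serving web app,
written against the failures in the Twitter and Lookout Services entries:
unlimited password guesses, and URLs that hand out records without checking
who is asking.

Added illustration only; not code from the FTC filings or from either company.
Accounts, record ids, lockout policy and the clock are constructed.
"""
import secrets
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5    # assumption: policy values, tune per deployment
LOCKOUT_SECONDS = 15 * 60


@dataclass
class Account:
    password: str          # demo only; production code stores a salted hash
    failed: int = 0
    locked_until: float = 0.0


class RecordServer:
    """Minimal stand-in for an app that serves employee records by URL."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so the lockout window can be tested
        self.accounts = {"alice": Account("alice-pw"), "bob": Account("bob-pw")}
        # record id -> (owning customer, data). Sequential ids are guessable,
        # which is why the server must check the caller, not the URL.
        self.records = {
            1001: ("alice", "employee A: SSN 000-00-0001"),
            1002: ("alice", "employee B: SSN 000-00-0002"),
            1003: ("bob", "employee C: SSN 000-00-0003"),
        }
        self.sessions = {}  # session token -> username

    def login(self, user: str, password: str):
        """Return a session token, or None. MAX_FAILED_ATTEMPTS failures lock
        the account for LOCKOUT_SECONDS; while locked even the right password
        is refused, which is what defeats an automated guessing tool."""
        acct = self.accounts.get(user)
        now = self.clock()
        if acct is None or now < acct.locked_until:
            return None
        if not secrets.compare_digest(password.encode(), acct.password.encode()):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed = 0
            return None
        acct.failed = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def get_record_vulnerable(self, record_id: int):
        """The Lookout-style flaw: knowing the URL is the whole access check."""
        entry = self.records.get(record_id)
        return None if entry is None else entry[1]

    def get_record(self, token: str, record_id: int):
        """Hardened handler: requires a valid session and returns only records
        owned by that session's user. Other users' records look absent (404)
        so the endpoint does not confirm that a guessed id exists."""
        user = self.sessions.get(token)
        if user is None:
            return 401, None
        entry = self.records.get(record_id)
        if entry is None or entry[0] != user:
            return 404, None
        return 200, entry[1]


def enumerate_records(server: RecordServer, token=None, id_range=range(1000, 1010)):
    """Walk a guessable id range the way an intruder would and collect what
    comes back, through the vulnerable path (no token) or the hardened one."""
    found = {}
    for rid in id_range:
        if token is None:
            data = server.get_record_vulnerable(rid)
        else:
            status, data = server.get_record(token, rid)
            data = data if status == 200 else None
        if data is not None:
            found[rid] = data
    return found


if __name__ == "__main__":
    srv = RecordServer()
    print("unauthenticated guessing leaks:", sorted(enumerate_records(srv)))
    tok = srv.login("alice", "alice-pw")
    print("alice's session sees:", sorted(enumerate_records(srv, tok)))
```

Two design points carry the weight here. The lockout is keyed to the account, so a single source address cannot be rotated around it, and the hardened handler returns 404 rather than 403 for another customer's record, so an enumeration attempt learns nothing about which ids are real; a production version would also log the burst of failures so the operations team sees the guessing attempt rather than discovering it from a compromised account.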