Sensitive information of nearly 65,000 employees allegedly compromised

By Roy Maurer

The U.S. Federal Trade Commission (FTC) has ordered two companies—one providing payroll and human resource services and another providing immigration law compliance services—to undergo third-party security audits every other year for 20 years after data breaches exposed the personal information of 65,000 employees of the two companies’ business partners.

Ceridian Corp. and Lookout Services, Inc. have agreed to settle FTC charges that they failed to employ reasonable and appropriate security measures to protect the data, in violation of federal law.

The settlements with Ceridian and Lookout are part of the FTC’s efforts to ensure that companies secure the sensitive consumer information that they maintain, the commission said. In complaints filed against the companies, the FTC charged that Ceridian and Lookout claimed they would take reasonable measures to secure the consumer data they maintained, including Social Security numbers, but that they failed to do so. These flaws were exposed when security breaches at the companies put the personal information of thousands of consumers at risk, the FTC charged.

The Charges

Minneapolis-based payroll provider Ceridian failed to encrypt personal information and stored it in clear text for an unspecified period of time, the FTC complaint alleged. The company’s web-based payroll processing application was breached by an intruder in December 2009, and personal information belonging to 28,000 people was compromised. Social Security numbers and direct-deposit information belonging to employees of Ceridian’s small business customers were stolen.

“Ceridian failed to take readily available, free or low-cost defenses against SQL injection attacks,” the FTC said in its complaint. SQL injection is a hacking technique that exploits a security vulnerability in the database layer of a software application, where input supplied by a user is passed into the application’s database queries without adequate checks.

According to the FTC’s complaint against Lookout, an immigration service software provider based in Bellaire, Texas, unauthorized access to sensitive employee information allegedly could be gained by typing a relatively simple URL into a web browser, without the need to enter a username or password. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords and failed to provide adequate employee training. As a result of these and other failures, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database in October 2010, including the Social Security numbers of about 37,000 customers.
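The two failures the FTC describes above, a query built from user input (Ceridian) and a record lookup reachable without a login (Lookout), can be illustrated side by side. The following is an added example, not code from either company or from the FTC filings; the table, the customer names and the Social Security numbers are constructed, and the hardened lookup applies the two low-cost defenses the complaints allude to: a parameterized query and a check that the session is authenticated and scoped to one customer.

```python
import sqlite3

# Constructed sample data standing in for a payroll/I-9 records table.
# The names and SSN-like values below are made up for this example.
SAMPLE_RECORDS = [
    (1, "acme", "alice", "111-11-1111"),
    (2, "acme", "bob", "222-22-2222"),
    (3, "globex", "carol", "333-33-3333"),
]


def make_db():
    """Build an in-memory database holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees "
        "(id INTEGER PRIMARY KEY, customer TEXT, name TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", SAMPLE_RECORDS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The weak pattern: the caller's input is spliced into the SQL text,
    so a crafted value changes the query itself, and no login is required."""
    sql = "SELECT name, ssn FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, session, name):
    """The hardened pattern: require an authenticated session, bind the
    value as a parameter so it can only ever be compared as data, and scope
    the result to the customer the session belongs to."""
    if session is None or "customer" not in session:
        raise PermissionError("login required")
    sql = "SELECT name, ssn FROM employees WHERE customer = ? AND name = ?"
    return conn.execute(sql, (session["customer"], name)).fetchall()
```

With the hardened lookup, a value such as `' OR '1'='1` is simply a name that matches nothing, and an `acme` session cannot read `globex` rows even by asking for them by name.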

Ceridian and Lookout claimed that they took reasonable measures to secure sensitive data, but the FTC accused them of negligence and claimed that “unfair and deceptive” security practices put consumers at risk.

The FTC settlements bar the companies from making misrepresentations, including misleading claims about the privacy, confidentiality and integrity of any personal information collected about consumers.

Lessons for Employers

“It’s absolutely crucial for organizations to assess the security risks of housing their confidential and protected I-9 data with an electronic vendor,” said John Fay, an immigration attorney and general counsel with LawLogix Group Inc., a provider of electronic I-9 compliance software.

With so much data residing in the cloud, it’s critical for organizations to examine the cloud provider’s data governance, Fay told SHRM Online. “Do they own their own servers, routers [and] storage area network and have exclusive access to all of the above? Employers need to look beyond buzzwords like ‘SAS70 type II’ and marketing jargon such as ‘being housed in the same data center as Google,’ ” Fay chided.

Employers should involve their IT security specialists at the beginning of the selection process to perform a detailed analysis of the vendor’s systems and processes, Fay advised. IT specialists should be able to provide a thorough assessment of whether the vendor’s system does what it claims to do, he said.

Vendors should be asked if penetration tests, which gauge the effectiveness of the vendor’s defenses against hacking attempts, have been performed. “The ideal test will involve a combination of automated and manual penetration testing, web application testing, network configuration analysis and a social engineering exercise to measure the vendor’s own security practices and policies,” Fay said.

“Organizations also have to plan for a data breach by making sure the vendor has cyber liability insurance and demanding that the vendor fully indemnify the organization in the event of a breach,” Fay said.

Finally, the most basic rule in data protection: No matter how well the system is designed, good data security revolves around people and practices, Fay said.

Roy Maurer is a staff writer for SHRM.