
FTC Charges That Security Flaws in RockYou Game Site Exposed 32 Million Email Addresses and Passwords

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA

San Francisco Division 

UNITED STATES OF AMERICA, Plaintiff v. ROCKYOU, INC., Defendant

Case No. 12-CV-1487

COMPLAINT FOR CIVIL PENALTIES, PERMANENT INJUNCTION, AND OTHER RELIEF

  • Plaintiff, the United States of America, acting upon notification and authorization to the Attorney General by the Federal Trade Commission ("FTC" or "Commission"), for its Complaint alleges:
    • Plaintiff brings this action under Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), and 56(a) and Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 ("COPPA"), 15 U.S.C. §§ 6501-6506, 6502(c) and 6505(d) to obtain monetary civil penalties, a permanent injunction, and other equitable relief for Defendant's violations of Section 5 of the FTC Act and the Commission's Children's Online Privacy Protection Rule ("Rule" or "COPPA Rule"), 16 C.F.R. Part 312.

JURISDICTION AND VENUE

  • This Court has subject matter jurisdiction pursuant to 28 U.S.C. §§ 1331, 1337(a), 1345, and 1355, and under 15 U.S.C. §§ 45(m)(1)(A), 53(b), 56(a), and 57b.

  • Venue is proper in the Northern District of California under 15 U.S.C. § 53(b) and 28 U.S.C. §§ 1391(b)-(c) and 1395(a).

INTRADISTRICT ASSIGNMENT

  • Defendant RockYou, Inc. has its primary place of business in the county of San Mateo.

SECTION FIVE OF THE FTC ACT

  • Section 5(a) of the FTC Act, 15 U.S.C. § 45(a) prohibits unfair and deceptive acts or practices in or affecting commerce.

THE CHILDREN'S ONLINE PRIVACY PROTECTION RULE

  • Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children's personal information online by operators of Internet websites or online services. COPPA directed the Commission to promulgate a rule implementing COPPA. The Commission promulgated the Children's Online Privacy Protection Rule, 16 C.F.R. Part 312, on November 3, 1999 under Section 1303(b) of COPPA, 15 U.S.C. § 6502(b), and Section 553 of the Administrative Procedure Act, 5 U.S.C. § 553. The Rule went into effect on April 21, 2000.
  • The Rule applies to any operator of a commercial website or online service, or portion thereof, directed to children that collects, uses, and/or discloses personal information from children, and to any operator of a commercial website or online service that has actual knowledge that it collects, uses, and/or discloses personal information from children. Among other things, the Rule requires a subject website operator to meet specific requirements prior to collecting online, using, or disclosing personal information from children, including, but not limited to:

    • Posting a privacy policy on its website or online service providing clear, understandable, and complete notice of its information practices, including what information the website operator collects from children online, how it uses such information, its disclosure practices for such information, and other specific disclosures set forth in the Rule
    • Providing clear, understandable, and complete notice of its information practices, including specific disclosures, directly to parents when required by the Rule
    • Obtaining verifiable parental consent prior to collecting, using, and/or disclosing personal information from children
    • Giving parents the option to consent to the collection and internal use of their children's personal information without consenting to the disclosure of that information to third parties
    • Providing a reasonable means for parents to review the personal information collected from their children and to refuse to permit its further use or maintenance
    • Establishing and maintaining reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
  • Pursuant to Section 1303(c) of COPPA, 15 U.S.C. § 6502(c), and Section 18(d)(3) of the FTC Act, 15 U.S.C. § 57a(d)(3), a violation of the Rule constitutes an unfair or deceptive act or practice in or affecting commerce, in violation of Section 5(a)(1) of the FTC Act, 15 U.S.C. § 45(a)(1).

DEFENDANT

  • Defendant RockYou, Inc. ("RockYou"), is a Delaware corporation. Defendant maintains offices in Redwood City, California, and transacts or has transacted business in the Northern District of California. From at least 2006, Defendant has operated a website or online service that is transmitted and accessible worldwide on the Internet.

COMMERCE

  • The acts and practices of Defendant alleged in this Complaint have been in or affecting commerce, as "commerce" is defined in Section 4 of the FTC Act, 15 U.S.C. § 44.

DEFENDANT'S PRACTICES REGARDING INFORMATION SECURITY

  • Since at least 2006, Defendant has provided services to consumers online through the website RockYou.com as well as various social networking websites.

  • From 2006 through at least 2010, Defendant operated a website that allowed users to develop content. To allow users to publish the content, Defendant created individualized software ("a widget") that consumers could cut and paste onto their personal RockYou.com page and on social networking websites. Among the widgets available on Defendant's website during this time period was a slideshow utility that allowed users to upload photos from their computers or the web, add captions, and choose music. Users could share the resulting slideshows on Defendant's website and elsewhere.

  • Users were not required to register to access Defendant's widget programs. However, users could register in order to save content uploaded to the RockYou website for later retrieval and editing. To register, Defendant required users to provide a valid email address and password for that email address. The registration form also requested users to select a birth year and gender and provide a zip code and country. Upon completion of the registration fields, Defendant would send a welcome email containing an activation link. Upon return to the RockYou website, the user was prompted to change the RockYou password from the email address password previously provided. While users were required to enter a "new" password, they were not required to change it and could re-enter their email address password to use as a RockYou password. RockYou stored these email addresses and RockYou passwords in clear text.

  • RockYou's practices posed a significant risk of harm to consumers. First, RockYou exposed the RockYou user accounts to account takeover by storing the RockYou passwords in clear text, allowing unauthorized access to private data stored in RockYou accounts, such as photographs. Second, RockYou's practices created the risk of unauthorized access to users' email accounts. RockYou's practice of initially collecting email account passwords and storing them in clear text, even temporarily, created the risk of unauthorized access to such passwords and, therefore, to users' email accounts. Moreover, it is commonly known that users often reuse passwords for different accounts. Indeed, RockYou's practice of asking users to submit their email password and then asking them to create a RockYou password may have increased the likelihood that users would use the same password for both accounts. Given that many consumers used the same passwords for both accounts, RockYou's practice of storing RockYou account passwords in clear text with users' email addresses increased the likelihood that, if intruders gained access to users' RockYou passwords, many users' email accounts also would be exposed to unauthorized access.

  • Since at least February 2006, Defendant has disseminated or caused to be disseminated a privacy policy on its website, including but not necessarily limited to the attached Exhibit A, containing the following statements:

    • "RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information. We cannot, however, ensure or warrant the security of any information you transmit to RockYou! and you do so at your own risk. Once we receive your transmission of information, RockYou! makes commercially reasonable efforts to ensure the security of our systems. However, please note that this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards." (Exhibit A, www.rockyou.com Privacy Policy, February 13, 2006)
  • Contrary to its representations that it provided reasonable safeguards to protect its users' information, Defendant failed to take reasonable measures to do so by, among other things:

    • Unnecessarily collecting personal information from consumers in the form of email address passwords.

    • Storing users' RockYou passwords, with associated email addresses, in clear text.

    • Failing to segment its servers; once a hacker entered Defendant's network, they were able to access all information on the network, including consumers' email addresses and RockYou passwords.

    • Not protecting its website from such commonly known or reasonably foreseeable attacks from third parties attempting to obtain access to customer information stored in Defendant's databases. Defendant failed, for example, to address vulnerabilities in its system to web-based application attacks such as "Structured Query Language" (SQL) injection attacks and "Cross-Site Scripting" (XSS) attacks. During the relevant period, SQL injection and XSS attacks were well-known and well-publicized forms of hacking attacks, and solutions to prevent such attacks were readily available and inexpensive.

  • As a result of the failures described above, an unauthorized individual or individuals obtained access to consumers' personal information, including approximately 32 million email addresses and RockYou passwords, allowing for access to RockYou accounts, including photographs and other items consumers elected to keep private.
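The storage design the complaint describes (email address and RockYou password kept in clear text in the user table) shown beside a hardened form that keeps only a per-user salt and a slow salted hash, uses parameterized queries, and never asks for the email-account password. This is an added illustration, not code from the complaint or from RockYou; the table names, column names, sample users and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256, chosen for this example; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def open_db() -> sqlite3.Connection:
    """Constructed in-memory store with two alternative user tables (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    # The design at issue: the password is kept exactly as typed, next to the email.
    conn.execute("CREATE TABLE users_cleartext (email TEXT PRIMARY KEY, password TEXT)")
    # Hardened design: only a random salt and a slow hash are kept; the password never is.
    conn.execute("CREATE TABLE users_hashed (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def register_cleartext(conn: sqlite3.Connection, email: str, password: str) -> None:
    """Clear-text storage (the practice the complaint describes). The query is
    parameterized, so the only defect modelled here is what is stored."""
    conn.execute("INSERT INTO users_cleartext (email, password) VALUES (?, ?)", (email, password))


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash; the same input and salt always give the same output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_hashed(conn: sqlite3.Connection, email: str, password: str) -> None:
    """Hardened storage: fresh 16-byte salt per user, hash stored instead of the password."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users_hashed (email, salt, pw_hash) VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )


def verify_hashed(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Login check against the hashed table; constant-time comparison of the digests."""
    row = conn.execute("SELECT salt, pw_hash FROM users_hashed WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def cleartext_row(conn: sqlite3.Connection, email: str):
    return conn.execute("SELECT password FROM users_cleartext WHERE email = ?", (email,)).fetchone()


def hashed_row(conn: sqlite3.Connection, email: str):
    return conn.execute("SELECT salt, pw_hash FROM users_hashed WHERE email = ?", (email,)).fetchone()


def demo() -> dict:
    """Registers two constructed users who reused one password and reports what an
    intruder with read access to each table would learn from the stored rows."""
    conn = open_db()
    users = [("alice@example.com", "correct horse"), ("bob@example.com", "correct horse")]
    for email, pw in users:
        register_cleartext(conn, email, pw)
        register_hashed(conn, email, pw)
    alice_salt, alice_hash = hashed_row(conn, "alice@example.com")
    _, bob_hash = hashed_row(conn, "bob@example.com")
    return {
        # Clear-text table: the row hands over the password directly.
        "cleartext_leaks_password": cleartext_row(conn, "alice@example.com")[0] == "correct horse",
        # Hashed table: neither salt nor digest contains the password bytes.
        "hashed_row_contains_password": b"correct horse" in alice_salt + alice_hash,
        # Per-user salt: the reused password does not produce a repeated, linkable hash.
        "reused_password_same_hash": alice_hash == bob_hash,
        "login_ok": verify_hashed(conn, "alice@example.com", "correct horse"),
        "login_wrong": verify_hashed(conn, "alice@example.com", "wrong"),
        "login_unknown": verify_hashed(conn, "nobody@example.com", "correct horse"),
    }


if __name__ == "__main__":
    for finding, value in demo().items():
        print(f"{finding}: {value}")
```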

DEFENDANT'S PRACTICES REGARDING COLLECTION OF INFORMATION FROM CHILDREN UNDER THE AGE OF 13

  • Defendant's website was intended for a general audience, but also attracted a significant number of children.

  • As discussed in Paragraph 13, consumers were not required to register to use Defendant's website widget services. However, when a user registered, he was required to provide a valid email address and the associated password and was requested to select his birth year from a drop-down screen. Registrants could also provide gender, zip code, and country information.

  • From approximately December 2008 through January 2010, Defendant accepted registrations from children under the age of 13. During this time period, it collected email addresses and associated passwords, along with birth year, sex, zip code, and/or country information, from approximately 179,000 children under age 13. Defendant, therefore, was an "operator" as defined in the Rule.

  • A child who registered at Defendant's website also was able to create a personal profile and upload content, including photographs. A registered child could also post comments on others' slide shows and others could post comments on his slideshows.

  • Defendant's online privacy policy stated in pertinent part:

    • Our Commitment to Children's Privacy:
      Protecting the privacy of young children is especially important. For that reason, RockYou! does not knowingly collect or maintain personally identifiable information or non-personally-identifiable information on the RockYou! Sites from persons under 13 years of age, and no part of our website is directed to persons under 13. If you are under 13 years of age, then please do not use or access the RockYou! Sites at any time or in any manner. If RockYou! learns that personally identifiable information of persons under 13 years of age has been collected on the RockYou! Sites without verified parental consent, then RockYou! will take appropriate steps to delete this information. Exhibit A (Privacy Policy).
  • Contrary to the statements made in Defendant's privacy policy, as set forth in Paragraph 22 above, Defendant knowingly collected, and did not delete, children's personal information and enabled children to publicly disclose their personal information through personal profile pages and public slideshows.

  • Defendant's online notice of its information practices did not clearly, completely, or accurately disclose all of Defendant's information collection, use, and disclosure practices for children, as required by the Rule.

  • Defendant did not take the steps required by the Rule to provide parents with a direct notice of its information practices prior to collecting, using, or disclosing children's personal information.

  • Defendant did not take the steps required by the Rule to obtain verifiable consent from parents prior to collecting, using, or disclosing children's personal information.

  • In approximately 179,000 instances, Defendant knowingly collected, used, and/or disclosed personal information from children in violation of the Children's Online Privacy Protection Rule.

  • Defendant did not establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

COUNT I. DEFENDANT'S VIOLATIONS OF THE FTC ACT IN CONNECTION WITH DATA SECURITY

  • Through the means described in Paragraph 15, Defendant represented, expressly or by implication, that it implemented reasonable and appropriate measures to protect against unauthorized access to the personal information it obtained from customers.

  • In truth and in fact, as set forth in Paragraph 16, Defendant did not implement reasonable and appropriate measures to protect against unauthorized access to the personal information it obtained from customers. Therefore, the representation set forth in Paragraph 15 was false or misleading and constituted a deceptive act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

COUNT II. DEFENDANT'S VIOLATIONS OF THE CHILDREN'S ONLINE PRIVACY PROTECTION RULE

  • For purposes of Counts II and III and the paragraphs referenced therein, the terms "child," "collects," "collection," "Commission," "delete," "disclosure," "Internet," "online contact information," "operator," "parent," "person," "personal information," "third party," "verifiable consent," and "website or online service directed to children," are defined as those terms are defined in Section 312.2 of the Rule, 16 C.F.R. § 312.2.

  • Since 2006, Defendant has operated a website or online services through which it collected, with actual knowledge, personal information from children under age 13.

  • In numerous instances, in connection with the acts and practices described above, Defendant collected, used, and/or disclosed personal information from children in violation of the Rule, including by:

    • Failing to provide sufficient notice on its website or online services of the information it collects online from children, how it uses such information, its disclosure practices, and all other required content, in violation of Section 312.4(b) of the Rule, 16 C.F.R. § 312.4(b);
    • Failing to provide direct notice to parents of the information Defendant collects online from children, how it uses such information, its disclosure practices, and all other required content, in violation of Section 312.4(c) of the Rule, 16 C.F.R. § 312.4(c);
    • Failing to obtain verifiable parental consent before any collection, use, and/or disclosure of personal information from children, in violation of Section 312.5 of the Rule, 16 C.F.R. § 312.5(a)(1); and
    • Failing to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children, in violation of Section 312.8 of the Rule, 16 C.F.R. § 312.8.

Therefore, Defendant has violated the Children's Online Privacy Protection Rule, 16 C.F.R. Part 312.

COUNT III. DEFENDANT'S VIOLATIONS OF THE FTC ACT IN CONNECTION WITH COLLECTION AND RETENTION OF PERSONAL INFORMATION FROM CHILDREN

  • Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits "unfair or deceptive acts or practices in or affecting commerce." Misrepresentations constitute deceptive acts or practices prohibited by Section 5(a) of the Act.

  • Through the statements made in the privacy policy referenced in Paragraph 22 above, Defendant represented, expressly or by implication, that it: (a) did not knowingly collect or maintain personal information from children under 13; and (b) would delete any personal information that it learns it has collected from children.

  • In truth and in fact, as set forth in Paragraph 23 above, Defendant knowingly collected, and did not delete, personal information from children under 13. Therefore, the representations set forth in Paragraph 35 above were false and misleading and constitute deceptive acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

THE COURT'S POWER TO GRANT RELIEF

  • Defendant violated the Rule as described above with the knowledge required by Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A).

  • Each collection, use, or disclosure of a child's personal information in which Defendant violated the Rule in one or more of the ways described above, constitutes a separate violation for which Plaintiff seeks monetary civil penalties.

  • Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A), as modified by Section 4 of the Federal Civil Penalties Inflation Adjustment Act of 1990, 28 U.S.C. § 2461, and Section 1.98(d) of the FTC's Rules of Practice, 16 C.F.R. § 1.98(d), authorizes this Court to award monetary civil penalties of not more than $11,000 for each such violation of the Rule prior to February 10, 2009, and not more than $16,000 for each such violation of the Rule on or after February 10, 2009.

  • Under Section 13(b) of the FTC Act, 15 U.S.C. § 53(b), this Court is authorized to issue a permanent injunction against Defendant's data security and COPPA violations of the FTC Act, as well as such ancillary relief as may be just and proper.

PRAYER

  • WHEREFORE, plaintiff United States of America, pursuant to Sections 5(a)(1), 5(m)(1)(A), 13(b) and 16(a) of the FTC Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b) and 56(a), and the Court's own equitable powers, requests that the Court:
    • (1) Enter a permanent injunction to prevent future violations of the FTC Act with respect to the security of consumers' personal information;
    • (2) Enter a permanent injunction to prevent future violations of the FTC Act and the COPPA Rule by Defendant;
    • (3) Award Plaintiff monetary civil penalties from Defendant for each violation of the Rule alleged in this Complaint; and
    • (4) Award such other and additional relief as the Court may determine to be just and proper.

Dated: March 26, 2012

OF COUNSEL:

KATRINA ANE BLODGETT
MAMI KRESSES
Attorneys,
Federal Trade Commission,
600 Pennsylvania Avenue, NW,
Mail Drop NJ-8122,
Washington, D.C. 20580,
202-326-3158 (voice),
202-326-3062 (fax).

 

FOR THE UNITED STATES OF AMERICA:

STUART F. DELERY
Acting Assistant Attorney General,
Civil Division,
U.S. Department of Justice.

MAAME EWUSI-MENSAH FRIMPONG
Acting Deputy Assistant Attorney General,
Civil Division.

MICHAEL S. BLUME
Director,
Consumer Protection Branch.

KENNETH L. JOST
Deputy Director,
Consumer Protection Branch.


ALAN J. PHELPS
Trial Attorney,
Consumer Protection Branch,
U.S. Department of Justice,
P.O. Box 386,
Washington, DC 20044,
Telephone: 202-307-6154,
Fax: 202-514-8742,
Email: alan.phelps@usdoj.gov.

EXHIBIT A

For more information, refer to the original source: https://www.ftc.gov/sites/default/files/documents/cases/2012/03/120327rockyoucmpt.pdf

 

CONSENT DECREE AND ORDER 
FOR CIVIL PENALTIES, INJUNCTION AND OTHER RELIEF

WHEREAS Plaintiff, the United States of America, has commenced this action by filing the complaint herein; Defendant has waived service of the Summons and Complaint; the parties have been represented by the attorneys whose names appear hereafter; and the parties have agreed to settlement of this action upon the following terms and conditions, without adjudication of any issue of fact or law, and without Defendant admitting any issue of fact or law other than those related to jurisdiction and venue;



THEREFORE, on the joint motion of Plaintiff and Defendant, it is hereby ORDERED, ADJUDGED, and DECREED as follows:

  • This Court has jurisdiction of the subject matter and of the parties pursuant to 28 U.S.C. §§ 1331, 1337(a), 1345, and 1355, and 15 U.S.C. §§ 45(m)(1)(A), 53(b), 56(a), and 57b.
  • Venue is proper as to all parties in the Northern District of California under 15 U.S.C. § 53(b) and 28 U.S.C. §§ 1391(b)-(c) and 1395(a). The activities of Defendant are in or affecting commerce as defined in Section 4 of the FTC Act, 15 U.S.C. § 44.
  • The Complaint states a claim upon which relief may be granted against Defendant under Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), and 56(a) and under Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (“COPPA”), 15 U.S.C. §§ 6501-6506, 6502(c), and 6505(d); the Commission's Children's Online Privacy Protection Rule, 16 C.F.R. Part 312. Among other things, the Complaint alleges that:
    • Defendant violated the FTC Act by deceptively representing to consumers that it provided reasonable security for the personal information it collected from consumers;
    • Defendant violated COPPA and the FTC Act by failing to provide notice to parents of its information practices, and to obtain verifiable parental consent prior to collecting, using, and or disclosing personal information from children online;
    • Defendant violated the FTC Act by deceptively representing that it did not collect information from children online; and
    • Defendant violated the FTC Act by deceptively representing that it would delete any personal information collected from children online.
  • Defendant has entered into this Consent Decree and Order for Civil Penalties, Injunction, and Other Relief (“Order”) freely and without coercion. Defendant further acknowledges that it has read the provisions of this Order and is prepared to abide by them.
  • Plaintiff and Defendant hereby waive all rights to appeal or otherwise challenge the validity of this Order.
  • Plaintiff and Defendant stipulate and agree that entry of this Order shall constitute a full, complete, and final settlement of this action.
  • Defendant has agreed that this Order does not entitle it to seek or to obtain attorneys’ fees as a prevailing party under the Equal Access to Justice Act, 28 U.S.C. § 2412, and Defendant further waives any rights to attorneys' fees that may arise under said provision of law.
  • Entry of this Order is in the public interest.
 

DEFINITIONS

  • “Rule” means the Federal Trade Commission's Children's Online Privacy Protection Rule, 16 C.F.R. Part 312.
  • The terms “child,” “collects,” “collection,” “Commission,” “delete,” “disclosure,” “Internet,” “online contact information,” “operator,” “parent,” “person,” “personal information,” “third party,” “verifiable consent,” and “website or online service directed to children,” are defined in Section 312.2 of the Rule, 16 C.F.R. § 312.2.
  • “Consumer personal information” means individually identifiable information from or about an individual consumer including, but not limited to: (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a telephone number; (e) a Social Security number; (f) a driver's license or other state-issued identification number; (g) a financial institution account number; (h) credit or debit card information; (i) a persistent identifier, such as a customer number held in a “cookie,” a static Internet Protocol (“IP”) address, or processor serial number; (j) nonpublic communications and content posted on Defendant's web site or within Defendant's applications provided on any other web site; or (k) any information that is combined with any of (a) through (i) above.
  • “Defendant” means RockYou, Inc., a corporation, its successors and assigns and its officers, agents, representatives, and employees.

INJUNCTION REGARDING COLLECTION OF INFORMATION FROM CHILDREN ONLINE

IT IS ORDERED that Defendant, and its officers, agents, representatives, and employees, and all persons in active concert or participation with them who receive actual notice of this Order by personal service or otherwise, are hereby enjoined, directly or through any corporation, subsidiary, division, website, or other device, in connection with any website or online service directed to children, or on any website or online service through which they, with actual knowledge, collect, use, and/or disclose personal information from children, from:

  • failing to provide sufficient notice of the information Defendant collects online from children, how it uses such information, its disclosure practices, and all other content, as required by Section 312.4(b) of the Rule, 16 C.F.R. § 312.4(b);
  • failing to provide direct notice to parents of what information Defendant collects online from children, how it uses such information, its disclosure practices, and all other required content, as required by Section 312.4(c) of the Rule, 16 C.F.R. § 312.4(c);
  • failing to obtain verifiable parental consent before any collection, use, and/or disclosure of personal information from children, as required by Section 312.5 of the Rule, 16 C.F.R. § 312.5(a)(1);
  • failing to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children, as required by Section 312.8 of the Rule, 16 C.F.R. § 312.8; or
  • violating any other provision of the Rule, 16 C.F.R. Part 312, and as the Rule may hereafter be amended. A copy of the Rule is attached hereto as “Appendix A” and incorporated herein as if fully set forth verbatim.

IT IS FURTHER ORDERED that Defendant, and its officers, agents, representatives, and employees, and all persons in active concert or participation with them who receive actual notice of this Order by personal service or otherwise, are hereby enjoined, directly or through any corporation, subsidiary, division, website, or other device, in connection with the operation of any website or online service, from making any misrepresentation concerning the collection, use, disclosure, or deletion of children's personal information.

DELETION OF CHILDREN'S PERSONAL INFORMATION

IT IS FURTHER ORDERED that Defendant, within 10 days from the date of receipt of notice of the entry of this Order shall delete all personal information collected and maintained within its possession, custody, or control in violation of the Rule at any time from April 21, 2000 through the date of entry of this Order.

CONSUMER EDUCATION REMEDY

IT IS FURTHER ORDERED that, for a period of 5 years from the date of entry of this Order, Defendant, in connection with its operation of any website or online service directed to children, and any website or online service through which Defendant, with actual knowledge, collects, uses, and/or discloses personal information from children, shall place a clear and conspicuous notice, that will unavoidably be seen by users prior to the collection of personal information from the users, which states as follows in bold typeface:

NOTICE: Visit www.OnGuardOnline.gov for tips from the Federal Trade Commission on protecting kids' privacy online [“www.OnguardOnline.gov” must contain a hyperlink to http://www.onguardonline.gov/topics/kids-privacy.aspx]

The defendant shall be required to change the hyperlinks/URLs within 15 days after receipt of notice from the Federal Trade Commission stating a change to such hyperlinks/URLs.

CIVIL PENALTY

IT IS FURTHER ORDERED that Defendant shall pay to Plaintiff a civil penalty, pursuant to Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A), in the amount of two hundred and fifty thousand dollars ($250,000), due and payable within five (5) days of receipt of notice of the entry of this Order. Unless otherwise directed, payment shall be made by electronic fund transfer in accordance with procedures specified by the Consumer Protection Branch, Civil Division, U.S. Department of Justice, Washington, DC 20530.


  • Defendant relinquishes all dominion, control, and title to the funds paid to the fullest extent permitted by law. Defendant shall make no claim to or demand return of the funds, directly or indirectly, through counsel or otherwise.
  • Defendant agrees that the facts as alleged in the Complaint filed in this action shall be taken as true, without further proof, in any subsequent civil litigation filed by or on behalf of the Commission to enforce its rights to any payment or money judgment pursuant to this Order.
  • In the event of any default in payment, which default continues for ten (10) days beyond the due date of payment, the entire unpaid penalty, together with interest, as computed pursuant to 28 U.S.C. § 1961 (accrued from the date of default to the date of payment) shall immediately become due and payable.

INJUNCTION REGARDING SECURITY OF CONSUMER PERSONAL INFORMATION

IT IS ORDERED that Defendant, and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, limited liability company, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which they maintain and protect the privacy, confidentiality, security, or integrity of consumer personal information collected from or about consumers.



IT IS FURTHER ORDERED that Defendant, and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, limited liability company, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of consumer personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to Defendant's size and complexity, the nature and scope of Defendant's activities, and the sensitivity of the consumer personal information collected from or about consumers, including:

  • the designation of an employee or employees to coordinate and be accountable for the information security program.
  • the identification of material internal and external risks to the security, confidentiality, and integrity of consumer personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.
  • the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures.
  • the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding consumer personal information they receive from Defendant, and requiring service providers by contract to implement and maintain appropriate safeguards.
  • the evaluation and adjustment of Defendant's information security program in light of the results of the testing and monitoring required by subpart C, any material changes to Defendant's operations or business arrangements, or any other circumstances that Defendant knows or has reason to know may have a material impact on the effectiveness of its information security program. 

 
IT IS FURTHER ORDERED that, in connection with its compliance with Paragraph 23 of this order, Defendant shall obtain initial and biennial assessments and reports ("Assessments") from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first year after service of the Order for the initial Assessment, and (2) each 2 year period thereafter for 20 years after service of the Order for the biennial Assessments.


  • Each Assessment shall:
    • set forth the specific administrative, technical, and physical safeguards that Defendant has implemented and maintained during the reporting period;
    • explain how such safeguards are appropriate to Defendant's size and complexity, the nature and scope of Defendant's activities, and the sensitivity of the consumer personal information collected from or about consumers;
    • explain how the safeguards that have been implemented meet or exceed the protections required by the Paragraph 23 of this Order; and
    • certify that Defendant's security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of consumer personal information is protected and has so operated throughout the reporting period.
  • Each Assessment shall be prepared and completed within 60 days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.
  • Defendant shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within 10 days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by Defendant until the order is terminated and provided to the Associate Director for Enforcement within 10 days of request.

ORDER ACKNOWLEDGMENTS


IT IS FURTHER ORDERED that Defendant obtain acknowledgments of receipt of this Order:

  • Defendant, within 7 days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury. 
  • For 8 years after entry of this Order, Defendant must deliver a copy of this Order to: (1) all principals, officers, directors, and managers; (2) all employees, agents, and representatives having supervisory responsibilities relating to the collection, retention, storage, or security of consumer personal information and all employees, agents, and representatives having supervisory responsibilities related to the operation of any website or online service subject to this Order; and (3) any business entity resulting from any change in structure as set forth in the Section titled "Compliance Reporting." Delivery must occur within 7 days of entry of this Order for current personnel. To all others, delivery must occur before they assume their responsibilities.
  • From each individual or entity to which a Defendant delivered a copy of this Order, that Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.

COMPLIANCE REPORTING

IT IS FURTHER ORDERED that Defendant make timely submissions to the Commission:
  • One hundred eighty (180) days after the date of entry of this Order, Defendant must submit a compliance report, sworn under penalty of perjury. This report must:
    • Designate at least one telephone number and an email, physical, and postal address as points of contact, which representatives of the Commission may use to communicate with Defendant;
    • Identify all of Defendant's businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; 
    • Describe the activities of each business, including the products and services offered and the means of advertising, marketing, and sales;
    • Describe in detail whether and how Defendant is in compliance with each Section of this Order;
    • Provide a statement setting forth in detail the criteria and process through which Defendant's websites or online services register visitors online for any activity requiring the submission of personal information, and a copy of each different version of screen or page providing or collecting registration information;
    • Provide a copy of each different version of any privacy notice posted on each website or online service operated by Defendant;
    • Provide a statement setting forth in detail each place where the privacy notice on any such website or online service is located and a copy of each different version of screen or page on which such website or online service collects personal information;
    • Provide a copy of each different version of any privacy notice sent to parents of children that register on each website or online service;
    • Provide a statement setting forth in detail when and how each such notice to parents is provided;
    • Provide a statement setting forth in detail the methods used to obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children;
    • Provide a statement setting forth in detail the means provided for parents to review the personal information collected from their children and to refuse to permit its further use or maintenance;
    • Provide a statement setting forth in detail why each type of information collected from a child is reasonably necessary for the provision of the particular related activity;
    • Provide a statement setting forth in detail the procedures used to protect the confidentiality, security, and integrity of personal information collected from children; and
    • Provide a copy of each Order Acknowledgement obtained pursuant to this Order, unless previously submitted to the Commission.
  • For 20 years following entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of Defendant or any entity that Defendant has any ownership interest in or directly or indirectly controls that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.
  • Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or any similar proceeding by or against Defendant within 14 days of its filing.

  • Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 18 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on:       ” and supplying the date, signatory's full name, title (if applicable), and signature.
  • Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: FTC v. RockYou, Inc.

RECORDKEEPING

IT IS FURTHER ORDERED that Defendant must create certain records for 20 years after entry of the Order, and to retain each such record for 5 years. Specifically,

  • Defendant, in connection with personal information collected from consumers, including children under the age of 13, must maintain the following records:
    • Accounting records showing the revenues from all goods or services sold, all costs incurred in generating those revenues, and the resulting net profit or loss;
    • Personnel records showing, for each person providing services, whether as an employee or otherwise, that person's: name, addresses, and telephone numbers; job title or position; dates of service; and, if applicable, the reason for termination;
    • A copy of all complaints submitted by consumers to Defendant regarding its information security practices or its practices relating to the collection or retention of consumer personal information, including from children; 
    • All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and
    • A sample copy of every materially different form, page, or screen created, maintained, or otherwise provided by Defendant through which Defendant collects personal information, and a sample copy of each materially different document containing any representation regarding Defendant's collection, use, and disclosure practices pertaining to personal information of a child. Each web page copy shall be accompanied by the URL of the web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting information on the Internet. Provided, however, that Defendant shall not be required to retain any document for longer than two (2) years after the document was created, or to retain a print or electronic copy of any amended web page or screen to the extent that the amendment does not affect Defendant's compliance obligations under this Order.


COMPLIANCE MONITORING

IT IS FURTHER ORDERED that for the purpose of monitoring compliance with this Order:


  • Within 14 days of receipt of a written request from a representative of the Commission, Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents, for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.
  • For matters concerning this Order, the Commission is authorized to communicate directly with Defendant. Defendant must permit representatives of the Commission to interview any employee or other person affiliated with any Defendant who has agreed to such an interview. The person interviewed may have counsel present.
  • The Commission may use all other lawful means, including posing, through its representatives, as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the Commission's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.

RETENTION OF JURISDICTION

IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for the purposes of construction, modification, and enforcement of this Order.


JUDGMENT IS THEREFORE ENTERED in favor of Plaintiff and against Defendant, pursuant to all the terms and conditions recited above. 

Dated this 27 day of March, 2012.

The parties, by their counsel, hereby consent to the terms and conditions of the Order as set forth above and consent to the entry thereof.

 

FOR THE UNITED STATES OF AMERICA:


STUART F. DELERY
Acting Assistant Attorney General
Civil Division
U.S. Department of Justice


MAAME EWUSI-MENSAH FRIMPONG
Acting Deputy Assistant Attorney General
Civil Division


MICHAEL S. BLUME
Director
Consumer Protection Branch


KENNETH L. JOST
Deputy Director
Consumer Protection Branch


ALAN PHELPS
Trial Attorney
Consumer Protection Branch
U.S. Department of Justice
P.O. Box 386
Washington, DC 20044
Telephone: 202-307-6154
Fax: 202-514-8742
Email: alan.phelps@usdoj.gov

FOR THE FEDERAL TRADE COMMISSION:

KATRINA ANE BLODGE
Attorney
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20580
202-326-3158 (voice)
202-326-3062 (fax)

MAMIE KRESSES
Attorney
600 Pennsylvania Avenue, NW
Washington, D.C. 20580
202-326-2070 (voice)
202-326-3259 (fax)

CHRISTOPHER OLSEN
Attorney
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20580
202-326-3621 (voice)
202-326-3259 (fax)

FOR THE DEFENDANT:

RockYou, Inc.

LISA MARINO
Chief Executive Officer
RockYou, Inc.


GARRET RASMUSSEN
Orrick, Herrington & Sutcliffe LLP
Columbia Center
1152 15th Street, N.W.
Washington, D.C. 20005-1706
202-339-8481
Attorney for Defendant RockYou, Inc.
