The operator of Online Tax Preparation Service agrees to settle FTC charges that it violated financial privacy and security rules.

UNITED STATES OF AMERICA, BEFORE THE FEDERAL TRADE COMMISSION 

Commissioners: Maureen K. Ohlhausen, Acting Chairman; Terrell McSweeny

In the Matter of TAXSLAYER, LLC, a limited liability company.

DOCKET NO. C-4626 

COMPLAINT

The Federal Trade Commission, having reason to believe that TaxSlayer, LLC, a limited liability company, (“TaxSlayer” or “Respondent”), has violated the provisions of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule (“Privacy Rule”), 16 C.F.R. Part 313, recodified at 12 C.F.R. § 1016 (“Reg. P”), and issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act (“GLB Act”), 15 U.S.C. §§ 6801-6803; and the Standards for Safeguarding Customer Information Rule (“Safeguards Rule”), 16 C.F.R. Part 314, issued pursuant to Sections 501(b) and 505(b)(2) of the GLB Act, 15 U.S.C. §§ 6801(b), 6805(b)(2); and it appearing to the Commission that this proceeding is in the public interest, alleges:

• Respondent is a Georgia limited liability corporation with its principal office at 3003 TaxSlayer Drive, Evans, Georgia 30809.
• The acts and practices of Respondent alleged in this complaint have been in or affecting commerce, as “commerce” is defined in Section 4 of the Federal Trade Commission Act.

RESPONDENT’S BUSINESS PRACTICES

• Respondent advertises, offers for sale, sells, and distributes products and services to consumers, including TaxSlayer Online, a tax return preparation and electronic filing software and service.
• Respondent is a business that began more than 50 years ago as a tax return preparation firm. It developed tax return preparation software for its internal use in the 1980s. In the 1990s, it developed a browser-based software service that it advertises, offers for sale, sells, and distributes to assist consumers in preparing and electronically filing federal and state income tax returns. Over the years, Respondent added other tax return preparation products, including a mobile app. This Complaint refers to the browser-based software service and mobile app as “TaxSlayer Online.”
• In 2016, more than 950,000 individuals filed tax returns with TaxSlayer Online.
• Respondent typically charges consumers fees for the use of TaxSlayer Online.
• TaxSlayer Online users create an account by entering a username and password (“login credentials”) on an account creation page.
• They then input a host of personal information in order to create a tax return, including but not limited to: name, Social Security number (“SSN”), telephone number, physical address, income, employment status, marital status, identity of dependents, financial assets, financial activities, receipt of government benefits, home ownership, indebtedness, health insurance, retirement information, charitable donations, tax payments, tax refunds, bank account numbers, and payment card numbers. Respondent also collects IP addresses and persistent identifiers associated with the particular device from which the tax return is prepared and/or filed.
• TaxSlayer Online uses this personal information to prepare tax returns on behalf of customers. Once a tax return is prepared, a customer can file the return electronically through TaxSlayer Online with the Internal Revenue Service (“IRS”) and state departments of revenue. If a customer is entitled to a refund, Respondent offers the option of transferring the refund directly into a customer’s bank account. Customers may also elect to receive their tax refunds on a prepaid debit card.

RESPONDENT’S GRAMM-LEACH-BLILEY ACT (“GLB ACT”) VIOLATIONS

• Respondent is a financial institution subject to the GLB Act, as that term is defined by Section 509(3)(A) of the GLB Act, 15 U.S.C. § 6809(3)(A), because among other things, Respondent provides tax planning and tax preparation services, 16 C.F.R. § 313.3(k)(2)(viii); 12 C.F.R. § 1016.3(l)(3)(ii)(H); 12 C.F.R. § 225.28(b)(6)(vi) (“Reg. Y”), and data processing, 12 C.F.R. § 225.28(b)(14). Respondent collects nonpublic personal information, as defined by 16 C.F.R. § 313.3(n) and 12 C.F.R. § 1016.3(p)(1)-(3). Because Respondent is a financial institution that collects nonpublic personal information, it is subject to the requirements of the GLB Privacy Rule, 16 C.F.R. Part 313, Reg. P., 12 C.F.R. Part 1016, and the Safeguards Rule, 16 C.F.R. Part 314.

Privacy Rule and Reg. P

• The Privacy Rule, which implements Sections 501-503 of the GLB Act, 15 U.S.C. §§ 6801-6803, was promulgated by the Federal Trade Commission on May 24, 2000, and became effective on July 1, 2001. See 16 C.F.R. Part 313. Since the enactment of the Dodd-Frank Act on July 21, 2010, the Consumer Financial Protection Bureau (“CFPB”) became responsible for implementing the Privacy Rule, and accordingly promulgated the Privacy of Consumer Financial Information, Regulation P, 12 C.F.R. Part 1016 (“Reg. P”), which became effective on October 28, 2014. Accordingly, Respondent’s conduct is governed by the Privacy Rule prior to October 28, 2014, and by Reg. P after that date. The GLB Act authorizes both the CFPB and the Federal Trade Commission to enforce Reg. P. 15 U.S.C. § 6805.
• Both the Privacy Rule and Reg. P require financial institutions to provide consumers with an initial and annual privacy notice. Both the initial and annual privacy notices must be “clear and conspicuous,” 16 C.F.R. § 313.3(b) and 12 C.F.R. § 1016.3(b), and must “accurately reflect[] [the financial institution’s] privacy policies and practices.” 16 C.F.R. §§ 313.4 and 313.5 and 12 C.F.R. §§ 1016.4 and 1016.5. The privacy notice must include specified elements, including the categories of nonpublic personal information the financial institution collects and discloses, the categories of third parties to whom the financial institution discloses the information, and the security and confidentiality policies of the financial institution. 16 C.F.R. § 313.6; 12 C.F.R. § 1016.6. A financial institution must provide its privacy notice so that each consumer can reasonably be expected to receive actual notice. 16 C.F.R. § 313.9; 12 C.F.R. § 1016.9. An example, for the consumer who conducts transactions electronically, is to require the consumer to acknowledge receipt of the initial notice as a necessary step to obtaining the financial product or service. 16 C.F.R. § 313.9; 12 C.F.R. § 1016.9; Privacy of Consumer Financial Information, 65 Fed. Reg. 33646-01, at 33665-66 (May 24, 2000).

• Respondent failed to comply with the Privacy Rule requirements discussed in Paragraph 12. Specifically:
  • Respondent failed to provide a clear and conspicuous initial privacy notice. 16 C.F.R. § 313.4, 12 C.F.R. § 1016.4. Respondent’s Privacy Policy was contained towards the end of a long License Agreement, and Respondent did not convey the importance, nature, and relevance of this Privacy Policy to its customers.
  • Respondent failed to deliver the initial privacy notice so that each customer could reasonably be expected to receive actual notice. 16 C.F.R. § 313.9; 12 C.F.R. § 1016.9. For example, Respondent did not require customers to acknowledge receipt of the initial notice as a necessary step to obtaining a particular financial product or service.

Safeguards Rule

• The Safeguards Rule, which implements Section 501(b) of the GLB Act, 15 U.S.C. § 6801(b), was promulgated by the Commission on May 23, 2002, and became effective on May 23, 2003. The Rule requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing, implementing, and maintaining a comprehensive information security program that is written in one or more readily accessible parts, and that contains administrative, technical, and physical safeguards that are appropriate to the financial institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue, including:

  • Designating one or more employees to coordinate the information security program;
  • Identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, and assessing the sufficiency of any safeguards in place to control those risks;
  • Designing and implementing information safeguards to control the risks identified through risk assessment, and regularly testing or otherwise monitoring the effectiveness of the safeguards’ key controls, systems, and procedures;
  • Overseeing service providers, and requiring them by contract to protect the security and confidentiality of customer information; and
  • Evaluating and adjusting the information security program in light of the results of testing and monitoring, changes to the business operation, and other relevant circumstances.

• Respondent violated the Safeguards Rule. For example:

  • Respondent failed to have a written information security program until November 2015.
  • Respondent failed to conduct a risk assessment, which would have identified reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, including risks associated with inadequate authentication.
  • Respondent failed to implement information safeguards to control the risks to customer information from inadequate authentication. For example:
    • Respondent did not require consumers to choose strong passwords when setting up their accounts, which is a standard practice for accounts containing sensitive personal information. Respondent’s only requirement for passwords was that they be eight to sixteen characters in length. This created a risk that attackers could guess commonly-used passwords, or use dictionary attacks, to access TaxSlayer Online accounts.
    • Respondent failed to implement adequate risk-based authentication measures sufficient to mitigate the risk of list validation attacks when such attacks became reasonably foreseeable. List validation attacks occur when remote attackers use lists of stolen login credentials to attempt to access accounts across a number of popular Internet sites, knowing that consumers often reuse username and password combinations.
    • Respondent failed to inform TaxSlayer Online users when a material change was made to the mailing address, password, or security question associated with their accounts. Respondent also failed to inform TaxSlayer Online users when a material change is made to the bank account routing number or the payment method for a refund (e.g., from bank account to a pre-paid debit card) associated with their accounts.
    • Respondent failed to require customers to validate their email addresses at account creation, in order to verify accuracy and communicate with customers regarding security-related issues.
    • Respondent failed to use readily-available tools to prevent devices or IP addresses from attempting to access an unlimited number of TaxSlayer Online accounts in rapid succession through a list validation attack.

• Respondent became subject to a list validation attack that began on October 10, 2015, and ended on December 21, 2015. On that day, Respondent implemented multi-factor authentication, requiring users to first submit their username and password, and then to authenticate their device by, for example, entering a code that Respondent sent to the user’s email or mobile phone.

• As part of this list validation attack, the remote attackers were able to gain full access to 8,882 existing TaxSlayer Online accounts. In an unknown number of instances, the attackers engaged in tax identity theft by altering the bank routing and refund methods, e-filing fraudulent tax returns, and diverting the fabricated tax refunds to themselves. Customers were not notified when these alterations occurred. Respondent was not aware of this list validation attack until a TaxSlayer Online user called on January 11, 2016 to report suspicious activity on her account.

• Consumers who are the victims of tax identity theft spend significant time resolving this problem. Victims spend time calling the IRS and state tax authorities to report the tax identity theft. Victims then have to obtain PIN numbers from the IRS and file their taxes on paper using those PIN numbers. They then have to wait months to receive their tax refunds. To protect themselves and their dependents from future identity theft, victims freeze or place holds on their credit, and they spend additional time monitoring their credit histories and financial accounts. These victims also suffer out-of-pocket financial losses.

Count I Violations of the Privacy Rule and Reg. P

• As described in Paragraphs 11 to 13, the Privacy Rule and Reg. P require financial institutions to provide customers with a clear and conspicuous privacy notice that accurately reflects the financial institution’s privacy policies and practices. Further, financial institutions must deliver the privacy notice so that each customer could reasonably be expected to receive actual notice.

• Respondent is a financial institution, as defined in Section 509(3)(A) of the GLB Act, 15 U.S.C. § 6809(3)(A).

• As set forth in Paragraph 13.a, Respondent failed to provide its customers with a clear and conspicuous initial privacy notice. Therefore, Respondent violated the Privacy Rule, 16 C.F.R. § 313.4, and Reg. P, 12 C.F.R. § 1016.4.

• As set forth in Paragraph 13.b, Respondent failed to deliver the initial privacy notice so that each customer could reasonably be expected to receive actual notice. Therefore, Respondent violated the Privacy Rule, 16 C.F.R. § 313.9; and Reg. P., 12 C.F.R. § 1016.9.

• Therefore, the conduct set forth in Paragraphs 21 and 22 is a violation of the Privacy Rule and Reg. P.

Count II Violations of the Safeguards Rule

• As described in Paragraph 14, the Safeguards Rule requires financial institutions to have a written comprehensive information security program that includes specified elements, including a requirement to conduct a risk assessment. It also requires financial institutions to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and then design and implement information safeguards to control the risks identified through the risk assessment.

• Respondent is a financial institution, as defined in Section 509(3)(A) of the GLB Act, 15 U.S.C. § 6809(3)(A).

• As set forth in Paragraph 15a, Respondent failed to have a written comprehensive information security program until November 2015.

• As set forth in Paragraph 15b, Respondent did not conduct risk assessments to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.

• As set forth in Paragraph 15c, Respondent did not implement information safeguards to control risks, specifically the risk that remote attackers were using stolen account credentials to take over customers’ TaxSlayer Online accounts in order to perpetrate tax identity theft.

• Therefore, the conduct set forth in Paragraphs 26 to 28 is a violation of the Safeguards Rule.

• Pursuant to the GLB Act, violations of the Safeguards Rule and the Privacy Rule are enforced through the FTC Act.

THEREFORE, the Federal Trade Commission this twentieth day of October, 2017, has issued this Complaint against Respondent.

By the Commission.

DECISION

Findings 

• The Respondent, TaxSlayer, LLC, is a Georgia limited liability corporation with its principal office at 3003 TaxSlayer Drive, Evans, Georgia 30809. 
  
  
• The Commission has jurisdiction over the subject matter of this proceeding and over the Respondent, and the proceeding is in the public interest. 

ORDER

Definitions 

• “Personal information” means individually identifiable information from or about an individual consumer, including but not limited to: (1) email address; (2) user account credentials, such as a login name and password; (3) first and last name; (4) government-issued identification number, such as a Social Security number; (5) mobile or other telephone number; (6) home or other physical address, including street name and name of city or town; or (7) any information from or about an individual consumer that is combined with any of (1) through (6) above. 
• “Covered product or service” means any tax return preparation product or e-filing service, including any plan or program. 
• “Respondent” means TaxSlayer, LLC, and its successors and assigns. 

Provisions 

I. GLB Rule Violations

• The Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313, or the Privacy  of Consumer Financial Information Rule (Regulation P), 12 C.F.R. Part 1016; or 
• The Standards for Safeguarding Consumer Information Rule, 16 C.F.R. Part 314.

II. Biennial Assessment Requirements

• Set forth the specific administrative, technical, and physical safeguards that Respondent has implemented and maintained during the reporting period; 
• Explain how such safeguards are appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the personal information collected from or about consumers; 
• Explain how the safeguards that have been implemented meet or exceed the protections required by Section I (B) of this Order, and 
• Certify that Respondent’s security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.

III. Acknowledgments of the Order

• Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury. 
• For 20 years after issuance of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives having managerial responsibilities for the conduct specified in Provisions I through IV; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices.  Delivery must occur within 10 days after the effective date of this Order for current personnel.  For all others, delivery must occur before they assume their responsibilities. 
• From each individual or entity to which a Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order. 

IV. Compliance Reports and Notices

IT IS FURTHER ORDERED that Respondent make timely submissions to the Commission:

One year after the issuance date of this Order, Respondent must submit a compliance 
report, sworn under penalty of perjury, in which:

• Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (b) identify all of the Respondent’s businesses by their names, primary telephone numbers, and primary physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.

Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following:

• Respondent must submit notice of any change in: (a) any designated point of contact; or (b) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order. 

V. Recordkeeping

• Accounting records showing the revenues from all goods or services sold; 
• Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and, if applicable, the reason for termination; 
• Records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response; 
• All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; 
• A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, security and confidentiality of Personal Information, including any representation concerning a change in any website or other service controlled by Respondent that relates to the privacy, security and confidentiality of Personal Information; 
• For 5 years from the date of the last dissemination of any representation covered by this Order:

• • All materials that were relied upon in making the representation; and
  • All evidence in Respondent’s possession, custody, or control that contradicts, qualifies, or otherwise calls into question the representation, or the basis relied upon for the representation, including complaints and other communications with consumers or with governmental or consumer protection organizations; and
    
    
• For 5 years from the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies,  training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment. 

VI. Compliance Monitoring 

• Within 10 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information,  which must be sworn under penalty of perjury, and produce records for inspection and copying. 
• For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an  interview.  The interviewee may have counsel present. 
• The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification  or prior notice.  Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1. 

VII. Order Effective Dates

• Any provision in this Order that terminates in less than 20 years; 
• This Order’s application to a Respondent that is not named as a defendant in such complaint; and 
• This Order if such complaint is filed after the Order has terminated pursuant to this Provision.

Provided further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision, as though the  complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal. 
 
By the Commission.