The IT Law Wiki

Citation[]

In re Reed Elsevier Inc. and Seisint, Inc., FTC File No. 052-3094 (March 27, 2008).

Factual Background[]

In the Federal Trade Commission’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI — through its LexisNexis data broker business — and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases.

The complaint alleges that, among other security failures, they allowed customers to use easy-to-guess passwords to access Seisint’s “Accurint” databases. The databases contained sensitive consumer information, including drivers license numbers and Social Security numbers. Identity thieves exploited these security failures, and through multiple breaches obtained access to sensitive information about at least 316,000 consumers from Accurint databases. The identity thieves used the information to activate credit cards and open new accounts, and made fraudulent purchases on the cards and new accounts. REI acquired Seisint in late 2004, and the breaches continued for at least nine months afterward, during which time REI controlled Seisint’s practices.

The agency charged that Seisint and REI:

  • Failed to make Seisint user credentials hard to guess;
  • Failed to require periodic changes of Seisint user credentials;
  • Failed to suspend credentials after a certain number unsuccessful log-in attempts;
  • Allowed Seisint customers to store their credentials in a vulnerable format in cookies on their computers;
  • Failed to require Seisint customers to encrypt or protect credentials, search queries or search results in transit between customer computers and Seisint websites;
  • Allowed customers to create new user credentials without confirming that the new credentials were created by customers rather than identity thieves;
  • Permitted users to share credentials;
  • Did not adequately assess the vulnerability of Seisint’s Web applications and computer network to commonly known attacks; and
  • Did not implement simple, low-cost, and readily available defenses to such attacks.

Settlement Agreement[]

The settlement with REI and Seisint (contained within a Agreement Containing Consent Order) requires them to establish and maintain comprehensive security programs to protect personal information that is in whole or part nonpublic information. The settlements require the programs to contain administrative, technical, and physical safeguards appropriate to each company’s size, the nature of its activities, and the sensitivity of the personal information it collects. Specifically, the companies must:

The settlements require the companies to retain independent, third-party security auditors to assess their security programs on a biennial basis for the next 20 years. The auditors will be required to certify that the companies’ security programs meet or exceed the requirements of the FTC’s orders and are operating with sufficient effectiveness to provide reasonable assurance that the security of consumers’ personal information is being protected.

The settlements also contain bookkeeping and record keeping provisions to allow the agency to monitor compliance with its orders.