Two Breach Cases Settled

The Federal Trade Commission (FTC) has announced that it has signed proposed agreements and consent orders with Ceridian Corporation (Ceridian) and Lookout Services, Inc (both undated), settling charges that the companies failed to protect sensitive employee data and subsequently experienced security breaches. Ceridian allegedly lacked adequate network security, allowing “an intruder to breach one of Ceridian’s web-based payroll processing applications in December 2009, and compromise the personal information … of approximately 28,000 employees of Ceridian’s small business customers”. Lookout Services also allegedly lacked sufficient network security, allowing unauthorised access to sensitive information relating to around 37,000 customers.

Under the settlement orders, both companies will be barred from making misleading claims about the privacy and security of personal information, and must implement “a comprehensive information security program and … obtain independent, third party security audits every other year for 20 years”.

The FTC is seeking comments on the proposed agreements, with online submission forms available for Ceridian and Lookout Services. Comments close 2 June 2011.
FTC’s media release (3 May 2011)

Related news item:
Computerworld: FTC settles data breach charges against two firms (3 May 2011)
(Source: FTC; Computerworld)