[Federal Register Volume 76, Number 90 (Tuesday, May 10, 2011)]
[Notices]
[Pages 27056-27058]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-11182]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 102 3076]


Lookout Services, Inc.; Analysis of Proposed Consent Order To Aid 
Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices or unfair methods of competition. The attached Analysis to 
Aid Public Comment describes both the allegations in the draft 
complaint and the terms of the consent order--embodied in the consent 
agreement--that would settle these allegations.

DATES: Comments must be received on or before June 2, 2011.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Lookout Services, File 
No. 102 3076'' on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/lookout, by following the instructions 
on the Web-based form. If you prefer to file your comment on paper, 
mail or deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, Room H-113 (Annex D), 600 
Pennsylvania Avenue, NW., Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Kandi Parsons (202-326-2369) or 
Kristin Cohen (202-326-2276), FTC, Bureau of Consumer Protection, 600 
Pennsylvania Avenue, NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal 
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and § 2.34 of the 
Commission Rules of Practice, 16 CFR 2.34, notice is hereby given that 
the above-captioned consent agreement containing a consent order to 
cease and desist, having been filed with and accepted, subject to final 
approval, by the Commission, has been placed on the public record for a 
period of thirty (30) days. The following Analysis to Aid Public 
Comment describes the terms of the consent agreement, and the 
allegations in the complaint. An electronic copy of the full text of 
the consent agreement package can be obtained from the FTC Home Page 
(for May 3, 2011), on the World Wide Web, at http://www.ftc.gov/os/actions.shtm. A paper copy can be obtained from the FTC Public 
Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW., Washington, 
DC 20580, either in person or by calling (202) 326-2222.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before June 2, 2011. 
Write ``Lookout Services, File No. 102 3076'' on your comment. Your 
comment--including your name and your state--will be placed on the 
public record of this proceeding, including, to the extent practicable, 
on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to 
remove individuals' home contact information from comments before 
placing them on the Commission Web site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment doesn't include any 
sensitive personal information, like anyone's Social Security number, 
date of birth, driver's license number or other state identification 
number or foreign country equivalent, passport number, financial 
account number, or credit or debit card number. You are also solely 
responsible for making sure that your comment doesn't include any 
sensitive health information, like medical records or other 
individually identifiable health information. In addition, don't 
include any ``[t]rade secret or any commercial or financial information 
which is obtained from any person and which is privileged or 
confidential,'' as provided in Section 6(f) of the FTC Act, 15 U.S.C. 
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, don't 
include competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c), 16 CFR
4.9(c).\1\ Your comment will be kept confidential only if the FTC 
General Counsel, in his or her sole discretion, grants your request in 
accordance with the law and the public interest.
---------------------------------------------------------------------------

    \1\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/lookout, by following the instructions on the web-based form. If 
this Notice appears at http://www.regulations.gov/#!home, you also may 
file a comment through that Web site.
    If you file your comment on paper, write ``Lookout Services, File 
No. 102 3076'' on your comment and on the envelope, and mail or deliver 
it to the following address: Federal Trade Commission, Office of the 
Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, NW., 
Washington, DC 20580. If possible, submit your paper comment to the 
Commission by courier or overnight service.
    Visit the Commission Web site at http://www.ftc.gov to read this 
Notice and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before June 2, 2011. You can find more information, 
including routine uses permitted by the Privacy Act, in the 
Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

Analysis of Agreement Containing Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, a consent order applicable to Lookout Services, Inc.
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission will again review the 
agreement and the comments received, and will decide whether it should 
withdraw from the agreement and take appropriate action or make final 
the agreement's proposed order.
    The Commission's complaint alleges that Lookout sells a web-based 
computer product known as the I-9 Solution. This product is designed to 
help employers comply with their obligations under federal law to 
complete and maintain a U.S. Citizenship and Immigration Services Form 
I-9 about each employee in order to verify that the employee is 
eligible to work in the United States. The complaint alleges that the 
I-9 Solution routinely collects and stores information about Lookout's 
customers' employees, including, but not limited to: Names; addresses; 
dates of birth; Social Security numbers; passport numbers; alien 
registration numbers; driver's license numbers; and military 
identification numbers. This highly sensitive information is maintained 
in Lookout's database (the ``I-9 database''). The misuse of such 
information--particularly Social Security numbers, which do not 
expire--can facilitate identity theft, including existing and new 
account fraud, and related consumer harms.
    The complaint alleges that, since at least 2006, Lookout engaged in 
a number of practices that, taken together, failed to provide 
reasonable and appropriate security for the personal information it 
collected and maintained. The challenged practices are fundamental 
security failures, most of which have been challenged in prior FTC data 
security cases. Among other things, Lookout:
    a. Failed to implement reasonable policies and procedures for the 
security of sensitive consumer information it collected and maintained;
    b. Failed to establish or enforce rules sufficient to make user 
credentials (i.e., user ID and password) hard to guess;
    c. Failed to require periodic changes of user credentials, such as 
every 90 days, for customers and employees with access to sensitive 
personal information;
    d. Failed to suspend user credentials after a certain number of 
unsuccessful login attempts;
    e. Did not adequately assess and address the vulnerability of its 
Web application to widely-known security flaws, such as ``predictable 
resource location,'' which enables users to easily predict patterns and 
manipulate the uniform resource locators (``URL'') to gain access to 
secure Web pages;
    f. Allowed users to bypass the authentication procedures on 
Lookout's Web site when they typed in a specific URL;
    g. Failed to employ sufficient measures to detect and prevent 
unauthorized access to computer networks, such as by employing an 
intrusion detection system and monitoring system logs; and
    h. Created an unnecessary risk to personal information by storing 
passwords used to access the I-9 database in clear text.

Each of these failures could have been remedied using well-known, 
readily available, and/or free or low-cost data security measures.
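The controls whose absence items b, d, e, f and h describe, shown as an added Python example that is not Lookout's product or any FTC material: salted password hashing instead of cleartext storage, lockout after repeated failed logins, and a server-side authorization check on every record request so that a guessable record id by itself grants nothing. The lockout threshold, user names, employer labels and I-9 records below are constructed placeholders.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5    # constructed threshold; the complaint states no number
PBKDF2_ITERATIONS = 200_000

RECORDS = {  # constructed sample I-9 records keyed by a sequential, guessable id
    1001: {"employer": "acme", "employee": "A. Example"},
    1002: {"employer": "globex", "employee": "B. Example"},
}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: only salt and digest are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class CredentialStore:
    """In-memory user store with lockout after repeated failed logins (item d)."""
    def __init__(self):
        self.users = {}

    def add_user(self, user_id, password, employer):
        salt, digest = hash_password(password)
        self.users[user_id] = {"salt": salt, "hash": digest, "failed": 0,
                               "locked": False, "employer": employer}

    def login(self, user_id, password):
        user = self.users.get(user_id)
        if user is None or user["locked"]:
            return False
        _, candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            user["failed"] = 0       # a good login clears the counter
            return True
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True    # stays locked until an administrator resets it
        return False


def fetch_record(store, user_id, record_id):
    """Authorize each record request for the already-authenticated user_id (items e, f)."""
    user = store.users.get(user_id)
    record = RECORDS.get(record_id)
    if user is None or user["locked"] or record is None or record["employer"] != user["employer"]:
        return None
    return record
```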

    The complaint further alleges that, as a result of these failures, 
an employee of a Lookout customer was able to obtain unauthorized 
access to Lookout's I-9 database on two separate occasions between 
October and December 2009. In both instances, the employee gained 
unauthorized access to the personal information, including Social 
Security numbers, of more than 37,000 consumers. Given the sensitive 
nature of the personal information exposed, the company's failure to 
provide reasonable and appropriate security for this information is 
likely to cause consumers substantial injury as described above. That 
substantial injury is not offset by countervailing benefits to 
consumers or competition and is not reasonably avoidable by consumers. 
The complaint alleges that Lookout's failure to employ reasonable and 
appropriate measures to prevent unauthorized access to sensitive 
personal information is an unfair act or practice and that the company 
misrepresented that it had implemented such measures, in violation of 
Section 5 of the Federal Trade Commission Act.
    The proposed order applies to personal information that Lookout 
collects from or about consumers and employees. It contains provisions 
designed to prevent Lookout from engaging in the future in practices 
similar to those alleged in the complaint.
    Part I of the proposed order prohibits misrepresentations about the 
privacy, confidentiality, or integrity of personal information 
collected from or about consumers. Part II of the proposed order 
requires Lookout to establish and maintain a comprehensive information 
security program that is reasonably designed to protect the security, 
confidentiality, and integrity of personal information collected from 
or about consumers. The security program must contain administrative, 
technical, and physical safeguards appropriate to Lookout's size and 
complexity, the nature and scope of its activities, and the sensitivity 
of the information collected from or about consumers and employees. 
Specifically, the proposed order requires Lookout to:

    • Designate an employee or employees to coordinate and be 
accountable for the information security program;
    • Identify material internal and external risks to the 
security, confidentiality, and integrity of personal information that 
could result in the unauthorized disclosure, misuse, loss, alteration, 
destruction, or other compromise of such information, and assess the 
sufficiency of any safeguards in place to control these risks;
    • Design and implement reasonable safeguards to control the 
risks identified through risk assessment, and regularly test or monitor 
the effectiveness of the safeguards' key controls, systems, and 
procedures;
    • Develop and use reasonable steps to select and retain 
service providers capable of appropriately safeguarding personal 
information they receive from Lookout, and require service providers by 
contract to implement and maintain appropriate safeguards; and
    • Evaluate and adjust its information security programs in 
light of the results of testing and monitoring, any material changes to 
operations or business arrangements, or any other circumstances that it 
knows or has reason to know may have a material impact on its 
information security program.
    Part III of the proposed order requires Lookout to obtain within 
the first one hundred eighty (180) days after service of the order, and 
on a biennial basis thereafter for a period of twenty (20) years, an 
assessment and report from a qualified, objective, independent third-
party professional, certifying, among other things, that: (1) It has in 
place a security program that provides protections that meet or exceed 
the protections required by Part II of the proposed order; and (2) its 
security program is operating with sufficient effectiveness to provide 
reasonable assurance that the security, confidentiality, and integrity 
of sensitive consumer, employee, and job applicant information has been 
protected.
    Parts IV through VIII of the proposed order are reporting and 
compliance provisions. Part IV requires Lookout to retain documents 
relating to its compliance with the order. For most records, the order 
requires that the documents be retained for a five-year period. For the 
third-party assessments and supporting documents, Lookout must retain 
the documents for a period of three years after the date that each 
assessment is prepared. Part V requires dissemination of the order now 
and in the future to all current and future subsidiaries, current and 
future principals, officers, directors, and managers, and to persons 
with responsibilities relating to the subject matter of the order. Part 
VI ensures notification to the FTC of changes in corporate status.
    Part VII mandates that Lookout submit a compliance report to the 
FTC within 60 days, and periodically thereafter as requested. Part VIII 
is a provision ``sunsetting'' the order after twenty (20) years, with 
certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the proposed order or to modify its terms in any way.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2011-11182 Filed 5-9-11; 8:45 am]
BILLING CODE 6750-01-P