[Federal Register Volume 82, Number 170 (Tuesday, September 5, 2017)]
[Notices]
[Pages 41959-41961]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-18706]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 162 3063]
TaxSlayer, LLC; Analysis To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of the Gramm-Leach-Bliley Act Privacy Rule, and of the
Gramm-Leach-Bliley Act Safeguards Rule. The attached Analysis To Aid
Public Comment describes both the allegations in the complaint and the
terms of the consent order--embodied in the consent agreement--that
would settle these allegations.
DATES: Comments must be received on or before September 29, 2017.
ADDRESSES: Interested parties may file a comment online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write: ``In the Matter of
TaxSlayer, LLC, File No. 1623063'' on your comment, and file your
comment online at https://ftcpublic.commentworks.com/ftc/taxslayerconsent by following the instructions on the web-based form.
If you prefer to file your comment on paper, write ``In the Matter of
TaxSlayer, LLC, File No. 1623063'' on your comment and on the envelope,
and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex
D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Katherine McCarron (202-326-2333) and
Jacqueline Connor (202-326-2844), Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis To Aid Public Comment describes the terms of the
consent agreement, and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC Home Page (for August 29, 2017), on the World Wide Web, at
https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before September 29,
2017. Write ``In the Matter of TaxSlayer, LLC, File No. 1623063'' on
your comment. Your comment--including your name and your state--will be
placed on the public record of this proceeding, including, to the
extent practicable, on the public Commission Web site, at https://www.ftc.gov/policy/public-comments.
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/taxslayerconsent by following the instructions on the web-based
form. If this Notice appears at http://www.regulations.gov/#!home, you
also may file a comment through that Web site.
If you prefer to file your comment on paper, write ``In the Matter
of TaxSlayer, LLC, File No. 1623063'' on your comment and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex
D), Washington, DC 20024. If possible, submit your paper comment to
the Commission by courier or overnight service.
Because your comment will be placed on the publicly accessible FTC
Web site at https://www.ftc.gov, you are solely responsible for making
sure that your comment does not include any sensitive or confidential
information. In particular, your comment should not include any
sensitive personal information, such as your or anyone else's Social
Security number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure that your comment does not include
any sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2),
16 CFR 4.10(a)(2)--including in particular competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comment to be withheld from
the public record. See FTC Rule 4.9(c). Your comment will be kept
confidential only if the General Counsel grants your request in
accordance with the law and the public interest. Once your comment has
been posted on the public FTC Web site--as legally required by FTC Rule
4.9(b)--we cannot redact or remove your comment from the FTC Web site,
unless you submit a confidentiality request that meets the requirements
for such treatment under FTC Rule 4.9(c), and the General Counsel
grants that request.
Visit the FTC Web site at http://www.ftc.gov to read this Notice
and the news release describing it. The FTC Act and other laws that the
Commission administers permit the collection of public comments to
consider and use in this proceeding, as appropriate. The Commission
will consider all timely and responsive public comments that it
receives on or before September 29, 2017. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Agreement Containing Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, an agreement containing a consent order from TaxSlayer, LLC
(``TaxSlayer'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission again will review the
agreement and the comments received and will decide whether it should
withdraw from the agreement or make final the agreement's proposed
order.
This matter involves TaxSlayer, a company that advertises, offers
for sale, sells, and distributes products and services to consumers,
including TaxSlayer Online, a browser-based tax return preparation and
electronic filing software and service. TaxSlayer Online assists
consumers, typically for a fee, in preparing and electronically filing
federal and state income tax returns. In 2016, more than 950,000
individuals filed tax returns using TaxSlayer Online.
TaxSlayer Online users create an account by entering a username and
password (``login credentials'') on an account creation page. They then
input a host of personal information in order to create a tax return,
including but not limited to: Name, Social Security number (``SSN''),
telephone number, physical address, income, employment status, marital
status, identity of dependents, financial assets, financial activities,
receipt of government benefits, home ownership, indebtedness, health
insurance, retirement information, charitable donations, tax payments,
tax refunds, bank account numbers, and payment card numbers.
TaxSlayer Online uses this personal information to prepare tax
returns on behalf of customers. Once a tax return is prepared, a
customer can file the return electronically through TaxSlayer Online
with the Internal Revenue Service (``IRS'') and state departments of
revenue. If a customer is entitled to a refund, TaxSlayer offers the
option of directing the refund into a customer's bank account, or
customers may elect to receive their refunds on a prepaid debit card.
The complaint alleges that TaxSlayer became subject to a list
validation attack that began in October 2015. List validation attacks
occur when attackers use lists of stolen login credentials to attempt
to access accounts across a number of Web sites, knowing that consumers
often reuse login credentials. In an unknown number of instances, the
attackers engaged in tax identity theft by e-filing fraudulent tax
returns and diverting the fabricated refunds to themselves.
The Commission's complaint alleges that TaxSlayer failed to comply
with the Gramm-Leach-Bliley (``GLB'') Act Privacy Rule in two ways.
First, TaxSlayer failed to provide a clear and conspicuous initial
privacy notice. TaxSlayer's Privacy Policy was contained towards the
end of a long License Agreement, and TaxSlayer did not convey the
importance, nature, and relevance of this Privacy Policy to its
customers. Second, TaxSlayer failed to deliver the initial privacy
notice so that each customer could reasonably be expected to receive
actual notice. For example, TaxSlayer did not require customers to
acknowledge receipt of the
initial privacy notice as a necessary step to obtaining a particular
financial product or service.
In addition, the complaint alleges that TaxSlayer engaged in a
number of practices that, taken together, failed to provide reasonable
and appropriate security for sensitive information from consumers, in
violation of the GLB Act Safeguards Rule. First, TaxSlayer failed to
have a written information security program until November 2015.
Second, TaxSlayer failed to conduct a risk assessment, which would have
identified reasonably foreseeable risks to the security,
confidentiality, and integrity of customer information, including risks
associated with inadequate authentication. Third, TaxSlayer failed to
implement information safeguards to control the risks to customer
information from inadequate authentication.
The proposed order contains provisions designed to prevent
TaxSlayer from engaging in practices similar to those alleged in the
complaint. Part I prohibits TaxSlayer from violating any provision of
the GLB Act Privacy Rule and Safeguards Rule. Part II of the proposed
order requires TaxSlayer to obtain, within the first one hundred eighty
(180) days after service of the order and on a biennial basis
thereafter for a period of ten (10) years, an assessment and report
from a qualified, objective, independent third-party professional,
certifying, among other things, that: (1) It has in place a security
program that provides protections that meet or exceed the protections
required by Part I.B of the order, and (2) its security program is
operating with sufficient effectiveness to provide reasonable assurance
that the security, confidentiality, and integrity of sensitive consumer
information has been protected.
Parts III through VII of the proposed order are reporting and
compliance provisions. Part III requires dissemination of the order now
and in the future to all current and future principals, officers,
directors, and LLC managers and directors, and to persons with
managerial or supervisory responsibilities relating to Parts I through
IV of the order. Part IV ensures notification to the FTC of changes in
corporate status and mandates that TaxSlayer submit an initial
compliance report to the FTC. Part V requires TaxSlayer to retain
documents relating to its compliance with the order for a five-year
period. Part VI mandates that TaxSlayer make available to the FTC
information or subsequent compliance reports, as requested. Part VII is
a provision ``sunsetting'' the order after twenty (20) years, with
certain exceptions.
The purpose of this analysis is to facilitate public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed complaint or order, or to modify in any
way the proposed order's terms.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2017-18706 Filed 9-1-17; 8:45 am]
BILLING CODE 6750-01-P