Reed Elsevier Inc. and Seisint, Inc.; Analysis of Proposed Consent Order to Aid Public Comment, 18279-18281 [E8-6952]
Federal Register / Vol. 73, No. 65 / Thursday, April 3, 2008 / Notices
1. Kirkwood Bancorporation Co., Bismarck, North Dakota; to acquire 27.67 percent of the voting shares of Kirkwood Bancorporation of Nevada, Inc., and thereby indirectly acquire voting shares of Kirkwood Bank of Nevada, both of Las Vegas, Nevada, a de novo bank.

2. Kirkwood Bancorporation of Nevada, Inc.; to become a bank holding company by acquiring 100 percent of the voting shares of Kirkwood Bank of Nevada, both of Las Vegas, Nevada, a de novo bank.

Board of Governors of the Federal Reserve System, March 31, 2008.

Robert deV. Frierson,
Deputy Secretary of the Board.

[FR Doc. E8–6925 Filed 4–2–08; 8:45 am]
BILLING CODE 6210–01–S
FEDERAL RESERVE SYSTEM

Notice of Proposals to Engage in Permissible Nonbanking Activities or to Acquire Companies that are Engaged in Permissible Nonbanking Activities; Correction

This notice corrects a notice (FR Doc. E8–4013) published on page 11419 of the issue for Monday, March 3, 2008. Under the Federal Reserve Bank of Richmond, the entry for Bank of America Corporation, Charlotte, North Carolina, is revised to read as follows:

A. Federal Reserve Bank of Richmond (A. Linwood Gill, III, Vice President) 701 East Byrd Street, Richmond, Virginia 23261–4528:

1. Bank of America Corporation, Charlotte, North Carolina; to acquire Countrywide Financial Corporation, Calabasas, California, and thereby indirectly acquire Countrywide Bank, FSB, Alexandria, Virginia, Countrywide Home Loans, Inc., Calabasas, California, Countrywide Financial Corporation, Calabasas, California, Countrywide Financial Holding Company, Inc., Calabasas, California, Effinity Financial Corporation, Alexandria, Virginia, Countrywide Tax Services Corporation, Simi Valley, California, CTC Real Estate Services, Calabasas, California, Countrywide Servicing Exchange, Calabasas, California, Countrywide Asset Management Corp., Calabasas, California, Landsafe Appraisal Services, Inc., Plano, Texas, Landsafe Credit, Inc., Richardson, Texas, Landsafe Flood Determination, Inc., Richardson, Texas, Landsafe Title of California, Inc., Rosemead, California, Landsafe Title of Texas, Inc., Rosemead, California, Landsafe Title of Florida, Inc., Calabasas, California, Countrywide Warehouse Lending, Calabasas, California, Countrywide Home Loans Servicing LP, Plano, Texas, Countrywide Mortgage Ventures, LLC, Calabasas, California, Countrywide Commercial Real Estate Finance, Inc., Calabasas, California, The Countrywide Foundation, Calabasas, California, Recontrust Company, National Association, Thousand Oaks, California, CWB Community Assets, Inc., Thousand Oaks, California, Countrywide Commercial Administration LLC, Calabasas, California, Recontrust Company (Nevada) Thousand Oaks, California, Countrywide KB Home Loans, LLC, Thousand Oaks, California, CWB Mortgage Ventures, LLC, Thousand Oaks, California, Landsafe Services of Alabama, Inc., Rosemead, California, Landsafe Title of Maryland, Inc., Calabasas, California and thereby engage in (1) operating a savings association; (2) operating a nondepository trust company; (3) community development activities; (4) extending credit and servicing loans; (5) real estate and personal property appraising; (6) credit bureau services; (7) asset management, servicing, and collection activities; (8) acquiring debt in default; and (9) providing tax services for residential mortgage transactions pursuant to sections 225.28(b)(1), 225.28(b)(2), 225.28(b)(4), 225.28(b)(5), 225.28(b)(6) and 225.28(b)(12) of Regulation Y.

In connection with this proposal Bank of America Corporation has applied to acquire from Bank of America, National Association, Charlotte, North Carolina, 20,000 shares of Series B Non–Voting Convertible Preferred Stock of Countrywide Financial Corporation, Calabasas, California, which is convertible at the option of the holder into approximately 15.7 percent of the voting common stock of Countrywide Financial Corporation.

Comments on this application must be received by April 29, 2008.

Board of Governors of the Federal Reserve System, March 31, 2008.

Robert deV. Frierson,
Deputy Secretary of the Board.

[FR Doc. E8–6924 Filed 4–2–08; 8:45 am]
BILLING CODE 6210–01–S
FEDERAL TRADE COMMISSION

[File No. 052 3094]

Reed Elsevier Inc. and Seisint, Inc.; Analysis of Proposed Consent Order to Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

SUMMARY: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices or unfair methods of competition. The attached Analysis to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

DATES: Comments must be received on or before April 28, 2008.

ADDRESSES: Interested parties are invited to submit written comments. Comments should refer to ‘‘Reed Elsevier and Seisint, File No. 052 3094,’’ to facilitate the organization of comments. A comment filed in paper form should include this reference both in the text and on the envelope, and should be mailed or delivered to the following address: Federal Trade Commission/Office of the Secretary, Room 135–H, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. Comments containing confidential material must be filed in paper form, must be clearly labeled ‘‘Confidential,’’ and must comply with Commission Rule 4.9(c). 16 CFR 4.9(c) (2005).1 The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions. Comments that do not contain any nonpublic information may instead be filed in electronic form by following the instructions on the web-based form at https://secure.commentworks.com/ftc-ReedElsevierSeisint. To ensure that the Commission considers an electronic comment, you must file it on that web-based form.

The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC website, to the extent practicable, at www.ftc.gov. As a matter of discretion, the FTC makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC website. More information, including routine uses permitted by the Privacy Act, may be found in the FTC’s privacy policy, at https://www.ftc.gov/ftc/privacy.shtm.

1 The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission’s General Counsel, consistent with applicable law and the public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).

FOR FURTHER INFORMATION CONTACT: Alain Sheer, FTC Bureau of Consumer Protection, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580, (202) 326–2252.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and § 2.34 of the Commission Rules of Practice, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for March 27, 2008), on the World Wide Web, at https://www.ftc.gov/os/2008/03/index.htm. A paper copy can be obtained from the FTC Public Reference Room, Room 130–H, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580, either in person or by calling (202) 326–2222.

Public comments are invited, and may be filed with the Commission in either paper or electronic form. All comments should be filed as prescribed in the ADDRESSES section above, and must be received on or before the date specified in the DATES section.
Analysis of Agreement Containing Consent Order to Aid Public Comment

The Federal Trade Commission has accepted, subject to final approval, a consent agreement from Reed Elsevier Inc. (‘‘REI’’) and Seisint, Inc. (‘‘Seisint’’).

The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement’s proposed order.

The Commission’s proposed complaint alleges that REI (through its LexisNexis division) and Seisint are data brokers. REI acquired Seisint on September 1, 2004 and has continued to operate Seisint under the Seisint name; REI also uses Seisint’s technologies and facilities in REI’s LexisNexis data broker business. In connection with Seisint’s business, proposed respondents collect, and store in electronic databases, information about millions of consumers, including names, current and prior addresses, dates of birth, driver’s license numbers, and Social Security numbers (‘‘SSNs’’). They also sell products customers use to retrieve information from the databases, including products to locate assets and people, authenticate identities, and verify credentials. Until at least mid-2005, access to information in Seisint databases was controlled using only user IDs and passwords (‘‘credentials’’). Seisint customers include insurance companies, debt collectors, employers, landlords, law firms, and law enforcement and other government agencies.

The complaint further alleges that REI and Seisint engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information stored in Seisint databases. In particular, they: (1) failed to make credentials hard to guess; (2) failed to require periodic changes of credentials (such as every 90 days, for customers with access to sensitive consumer information); (3) failed to suspend credentials after a certain number of unsuccessful log-in attempts; (4) allowed customers to store their credentials in a vulnerable format in cookies on their computers; (5) failed to require customers to encrypt or otherwise protect credentials, search queries, and/or search results in transit between customer computers and Seisint websites; (6) allowed customers to create new credentials without confirming that the new credentials were created by customers rather than identity thieves; (7) permitted users to share credentials; (8) did not adequately assess the vulnerability of Seisint’s web application and computer network to commonly known or reasonably foreseeable attacks, such as ‘‘Cross-Site Scripting’’ attacks; and (9) did not implement simple, low-cost, and readily available defenses to such attacks. As a result, an attacker could easily guess or intercept the user credentials of legitimate customers and use them to access sensitive information—including SSNs—about millions of consumers.
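The first four failures in the list above map directly onto a small set of authentication controls. As an added illustration, not part of the notice and not Seisint's or LexisNexis's code, the Python below implements what a defender would put in place for failures (1) through (4): rejecting guessable credentials at creation, requiring a change after 90 days, suspending an account after a threshold of failed log-in attempts, and issuing a random session token marked Secure and HttpOnly instead of letting the credential itself sit in a cookie. Only the 90-day period comes from the notice; the five-attempt threshold, the 15-minute lockout, the 12-character minimum, the denylist and the account data are assumed or constructed for the example.

```python
"""Added example (not from the notice, not Seisint's code): the credential
controls whose absence the complaint describes as failures (1) through (4).
Policy values other than the 90-day change period are assumptions."""
import hashlib
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5                     # assumed: lock after five bad attempts
LOCKOUT_PERIOD = timedelta(minutes=15)      # assumed lockout length
MAX_CREDENTIAL_AGE = timedelta(days=90)     # the 90-day period named in the notice
MIN_PASSWORD_LENGTH = 12                    # assumed minimum length
DENYLIST = {"password", "password1", "welcome1", "letmein"}  # constructed sample list


def is_guessable(password: str) -> bool:
    """Failure (1): credentials must be hard to guess. Reject short,
    denylisted, or single-character-class passwords."""
    if len(password) < MIN_PASSWORD_LENGTH or password.lower() in DENYLIST:
        return True
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes < 3


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a copied credential table does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user_id: str, password: str, now: datetime) -> bool:
        """Refuse guessable credentials at creation time."""
        if is_guessable(password):
            return False
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt), now)
        return True

    def login(self, user_id: str, password: str, now: datetime) -> str:
        """Returns 'ok', 'denied', 'locked' or 'rotation_required'.
        An unknown user gets the same 'denied' as a wrong password."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"
        # Failure (3): suspend credentials after too many unsuccessful attempts.
        if acct.locked_until is not None and now < acct.locked_until:
            return "locked"
        if not secrets.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.failed_attempts = 0
                acct.locked_until = now + LOCKOUT_PERIOD
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        acct.locked_until = None
        # Failure (2): require a periodic change of credentials.
        if now - acct.password_set_at > MAX_CREDENTIAL_AGE:
            return "rotation_required"
        return "ok"


def session_cookie() -> str:
    """Failure (4): never put the credential in a cookie. Issue a random
    session token, sent only over TLS and unreadable from script."""
    return f"session={secrets.token_urlsafe(32)}; Secure; HttpOnly; SameSite=Strict; Path=/"


def demo() -> List[str]:
    """Walk one constructed account through the checks with fixed timestamps."""
    svc = AuthService()
    t0 = datetime(2008, 4, 3, 9, 0)
    good = "Correct-Horse-7-Battery"
    out = [str(svc.register("alice", "password1", t0)),   # guessable: rejected
           str(svc.register("alice", good, t0))]           # accepted
    out.append(svc.login("alice", good, t0))                # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        out.append(svc.login("alice", "wrong", t0))         # 4 x denied, then locked
    out.append(svc.login("alice", good, t0 + timedelta(minutes=1)))   # still locked
    out.append(svc.login("alice", good, t0 + timedelta(minutes=16)))  # lockout expired
    out.append(svc.login("alice", good, t0 + timedelta(days=91)))     # credential too old
    return out


if __name__ == "__main__":
    print(demo())
    print(session_cookie())
```

The lockout counter resets on a successful login and the rotation check runs only after the password has been verified, so an attacker probing an account learns nothing about its age from the response; failures (5) through (9) in the list (transport encryption, credential-reset verification, shared credentials, and cross-site scripting) are separate controls not shown here.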
The complaint alleges that on multiple occasions since January 2003, identity thieves exploited these vulnerabilities to obtain the credentials of legitimate Seisint customers. The thieves then used the credentials to make thousands of unauthorized searches for consumer information in Seisint databases. These breaches disclosed sensitive information about more than 300,000 consumers, including, in many instances, names, current and prior addresses, dates of birth, and SSNs. In some instances, the thieves opened new credit accounts in the names of consumers whose information was disclosed and made purchases on the new accounts. In other instances, they used the information to activate newly-issued credit cards stolen from legitimate cardholders and then made fraudulent purchases on the cards. Although some of these breaches occurred before REI acquired Seisint on September 1, 2004, they continued for at least 9 months after the acquisition, during which time Seisint was under REI’s control.

The proposed order applies to nonpublic information sold by Seisint and LexisNexis, as well as by any other business within REI to the extent that the business sells products that include an SSN; driver’s license number; date of birth; or bank, credit card, or other financial account number or information. The order also contains provisions designed to prevent respondents from engaging in the future in practices similar to those alleged in the complaint.

Part I of the proposed order requires each respondent to establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of nonpublic personal information collected from or about consumers. The security programs must contain administrative, technical, and physical safeguards appropriate to the respondent’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers. Specifically, the order requires each respondent to:

• Designate an employee or employees to coordinate and be accountable for the information security program.

• Identify material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.

• Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

• Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from the respondent, and require service providers by contract to implement and maintain appropriate safeguards.

• Evaluate and adjust its information security programs in light of the results of testing and monitoring, any material changes to operations or business arrangements, or any other circumstances that it knows or has reason to know may have material impact on its information security program.

Part II of the proposed order requires each respondent to obtain within 180 days, and on a biennial basis thereafter for a period of twenty (20) years, an assessment and report from a qualified, objective, independent third-party professional, certifying, among other things, that: (1) it has in place a security program that provides protections that meet or exceed the protections required by Part I of the proposed order; and (2) its security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of consumers’ personal information has been protected.

Parts III through VII of the proposed order are reporting and compliance provisions. Part III requires respondents to retain documents relating to their compliance with the order. For most records, the order requires that the documents be retained for a five-year period. For the third-party assessments and supporting documents, respondents must retain the documents for a period of three years after the date that each assessment is prepared. Part IV requires dissemination of the order now and in the future to persons with responsibilities relating to the subject matter of the order. Part V ensures notification to the FTC of changes in corporate status. Part VI mandates that each respondent submit a compliance report to the FTC within 180 days, and periodically thereafter as requested. Part VII is a provision ‘‘sunsetting’’ the order after twenty (20) years, with certain exceptions.

This is the Commission’s nineteenth case to challenge the failure by a company to implement reasonable information security practices. Each of the Commission’s cases to date has alleged that a number of security practices, taken together, failed to provide reasonable and appropriate security to prevent unauthorized access to consumers’ information. The practices challenged in the cases have included, but are not limited to: (1) creating unnecessary risks to sensitive information by storing it on computer networks without a business need to do so; (2) storing sensitive information on networks in a vulnerable format; (3) failing to use readily available security measures to limit access to a computer network through wireless access points on the network; (4) failing to adequately assess the vulnerability of a web application and computer network to commonly known or reasonably foreseeable attacks; (5) failing to implement simple, low-cost, and readily available defenses to such attacks; and (6) failing to use readily available security measures to limit access between computers on a network and between such computers and the Internet. This proposed action against REI and Seisint is the first to challenge alleged security failures involving the security of passwords. Passwords are a critical part of a reasonable and appropriate security program because passwords are typically the first (and are often the only) method used to authenticate (or authorize) users to access resources, such as programs and databases, available on a computer network or online.

The purpose of this analysis is to facilitate public comment on the proposed order. It is not intended to constitute an official interpretation of the proposed order or to modify its terms in any way.

By direction of the Commission.

Donald S. Clark,
Secretary.

[FR Doc. E8–6952 Filed 4–2–08; 8:45 am]
BILLING CODE 6750–01–S
FEDERAL TRADE COMMISSION

[File No. 072 3055]

The TJX Companies, Inc.; Analysis of Proposed Consent Order to Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

SUMMARY: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices or unfair methods of competition. The attached Analysis to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

DATES: Comments must be received on or before April 28, 2008.

ADDRESSES: Interested parties are invited to submit written comments. Comments should refer to ‘‘TJX, File No. 072 3055,’’ to facilitate the organization of comments. A comment filed in paper form should include this reference both in the text and on the envelope, and should be mailed or delivered to the following address: Federal Trade Commission/Office of the Secretary, Room 135–H, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. Comments containing confidential material must be filed in paper form, must be clearly labeled ‘‘Confidential,’’ and must comply with Commission Rule 4.9(c). 16 CFR 4.9(c) (2005).1 The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions. Comments that do not contain any nonpublic information may instead be filed in electronic form by following the instructions on the web-based form at https://secure.commentworks.com/ftc-TJX. To ensure that the Commission considers an electronic comment, you must file it on that web-based form.

The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC website, to the extent practicable, at www.ftc.gov. As a matter of discretion, the FTC makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC website. More information, including routine uses permitted by the Privacy Act, may be found in the FTC’s privacy policy, at https://www.ftc.gov/ftc/privacy.shtm.

FOR FURTHER INFORMATION CONTACT: Alain Sheer or Molly Crawford, FTC Bureau of Consumer Protection, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580, (202) 326–2252.

1 The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission’s General Counsel, consistent with applicable law and the public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).
Agencies
[Federal Register Volume 73, Number 65 (Thursday, April 3, 2008)]
[Notices]
[Pages 18279-18281]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-6952]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 052 3094]
Reed Elsevier Inc. and Seisint, Inc.; Analysis of Proposed
Consent Order to Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order--embodied in the consent
agreement--that would settle these allegations.
DATES: Comments must be received on or before April 28, 2008.
ADDRESSES: Interested parties are invited to submit written comments.
Comments should refer to ``Reed Elsevier and Seisint, File No. 052
3094,'' to facilitate the organization of comments. A comment filed in
paper form should include this reference both in the text and on the
envelope, and should be mailed or delivered to the following address:
Federal Trade Commission/Office of the Secretary, Room 135-H, 600
Pennsylvania Avenue, N.W., Washington, D.C. 20580. Comments containing
confidential material must be filed in paper form, must be clearly
labeled ``Confidential,'' and must comply with Commission Rule 4.9(c).
16 CFR 4.9(c) (2005).\1\ The FTC is requesting that any comment filed
in paper form be sent by courier or overnight service, if possible,
because U.S. postal mail in the Washington area and at the Commission
is subject to delay due to heightened security precautions. Comments
that do not contain any nonpublic information may instead be filed in
electronic form by following the instructions on the web-based form at
https://secure.commentworks.com/ftc-ReedElsevierSeisint. To ensure that
the Commission considers an electronic comment, you must file it on
that web-based form.
---------------------------------------------------------------------------
\1\ The comment must be accompanied by an explicit request for
confidential treatment, including the factual and legal basis for
the request, and must identify the specific portions of the comment
to be withheld from the public record. The request will be granted
or denied by the Commission's General Counsel, consistent with
applicable law and the public interest. See Commission Rule 4.9(c),
16 CFR 4.9(c).
---------------------------------------------------------------------------
The FTC Act and other laws the Commission administers permit the
collection of public comments to consider and use in this proceeding as
appropriate. All timely and responsive public comments, whether filed
in paper or electronic form, will be considered by the Commission, and
will be available to the public on the FTC website, to the extent
practicable, at www.ftc.gov. As a matter of discretion, the FTC makes
every effort to remove home contact information for
[[Page 18280]]
individuals from the public comments it receives before placing those
comments on the FTC website. More information, including routine uses
permitted by the Privacy Act, may be found in the FTC's privacy policy,
---------------------------------------------------------------------------
at https://www.ftc.gov/ftc/privacy.shtm.
FOR FURTHER INFORMATION CONTACT: Alain Sheer, FTC Bureau of Consumer
Protection, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580, (202)
326-2252.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 of
the Commission Rules of Practice, 16 CFR 2.34, notice is hereby given
that the above-captioned consent agreement containing a consent order
to cease and desist, having been filed with and accepted, subject to
final approval, by the Commission, has been placed on the public record
for a period of thirty (30) days. The following Analysis to Aid Public
Comment describes the terms of the consent agreement, and the
allegations in the complaint. An electronic copy of the full text of
the consent agreement package can be obtained from the FTC Home Page
(for March 27, 2008), on the World Wide Web, at https://www.ftc.gov/os/
2008/03/index.htm. A paper copy can be obtained from the FTC Public
Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW, Washington,
D.C. 20580, either in person or by calling (202) 326-2222.
Public comments are invited, and may be filed with the Commission
in either paper or electronic form. All comments should be filed as
prescribed in the ADDRESSES section above, and must be received on or
before the date specified in the DATES section.
Analysis of Agreement Containing Consent Order to Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, a consent agreement from Reed Elsevier Inc. (``REI'') and
Seisint, Inc. (``Seisint'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
The Commission's proposed complaint alleges that REI (through its
LexisNexis division) and Seisint are data brokers. REI acquired Seisint
on September 1, 2004 and has continued to operate Seisint under the
Seisint name; REI also uses Seisint's technologies and facilities in
REI's LexisNexis data broker business. In connection with Seisint's
business, proposed respondents collect, and store in electronic
databases, information about millions of consumers, including names,
current and prior addresses, dates of birth, driver's license numbers,
and Social Security numbers (``SSNs''). They also sell products
customers use to retrieve information from the databases, including
products to locate assets and people, authenticate identities, and
verify credentials. Until at least mid-2005, access to information in
Seisint databases was controlled using only user IDs and passwords
(``credentials''). Seisint customers include insurance companies, debt
collectors, employers, landlords, law firms, and law enforcement and
other government agencies.
The complaint further alleges that REI and Seisint engaged in a
number of practices that, taken together, failed to provide reasonable
and appropriate security for sensitive consumer information stored in
Seisint databases. In particular, they: (1) failed to make credentials
hard to guess; (2) failed to require periodic changes of credentials
(such as every 90 days, for customers with access to sensitive consumer
information); (3) failed to suspend credentials after a certain number
of unsuccessful log-in attempts; (4) allowed customers to store their
credentials in a vulnerable format in cookies on their computers; (5)
failed to require customers to encrypt or otherwise protect
credentials, search queries, and/or search results in transit between
customer computers and Seisint websites; (6) allowed customers to
create new credentials without confirming that the new credentials were
created by customers rather than identity thieves; (7) permitted users
to share credentials; (8) did not adequately assess the vulnerability
of Seisint's web application and computer network to commonly known or
reasonably foreseeable attacks, such as ``Cross-Site Scripting``
attacks; and (9) did not implement simple, low-cost, and readily
available defenses to such attacks. As a result, an attacker could
easily guess or intercept the user credentials of legitimate customers
and use them to access sensitive information--including SSNs--about
millions of consumers.
The complaint alleges that on multiple occasions since January
2003, identity thieves exploited these vulnerabilities to obtain the
credentials of legitimate Seisint customers. The thieves then used the
credentials to make thousands of unauthorized searches for consumer
information in Seisint databases. These breaches disclosed sensitive
information about more than 300,000 consumers, including, in many
instances, names, current and prior addresses, dates of birth, and
SSNs. In some instances, the thieves opened new credit accounts in the
names of consumers whose information was disclosed and made purchases
on the new accounts. In other instances, they used the information to
activate newly-issued credit cards stolen from legitimate cardholders
and then made fraudulent purchases on the cards. Although some of these
breaches occurred before REI acquired Seisint on September 1, 2004,
they continued for at least 9 months after the acquisition, during
which time Seisint was under REI's control.
The proposed order applies to nonpublic information sold by Seisint
and LexisNexis, as well as by any other business within REI to the
extent that the business sells products that include an SSN, driver's
license number; date of birth; or bank, credit card, or other financial
account number or information. The order also contains provisions
designed to prevent respondents from engaging in the future in
practices similar to those alleged in the complaint.
Part I of the proposed order requires each respondent to establish
and maintain a comprehensive information security program that is
reasonably designed to protect the security, confidentiality, and
integrity of nonpublic personal information collected from or about
consumers. The security programs must contain administrative,
technical, and physical safeguards appropriate to the respondent's size
and complexity, the nature and scope of its activities, and the
sensitivity of the personal information collected from or about
consumers. Specifically, the order requires each respondent to:
Designate an employee or employees to coordinate and be
accountable for the information security program.
Identify material internal and external risks to the
security, confidentiality, and integrity of customer information that
could result in the unauthorized disclosure, misuse, loss, alteration,
destruction, or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks.
Design and implement reasonable safeguards to control the
risks identified through risk assessment, and regularly
test or monitor the effectiveness of the safeguards' key controls,
systems, and procedures.
Develop and use reasonable steps to select and retain
service providers capable of appropriately safeguarding personal
information they receive from the respondent, and require service
providers by contract to implement and maintain appropriate safeguards.
Evaluate and adjust its information security programs in
light of the results of testing and monitoring, any material changes to
operations or business arrangements, or any other circumstances that it
knows or has reason to know may have a material impact on its information
security program.
Part II of the proposed order requires each respondent to obtain
within 180 days, and on a biennial basis thereafter for a period of
twenty (20) years, an assessment and report from a qualified,
objective, independent third-party professional, certifying, among
other things, that: (1) it has in place a security program that
provides protections that meet or exceed the protections required by
Part I of the proposed order; and (2) its security program is operating
with sufficient effectiveness to provide reasonable assurance that the
security, confidentiality, and integrity of consumers' personal
information has been protected.
Parts III through VII of the proposed order are reporting and
compliance provisions. Part III requires respondents to retain
documents relating to their compliance with the order. For most
records, the order requires that the documents be retained for a five-
year period. For the third-party assessments and supporting documents,
respondents must retain the documents for a period of three years after
the date that each assessment is prepared. Part IV requires
dissemination of the order now and in the future to persons with
responsibilities relating to the subject matter of the order. Part V
ensures notification to the FTC of changes in corporate status. Part VI
mandates that each respondent submit a compliance report to the FTC
within 180 days, and periodically thereafter as requested. Part VII is
a provision ``sunsetting'' the order after twenty (20) years, with
certain exceptions.
This is the Commission's nineteenth case to challenge the failure
by a company to implement reasonable information security practices.
Each of the Commission's cases to date has alleged that a number of
security practices, taken together, failed to provide reasonable and
appropriate security to prevent unauthorized access to consumers'
information. The practices challenged in the cases have included, but
are not limited to: (1) creating unnecessary risks to sensitive
information by storing it on computer networks without a business need
to do so; (2) storing sensitive information on networks in a vulnerable
format; (3) failing to use readily available security measures to limit
access to a computer network through wireless access points on the
network; (4) failing to adequately assess the vulnerability of a web
application and computer network to commonly known or reasonably
foreseeable attacks; (5) failing to implement simple, low-cost, and
readily available defenses to such attacks; and (6) failing to use
readily available security measures to limit access between computers
on a network and between such computers and the Internet. This proposed
action against REI and Seisint is the first to challenge alleged
security failures involving the security of passwords. Passwords are a
critical part of a reasonable and appropriate security program because
passwords are typically the first (and are often the only) method used
to authenticate (or authorize) users to access resources, such as
programs and databases, available on a computer network or online.
The purpose of this analysis is to facilitate public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed order or to modify its terms in any way.
By direction of the Commission.
Donald S. Clark
Secretary
[FR Doc. E8-6952 Filed 4-2-08; 8:45 am]
[BILLING CODE 6750-01-S]