

[Federal Register Volume 76, Number 90 (Tuesday, May 10, 2011)]
[Notices]
[Pages 27056-27058]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-11182]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 102 3076]


Lookout Services, Inc.; Analysis of Proposed Consent Order To Aid 
Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices or unfair methods of competition. The attached Analysis to 
Aid Public Comment describes both the allegations in the draft 
complaint and the terms of the consent order--embodied in the consent 
agreement--that would settle these allegations.

DATES: Comments must be received on or before June 2, 2011.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Lookout Services, File 
No. 102 3076'' on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/lookout, by following the instructions 
on the Web-based form. If you prefer to file your comment on paper, 
mail or deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, Room H-113 (Annex D), 600 
Pennsylvania Avenue, NW., Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Kandi Parsons (202-326-2369) or 
Kristin Cohen (202-326-2276), FTC, Bureau of Consumer Protection, 600 
Pennsylvania Avenue, NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal 
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 of the 
Commission Rules of Practice, 16 CFR 2.34, notice is hereby given that 
the above-captioned consent agreement containing a consent order to 
cease and desist, having been filed with and accepted, subject to final 
approval, by the Commission, has been placed on the public record for a 
period of thirty (30) days. The following Analysis to Aid Public 
Comment describes the terms of the consent agreement, and the 
allegations in the complaint. An electronic copy of the full text of 
the consent agreement package can be obtained from the FTC Home Page 
(for May 3, 2011), on the World Wide Web, at https://www.ftc.gov/os/actions.shtm. A paper copy can be obtained from the FTC Public 
Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW., Washington, 
DC 20580, either in person or by calling (202) 326-2222.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before June 2, 2011. 
Write ``Lookout Services, File No. 102 3076'' on your comment. Your 
comment--including your name and your state--will be placed on the 
public record of this proceeding, including, to the extent practicable, 
on the public Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to 
remove individuals' home contact information from comments before 
placing them on the Commission Web site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment doesn't include any 
sensitive personal information, like anyone's Social Security number, 
date of birth, driver's license number or other state identification 
number or foreign country equivalent, passport number, financial 
account number, or credit or debit card number. You are also solely 
responsible for making sure that your comment doesn't include any 
sensitive health information, like medical records or other 
individually identifiable health information. In addition, don't 
include any ``[t]rade secret or any commercial or financial information 
which is obtained from any person and which is privileged or 
confidential,'' as provided in Section 6(f) of the FTC Act, 15 U.S.C. 
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, don't 
include competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c), 16 CFR

[[Page 27057]]

4.9(c).\1\ Your comment will be kept confidential only if the FTC 
General Counsel, in his or her sole discretion, grants your request in 
accordance with the law and the public interest.
---------------------------------------------------------------------------

    \1\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/lookout, by following the instructions on the web-based form. If 
this Notice appears at https://www.regulations.gov/#!home, you also may 
file a comment through that Web site.
    If you file your comment on paper, write ``Lookout Services, File 
No. 102 3076'' on your comment and on the envelope, and mail or deliver 
it to the following address: Federal Trade Commission, Office of the 
Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, NW., 
Washington, DC 20580. If possible, submit your paper comment to the 
Commission by courier or overnight service.
    Visit the Commission Web site at https://www.ftc.gov to read this 
Notice and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before June 2, 2011. You can find more information, 
including routine uses permitted by the Privacy Act, in the 
Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.

Analysis of Agreement Containing Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, a consent order applicable to Lookout Services, Inc.
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission will again review the 
agreement and the comments received, and will decide whether it should 
withdraw from the agreement and take appropriate action or make final 
the agreement's proposed order.
    The Commission's complaint alleges that Lookout sells a web-based 
computer product known as the I-9 Solution. This product is designed to 
help employers comply with their obligations under federal law to 
complete and maintain a U.S. Citizenship and Immigration Services Form 
I-9 about each employee in order to verify that the employee is 
eligible to work in the United States. The complaint alleges that the 
I-9 Solution routinely collects and stores information about Lookout's 
customers' employees, including, but not limited to: Names; addresses; 
dates of birth; Social Security numbers; passport numbers; alien 
registration numbers; driver's license numbers; and military 
identification numbers. This highly sensitive information is maintained 
in Lookout's database (the ``I-9 database''). The misuse of such 
information--particularly Social Security numbers, which do not 
expire--can facilitate identity theft, including existing and new 
account fraud, and related consumer harms.
    The complaint alleges that, since at least 2006, Lookout engaged in 
a number of practices that, taken together, failed to provide 
reasonable and appropriate security for the personal information it 
collected and maintained. The challenged practices are fundamental 
security failures, most of which have been challenged in prior FTC data 
security cases. Among other things, Lookout:
    a. Failed to implement reasonable policies and procedures for the 
security of sensitive consumer information it collected and maintained;
    b. Failed to establish or enforce rules sufficient to make user 
credentials (i.e., user ID and password) hard to guess;
    c. Failed to require periodic changes of user credentials, such as 
every 90 days, for customers and employees with access to sensitive 
personal information;
    d. Failed to suspend user credentials after a certain number of 
unsuccessful login attempts;
    e. Did not adequately assess and address the vulnerability of its 
Web application to widely-known security flaws, such as ``predictable 
resource location,'' which enables users to easily predict patterns and 
manipulate the uniform resource locators (``URL'') to gain access to 
secure Web pages;
    f. Allowed users to bypass the authentication procedures on 
Lookout's Web site when they typed in a specific URL;
    g. Failed to employ sufficient measures to detect and prevent 
unauthorized access to computer networks, such as by employing an 
intrusion detection system and monitoring system logs; and
    h. Created an unnecessary risk to personal information by storing 
passwords used to access the I-9 database in clear text.

Each of these failures could have been remedied using well-known, 
readily available, and/or free or low-cost data security measures.
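Items b, d, e, f, g and h above are concrete enough to show in code. The following is an added illustration, not Lookout's code and not anything taken from the complaint or the order: a deliberately vulnerable handler that mirrors the alleged practices (clear-text passwords, no lockout, any record served to whoever types its URL) beside a hardened one that enforces a password rule, suspends a credential after repeated failures, stores only a salted hash, requires a session on every path, checks record ownership, and emits audit events that a simple monitor can scan. The user names, employer names, record ids, URL layout, IP addresses and I-9 records are constructed for illustration, and PBKDF2-HMAC-SHA256 from the Python standard library is this example's hashing choice; the notice names no particular algorithm.

```python
"""Added illustration (not Lookout's code): the credential and access-control
failures alleged in items b, d, e, f, g and h, as a deliberately vulnerable
handler beside a hardened one.  Users, paths, IPs and records are constructed."""
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Constructed sample I-9 records.  Sequential ids make the URL pattern
# predictable (item e); "employer" is the attribute authorization must check.
RECORDS = {
    1001: {"employer": "acme", "name": "A. Worker", "ssn": "***-**-0001"},
    1002: {"employer": "acme", "name": "B. Worker", "ssn": "***-**-0002"},
    1003: {"employer": "globex", "name": "C. Worker", "ssn": "***-**-0003"},
}
RECORD_PATH = re.compile(r"^/i9/records/(\d+)$")   # hypothetical URL layout
MAX_FAILURES = 5        # item d: suspend the credential after this many misses
MIN_PASSWORD_LEN = 12   # item b: one minimum rule for "hard to guess"


def password_meets_policy(password):
    """Item b: reject short or trivially guessable passwords."""
    weak = {"password", "password1", "welcome1", "changeme"}
    return len(password) >= MIN_PASSWORD_LEN and password.lower() not in weak


def hash_password(password, salt=None):
    """Item h: salted PBKDF2-HMAC-SHA256 instead of clear text (stdlib choice)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class VulnerableApp:
    """Mirrors the alleged practices: clear-text passwords, no lockout, and any
    record served to whoever types its URL (items e, f, h)."""

    def __init__(self):
        self.passwords = {}            # user -> clear-text password

    def register(self, user, employer, password):
        self.passwords[user] = password

    def login(self, user, password):
        return self.passwords.get(user) == password

    def handle(self, session_user, path):
        m = RECORD_PATH.match(path)    # no authentication, no ownership check
        return RECORDS.get(int(m.group(1))) if m else None


class HardenedApp:
    def __init__(self):
        self.users = {}                # user -> (employer, salt, digest)
        self.failures = defaultdict(int)
        self.audit = []                # item g: events for log monitoring

    def register(self, user, employer, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.users[user] = (employer, salt, digest)

    def login(self, user, password, source_ip="0.0.0.0"):
        if self.failures[user] >= MAX_FAILURES:           # item d: locked out
            self.audit.append(("locked", user, source_ip))
            return False
        ok = False
        if user in self.users:
            _, salt, digest = self.users[user]
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        self.failures[user] = 0 if ok else self.failures[user] + 1
        self.audit.append(("login_ok" if ok else "login_fail", user, source_ip))
        return ok

    def handle(self, session_user, path):
        if session_user not in self.users:                # item f: every path
            self.audit.append(("denied_unauthenticated", session_user, path))
            return None
        m = RECORD_PATH.match(path)
        if not m:
            return None
        record = RECORDS.get(int(m.group(1)))
        employer = self.users[session_user][0]
        if record is None or record["employer"] != employer:   # item e
            self.audit.append(("denied_forbidden", session_user, path))
            return None
        return record


def suspicious_sources(audit, threshold=3):
    """Item g: source IPs with repeated failed logins in the audit events."""
    counts = defaultdict(int)
    for event, _user, source in audit:
        if event == "login_fail":
            counts[source] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Two caveats a practitioner would raise. The lockout in `HardenedApp.login` is keyed on the user name, which stops password guessing but also lets anyone lock a victim out by sending five bad attempts; a deployed system pairs it with per-source rate limiting and uses the same audit stream that `suspicious_sources` scans. And the ownership check in `handle` is what actually closes the predictable-URL hole: hiding ids or requiring a login alone would still let one customer's employee read another customer's records by incrementing the number in the path.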

    The complaint further alleges that, as a result of these failures, 
an employee of a Lookout customer was able to obtain unauthorized 
access to Lookout's I-9 database on two separate occasions between 
October and December 2009. In both instances, the employee gained 
unauthorized access to the personal information, including Social 
Security numbers, of more than 37,000 consumers. Given the sensitive 
nature of the personal information exposed, the company's failure to 
provide reasonable and appropriate security for this information is 
likely to cause consumers substantial injury as described above. That 
substantial injury is not offset by countervailing benefits to 
consumers or competition and is not reasonably avoidable by consumers. 
The complaint alleges that Lookout's failure to employ reasonable and 
appropriate measures to prevent unauthorized access to sensitive 
personal information is an unfair act or practice and that the company 
misrepresented that it had implemented such measures, in violation of 
Section 5 of the Federal Trade Commission Act.
    The proposed order applies to personal information that Lookout 
collects from or about consumers and employees. It contains provisions 
designed to prevent Lookout from engaging in the future in practices 
similar to those alleged in the complaint.
    Part I of the proposed order prohibits misrepresentations about the 
privacy, confidentiality, or integrity of personal information 
collected from or about consumers. Part II of the proposed order 
requires Lookout to establish and maintain a comprehensive information 
security program that is reasonably designed to protect the security, 
confidentiality, and integrity of personal information collected from 
or about consumers. The security program must contain administrative, 
technical, and physical safeguards appropriate to Lookout's size and 
complexity, the nature and scope of its activities, and the sensitivity 
of the information collected from or about consumers and employees. 
Specifically, the proposed order requires Lookout to:


    • Designate an employee or employees to coordinate and be 
accountable for the information security program;
    • Identify material internal and external risks to the 
security, confidentiality, and integrity of personal information that 
could result in the unauthorized disclosure, misuse, loss, alteration, 
destruction, or other compromise of such information, and assess the 
sufficiency of any safeguards in place to control these risks;
    • Design and implement reasonable safeguards to control the 
risks identified through risk assessment, and regularly test or monitor 
the effectiveness of the safeguards' key controls, systems, and 
procedures;
    • Develop and use reasonable steps to select and retain 
service providers capable of appropriately safeguarding personal 
information they receive from Lookout, and require service providers by 
contract to implement and maintain appropriate safeguards; and
    • Evaluate and adjust its information security programs in 
light of the results of testing and monitoring, any material changes to 
operations or business arrangements, or any other circumstances that it 
knows or has reason to know may have a material impact on its 
information security program.
    Part III of the proposed order requires Lookout to obtain within 
the first one hundred eighty (180) days after service of the order, and 
on a biennial basis thereafter for a period of twenty (20) years, an 
assessment and report from a qualified, objective, independent third-
party professional, certifying, among other things, that: (1) It has in 
place a security program that provides protections that meet or exceed 
the protections required by Part II of the proposed order; and (2) its 
security program is operating with sufficient effectiveness to provide 
reasonable assurance that the security, confidentiality, and integrity 
of sensitive consumer, employee, and job applicant information has been 
protected.
    Parts IV through VIII of the proposed order are reporting and 
compliance provisions. Part IV requires Lookout to retain documents 
relating to its compliance with the order. For most records, the order 
requires that the documents be retained for a five-year period. For the 
third-party assessments and supporting documents, Lookout must retain 
the documents for a period of three years after the date that each 
assessment is prepared. Part V requires dissemination of the order now 
and in the future to all current and future subsidiaries, current and 
future principals, officers, directors, and managers, and to persons 
with responsibilities relating to the subject matter of the order. Part 
VI ensures notification to the FTC of changes in corporate status.
    Part VII mandates that Lookout submit a compliance report to the 
FTC within 60 days, and periodically thereafter as requested. Part VIII 
is a provision ``sunsetting'' the order after twenty (20) years, with 
certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the proposed order or to modify its terms in any way.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2011-11182 Filed 5-9-11; 8:45 am]
BILLING CODE 6750-01-P