TaxSlayer, LLC; Analysis To Aid Public Comment, 41959-41961 [2017-18706]

FEDERAL TRADE COMMISSION

[File No. 162 3063]

TaxSlayer, LLC; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

SUMMARY: The consent agreement in this matter settles alleged violations of the Gramm-Leach-Bliley Act Privacy Rule, and of the Gramm-Leach-Bliley Act Safeguards Rule. The attached Analysis To Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

DATES: Comments must be received on or before September 29, 2017.

ADDRESSES: Interested parties may file a comment online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write: ‘‘In the Matter of TaxSlayer, LLC, File No. 1623063’’ on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/taxslayerconsent by following the instructions on the web-based form. If you prefer to file your comment on paper, write ‘‘In the Matter of TaxSlayer, LLC, File No. 1623063’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Katherine McCarron (202–326–2333) and Jacqueline Connor (202–326–2844), Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis To Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for August 29, 2017), on the World Wide Web, at https://www.ftc.gov/news-events/commission-actions.

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before September 29, 2017. Write ‘‘In the Matter of TaxSlayer, LLC, File No. 1623063’’ on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at https://www.ftc.gov/policy/public-comments.

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/taxslayerconsent by following the instructions on the web-based form. If this Notice appears at http://www.regulations.gov/#!home, you also may file a comment through that Web site.

If you prefer to file your comment on paper, write ‘‘In the Matter of TaxSlayer, LLC, File No. 1623063’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

Because your comment will be placed on the publicly accessible FTC Web site at https://www.ftc.gov, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any ‘‘trade secret or any commercial or financial information which . . . is privileged or confidential’’—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled ‘‘Confidential,’’ and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the public FTC Web site—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from the FTC Web site, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.

Visit the FTC Web site at http://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before September 29, 2017. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Agreement Containing Consent Order To Aid Public Comment

The Federal Trade Commission has accepted, subject to final approval, an agreement containing a consent order from TaxSlayer, LLC (‘‘TaxSlayer’’).

The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission again will review the agreement and the comments received and will decide whether it should withdraw from the agreement or make final the agreement’s proposed order.

This matter involves TaxSlayer, a company that advertises, offers for sale, sells, and distributes products and services to consumers, including TaxSlayer Online, a browser-based tax return preparation and electronic filing software and service. TaxSlayer Online assists consumers, typically for a fee, in preparing and electronically filing federal and state income tax returns. In 2016, more than 950,000 individuals filed tax returns using TaxSlayer Online.

TaxSlayer Online users create an account by entering a username and password (‘‘login credentials’’) on an account creation page. They then input a host of personal information in order to create a tax return, including but not limited to: Name, Social Security number (‘‘SSN’’), telephone number, physical address, income, employment status, marital status, identity of dependents, financial assets, financial activities, receipt of government benefits, home ownership, indebtedness, health insurance, retirement information, charitable donations, tax payments, tax refunds, bank account numbers, and payment card numbers.

TaxSlayer Online uses this personal information to prepare tax returns on behalf of customers. Once a tax return is prepared, a customer can file the return electronically through TaxSlayer Online with the Internal Revenue Service (‘‘IRS’’) and state departments of revenue. If a customer is entitled to a refund, TaxSlayer offers the option of directing the refund into a customer’s bank account, or customers may elect to receive their refunds on a prepaid debit card.

The complaint alleges that TaxSlayer became subject to a list validation attack that began in October 2015. List validation attacks occur when attackers use lists of stolen login credentials to attempt to access accounts across a number of Web sites, knowing that consumers often reuse login credentials. In an unknown number of instances, the attackers engaged in tax identity theft by e-filing fraudulent tax returns and diverting the fabricated refunds to themselves.

The Commission’s complaint alleges that TaxSlayer failed to comply with the Gramm-Leach-Bliley (‘‘GLB’’) Act Privacy Rule in two ways. First, TaxSlayer failed to provide a clear and conspicuous initial privacy notice. TaxSlayer’s Privacy Policy was contained towards the end of a long License Agreement, and TaxSlayer did not convey the importance, nature, and relevance of this Privacy Policy to its customers. Second, TaxSlayer failed to deliver the initial privacy notice so that each customer could reasonably be expected to receive actual notice. For example, TaxSlayer did not require customers to acknowledge receipt of the initial privacy notice as a necessary step to obtaining a particular financial product or service.

In addition, the complaint alleges that TaxSlayer engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive information from consumers, in violation of the GLB Act Safeguards Rule. First, TaxSlayer failed to have a written information security program until November 2015. Second, TaxSlayer failed to conduct a risk assessment, which would have identified reasonably foreseeable risks to the security, confidentiality, and integrity of customer information, including risks associated with inadequate authentication. Third, TaxSlayer failed to implement information safeguards to control the risks to customer information from inadequate authentication.

The proposed order contains provisions designed to prevent TaxSlayer from engaging in practices similar to those alleged in the complaint.

Part I prohibits TaxSlayer from violating any provision of the GLB Act Privacy Rule and Safeguards Rule. Part II of the proposed order requires TaxSlayer to obtain, within the first one hundred eighty (180) days after service of the order and on a biennial basis thereafter for a period of ten (10) years, an assessment and report from a qualified, objective, independent third-party professional, certifying, among other things, that: (1) It has in place a security program that provides protections that meet or exceed the protections required by Part I.B of the order, and (2) its security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of sensitive consumer information has been protected.

Parts III through VII of the proposed order are reporting and compliance provisions. Part III requires dissemination of the order now and in the future to all current and future principals, offers, directors, and LLC managers and directors, and to persons with managerial or supervisory responsibilities relating to Parts I through IV of the order. Part IV ensures notification to the FTC of changes in corporate status and mandates that TaxSlayer submit an initial compliance report to the FTC. Part V requires TaxSlayer to retain documents relating to its compliance with the order for a five-year period. Part VI mandates that TaxSlayer make available to the FTC information or subsequent compliance reports, as requested. Part VII is a provision ‘‘sunsetting’’ the order after twenty (20) years, with certain exceptions.

The purpose of this analysis is to facilitate public comment on the proposed order. It is not intended to constitute an official interpretation of the proposed complaint or order, or to modify in any way the proposed order’s terms.

By direction of the Commission.

Donald S. Clark, Secretary.

[FR Doc.
2017–18706 Filed 9–1–17; 8:45 am] BILLING CODE 6750–01–P


[Federal Register Volume 82, Number 170 (Tuesday, September 5, 2017)]
[Notices]
[Pages 41959-41961]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-18706]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 162 3063]


TaxSlayer, LLC; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of the Gramm-Leach-Bliley Act Privacy Rule, and of the 
Gramm-Leach-Bliley Act Safeguards Rule. The attached Analysis To Aid 
Public Comment describes both the allegations in the complaint and the 
terms of the consent order--embodied in the consent agreement--that 
would settle these allegations.

DATES: Comments must be received on or before September 29, 2017.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write: ``In the Matter of 
TaxSlayer, LLC, File No. 1623063'' on your comment, and file your 
comment online at https://ftcpublic.commentworks.com/ftc/taxslayerconsent by following the instructions on the web-based form. 
If you prefer to file your comment on paper, write ``In the Matter of 
TaxSlayer, LLC, File No. 1623063'' on your comment and on the envelope, 
and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite 
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Katherine McCarron (202-326-2333) and 
Jacqueline Connor (202-326-2844), Bureau of Consumer Protection, 600 
Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis To Aid Public Comment describes the terms of the 
consent agreement, and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC Home Page (for August 29, 2017), on the World Wide Web, at 
https://www.ftc.gov/news-events/commission-actions.

[[Page 41960]]

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before September 29, 
2017. Write ``In the Matter of TaxSlayer, LLC, File No. 1623063'' on 
your comment. Your comment--including your name and your state--will be 
placed on the public record of this proceeding, including, to the 
extent practicable, on the public Commission Web site, at https://www.ftc.gov/policy/public-comments.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/taxslayerconsent by following the instructions on the web-based 
form. If this Notice appears at http://www.regulations.gov/#!home, you 
also may file a comment through that Web site.
    If you prefer to file your comment on paper, write ``In the Matter 
of TaxSlayer, LLC, File No. 1623063'' on your comment and on the 
envelope, and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite 
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024. If possible, submit your paper comment to 
the Commission by courier or overnight service.
    Because your comment will be placed on the publicly accessible FTC 
Web site at https://www.ftc.gov, you are solely responsible for making 
sure that your comment does not include any sensitive or confidential 
information. In particular, your comment should not include any 
sensitive personal information, such as your or anyone else's Social 
Security number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure that your comment does not include 
any sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the public FTC Web site--as legally required by FTC Rule 
4.9(b)--we cannot redact or remove your comment from the FTC Web site, 
unless you submit a confidentiality request that meets the requirements 
for such treatment under FTC Rule 4.9(c), and the General Counsel 
grants that request.
    Visit the FTC Web site at http://www.ftc.gov to read this Notice 
and the news release describing it. The FTC Act and other laws that the 
Commission administers permit the collection of public comments to 
consider and use in this proceeding, as appropriate. The Commission 
will consider all timely and responsive public comments that it 
receives on or before September 29, 2017. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Agreement Containing Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, an agreement containing a consent order from TaxSlayer, LLC 
(``TaxSlayer'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission again will review the 
agreement and the comments received and will decide whether it should 
withdraw from the agreement or make final the agreement's proposed 
order.
    This matter involves TaxSlayer, a company that advertises, offers 
for sale, sells, and distributes products and services to consumers, 
including TaxSlayer Online, a browser-based tax return preparation and 
electronic filing software and service. TaxSlayer Online assists 
consumers, typically for a fee, in preparing and electronically filing 
federal and state income tax returns. In 2016, more than 950,000 
individuals filed tax returns using TaxSlayer Online.
    TaxSlayer Online users create an account by entering a username and 
password (``login credentials'') on an account creation page. They then 
input a host of personal information in order to create a tax return, 
including but not limited to: Name, Social Security number (``SSN''), 
telephone number, physical address, income, employment status, marital 
status, identity of dependents, financial assets, financial activities, 
receipt of government benefits, home ownership, indebtedness, health 
insurance, retirement information, charitable donations, tax payments, 
tax refunds, bank account numbers, and payment card numbers.
    TaxSlayer Online uses this personal information to prepare tax 
returns on behalf of customers. Once a tax return is prepared, a 
customer can file the return electronically through TaxSlayer Online 
with the Internal Revenue Service (``IRS'') and state departments of 
revenue. If a customer is entitled to a refund, TaxSlayer offers the 
option of directing the refund into a customer's bank account, or 
customers may elect to receive their refunds on a prepaid debit card.
    The complaint alleges that TaxSlayer became subject to a list 
validation attack that began in October 2015. List validation attacks 
occur when attackers use lists of stolen login credentials to attempt 
to access accounts across a number of Web sites, knowing that consumers 
often reuse login credentials. In an unknown number of instances, the 
attackers engaged in tax identity theft by e-filing fraudulent tax 
returns and diverting the fabricated refunds to themselves.
    The Commission's complaint alleges that TaxSlayer failed to comply 
with the Gramm-Leach-Bliley (``GLB'') Act Privacy Rule in two ways. 
First, TaxSlayer failed to provide a clear and conspicuous initial 
privacy notice. TaxSlayer's Privacy Policy was contained towards the 
end of a long License Agreement, and TaxSlayer did not convey the 
importance, nature, and relevance of this Privacy Policy to its 
customers. Second, TaxSlayer failed to deliver the initial privacy 
notice so that each customer could reasonably be expected to receive 
actual notice. For example, TaxSlayer did not require customers to 
acknowledge receipt of the 
initial privacy notice as a necessary step to obtaining a particular 
financial product or service.
    In addition, the complaint alleges that TaxSlayer engaged in a 
number of practices that, taken together, failed to provide reasonable 
and appropriate security for sensitive information from consumers, in 
violation of the GLB Act Safeguards Rule. First, TaxSlayer failed to 
have a written information security program until November 2015. 
Second, TaxSlayer failed to conduct a risk assessment, which would have 
identified reasonably foreseeable risks to the security, 
confidentiality, and integrity of customer information, including risks 
associated with inadequate authentication. Third, TaxSlayer failed to 
implement information safeguards to control the risks to customer 
information from inadequate authentication.
    The proposed order contains provisions designed to prevent 
TaxSlayer from engaging in practices similar to those alleged in the 
complaint. Part I prohibits TaxSlayer from violating any provision of 
the GLB Act Privacy Rule and Safeguards Rule. Part II of the proposed 
order requires TaxSlayer to obtain, within the first one hundred eighty 
(180) days after service of the order and on a biennial basis 
thereafter for a period of ten (10) years, an assessment and report 
from a qualified, objective, independent third-party professional, 
certifying, among other things, that: (1) It has in place a security 
program that provides protections that meet or exceed the protections 
required by Part I.B of the order, and (2) its security program is 
operating with sufficient effectiveness to provide reasonable assurance 
that the security, confidentiality, and integrity of sensitive consumer 
information has been protected.
    Parts III through VII of the proposed order are reporting and 
compliance provisions. Part III requires dissemination of the order now 
and in the future to all current and future principals, officers, 
directors, and LLC managers and directors, and to persons with 
managerial or supervisory responsibilities relating to Parts I through 
IV of the order. Part IV ensures notification to the FTC of changes in 
corporate status and mandates that TaxSlayer submit an initial 
compliance report to the FTC. Part V requires TaxSlayer to retain 
documents relating to its compliance with the order for a five-year 
period. Part VI mandates that TaxSlayer make available to the FTC 
information or subsequent compliance reports, as requested. Part VII is 
a provision ``sunsetting'' the order after twenty (20) years, with 
certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the proposed complaint or order, or to modify in any 
way the proposed order's terms.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2017-18706 Filed 9-1-17; 8:45 am]