TaxSlayer, LLC; Analysis To Aid Public Comment, 41959-41961 [2017-18706]
Federal Register / Vol. 82, No. 170 / Tuesday, September 5, 2017 / Notices
address the responsibilities and liabilities of
the participants, agent, and operator in cases
of operational disruption, or erroneous or
fraudulent conduct.
• Requests for joint accounts involving a
financially unsound operator would not be
approved. Evaluation may include, among
other things, reviewing financial statements
of the operator, as well as cash flow
projections (including capital and operating
expenses).
• Evaluation under this principle will take
into account the applicable supervisory
framework for the private-sector
arrangement.22 The payment system
established by a private-sector arrangement
(including the operator) should be subject to
federal or state supervision and should also
be subject to the jurisdiction of a federal
banking agency with the authority to
examine or inspect the private-sector
arrangement and take supervisory actions
against the arrangement or its participants.23
This means for a payment system established
by a private-sector arrangement and
supervised by a state regulatory body, a
federal banking agency need not be engaging
in active supervision or examination, but
should have the authority to do so when the
risk, scope, and operations call for such
supervision or examination. For example,
under the Bank Service Company Act, federal
banking agencies have the authority to
examine third-party service providers that
perform services for depository institutions
that the depository institution could
otherwise do itself.
• An evaluation under this principle
would assess whether the system is widely
available for use by its intended end users,
is designed to minimize the risk of disruption
(rejection or delay of payments) to end users,
and promotes transparency for end users and
the public more broadly (for example, by
making its operating rules, rulemaking
processes, list of participants, or certain
network statistics publicly available).
Evaluation under this guideline would also
assess whether the system creates
inefficiencies in payment processes or
barriers to interoperability within the U.S.
dollar payment system. Also of relevance is
whether the private-sector arrangement
promotes payment system improvements and
innovations and the extent to which the
arrangement fosters competition in the
payment system (for example between
providers of payment services).
• Finally, the design and rules of the
private-sector arrangement, including rules
relating to the funding of and disbursements
from the joint account, should be consistent
with the intended use of the account, such
that a participant can only use the balances
for the intended purpose of settling payments
in the associated system.
4. The provision of the joint account
should not create undue credit, settlement, or
other risks to the Reserve Banks.
• The agent and the joint account holders
should demonstrate an ongoing ability to
meet all obligations under the joint account
agreement with the account-holding Reserve
Bank.
• The manner in which the joint account
will be used in support of the private-sector
arrangement and any anticipated use of
Reserve Bank services should be identified.
• Reserve Banks will not extend overnight
or intraday credit to a joint account. The
private-sector arrangement should structure
its use of the joint account and Reserve Bank
services in a manner that seeks to avoid
intraday overdrafts. The agent also should
demonstrate ways to monitor the joint
account on an ongoing basis to avoid
overdrafts and to promptly cover any
inadvertent overdrafts.
• Further, the agent should demonstrate
the ability to appropriately monitor
transactions into and out of the joint account.
5. The provision of a joint account should
not create undue risk to the overall payment
system.
• The private-sector arrangement should
not cause undue credit, settlement, or other
risks to the efficient operation of other
payment systems or the payment system as
a whole.
• The operational and financial interaction
with and use of other payment systems
should be identified.
• The extent to which the use of the joint
account may restrict a portion of funds from
being available to support liquidity needs of
depository institutions for other payment and
settlement activity will also be considered.
6. The provision of a joint account should
not adversely affect monetary policy
operations.
• Evaluation of the potential monetary
policy implications of the use of a joint
account will include whether the balance in
the joint account would be treated as reserves
(that is, treated as available to satisfy any
joint account holder’s reserve balance
requirements or as excess reserves), the
expected predictability and volatility of the
end-of-day joint account balances, and the
potential for the account agreement with the
account-holding Reserve Bank to impose
limitations on account volatility without
affecting the intended function of the
arrangement. This evaluation will occur
regardless of the current monetary policy
implementation framework in place.
By order of the Board of Governors of the
Federal Reserve System, August 9, 2017.
Ann E. Misback,
Secretary of the Board.
[FR Doc. 2017–18705 Filed 9–1–17; 8:45 am]
BILLING CODE P
22 Nothing in the Board’s guidelines should be
interpreted to relieve any participant in the private-sector
arrangement from compliance with
obligations imposed by an institution’s supervisor,
including for example related to financial resources,
liquidity, participant default management, and
other aspects of risk management.
23 A federal banking agency would include the
Board; the Federal Deposit Insurance Corporation
(FDIC); and the Office of the Comptroller of the
Currency (OCC).
FEDERAL TRADE COMMISSION
[File No. 162 3063]
TaxSlayer, LLC; Analysis To Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement.
SUMMARY: The consent agreement in this
matter settles alleged violations of the
Gramm-Leach-Bliley Act Privacy Rule,
and of the Gramm-Leach-Bliley Act
Safeguards Rule. The attached Analysis
To Aid Public Comment describes both
the allegations in the complaint and the
terms of the consent order—embodied
in the consent agreement—that would
settle these allegations.
DATES: Comments must be received on
or before September 29, 2017.
ADDRESSES: Interested parties may file a
comment online or on paper, by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write: ‘‘In the Matter of
TaxSlayer, LLC, File No. 1623063’’ on
your comment, and file your comment
online at https://ftcpublic.commentworks.com/ftc/taxslayerconsent
by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, write ‘‘In the Matter of TaxSlayer,
LLC, File No. 1623063’’ on your
comment and on the envelope, and mail
your comment to the following address:
Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue
NW., Suite CC–5610 (Annex D),
Washington, DC 20580, or deliver your
comment to the following address:
Federal Trade Commission, Office of the
Secretary, Constitution Center, 400 7th
Street SW., 5th Floor, Suite 5610
(Annex D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT:
Katherine McCarron (202–326–2333)
and Jacqueline Connor (202–326–2844),
Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington,
DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to Section 6(f) of the Federal Trade
Commission Act, 15 U.S.C. 46(f), and
FTC Rule 2.34, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis To Aid Public Comment
describes the terms of the consent
agreement, and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
Home Page (for August 29, 2017), on the
World Wide Web, at
https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before September 29, 2017. Write ‘‘In
the Matter of TaxSlayer, LLC, File No.
1623063’’ on your comment. Your
comment—including your name and
your state—will be placed on the public
record of this proceeding, including, to
the extent practicable, on the public
Commission Web site, at
https://www.ftc.gov/policy/public-comments.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at
https://ftcpublic.commentworks.com/ftc/taxslayerconsent
by following the
instructions on the web-based form. If
this Notice appears at
https://www.regulations.gov/#!home, you also
may file a comment through that Web
site.
If you prefer to file your comment on
paper, write ‘‘In the Matter of TaxSlayer,
LLC, File No. 1623063’’ on your
comment and on the envelope, and mail
your comment to the following address:
Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue
NW., Suite CC–5610 (Annex D),
Washington, DC 20580, or deliver your
comment to the following address:
Federal Trade Commission, Office of the
Secretary, Constitution Center, 400 7th
Street SW., 5th Floor, Suite 5610
(Annex D), Washington, DC. 20024. If
possible, submit your paper comment to
the Commission by courier or overnight
service.
Because your comment will be placed
on the publicly accessible FTC Web site
at https://www.ftc.gov, you are solely
responsible for making sure that your
comment does not include any sensitive
or confidential information. In
particular, your comment should not
include any sensitive personal
information, such as your or anyone
else’s Social Security number; date of
birth; driver’s license number or other
state identification number, or foreign
country equivalent; passport number;
financial account number; or credit or
debit card number. You are also solely
responsible for making sure that your
comment does not include any sensitive
health information, such as medical
records or other individually
identifiable health information. In
addition, your comment should not
include any ‘‘trade secret or any
commercial or financial information
which . . . is privileged or
confidential’’—as provided by Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—
including in particular competitively
sensitive information such as costs,
sales statistics, inventories, formulas,
patterns, devices, manufacturing
processes, or customer names.
Comments containing material for
which confidential treatment is
requested must be filed in paper form,
must be clearly labeled ‘‘Confidential,’’
and must comply with FTC Rule 4.9(c).
In particular, the written request for
confidential treatment that accompanies
the comment must include the factual
and legal basis for the request, and must
identify the specific portions of the
comment to be withheld from the public
record. See FTC Rule 4.9(c). Your
comment will be kept confidential only
if the General Counsel grants your
request in accordance with the law and
the public interest. Once your comment
has been posted on the public FTC Web
site—as legally required by FTC Rule
4.9(b)—we cannot redact or remove
your comment from the FTC Web site,
unless you submit a confidentiality
request that meets the requirements for
such treatment under FTC Rule 4.9(c),
and the General Counsel grants that
request.
Visit the FTC Web site at
https://www.ftc.gov to read this Notice and the
news release describing it. The FTC Act
and other laws that the Commission
administers permit the collection of
public comments to consider and use in
this proceeding, as appropriate. The
Commission will consider all timely
and responsive public comments that it
receives on or before September 29,
2017. For information on the
Commission’s privacy policy, including
routine uses permitted by the Privacy
Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Agreement Containing
Consent Order To Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, an
agreement containing a consent order
from TaxSlayer, LLC (‘‘TaxSlayer’’).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission again will review the
agreement and the comments received
and will decide whether it should
withdraw from the agreement or make
final the agreement’s proposed order.
This matter involves TaxSlayer, a
company that advertises, offers for sale,
sells, and distributes products and
services to consumers, including
TaxSlayer Online, a browser-based tax
return preparation and electronic filing
software and service. TaxSlayer Online
assists consumers, typically for a fee, in
preparing and electronically filing
federal and state income tax returns. In
2016, more than 950,000 individuals
filed tax returns using TaxSlayer
Online.
TaxSlayer Online users create an
account by entering a username and
password (‘‘login credentials’’) on an
account creation page. They then input
a host of personal information in order
to create a tax return, including but not
limited to: Name, Social Security
number (‘‘SSN’’), telephone number,
physical address, income, employment
status, marital status, identity of
dependents, financial assets, financial
activities, receipt of government
benefits, home ownership,
indebtedness, health insurance,
retirement information, charitable
donations, tax payments, tax refunds,
bank account numbers, and payment
card numbers.
TaxSlayer Online uses this personal
information to prepare tax returns on
behalf of customers. Once a tax return
is prepared, a customer can file the
return electronically through TaxSlayer
Online with the Internal Revenue
Service (‘‘IRS’’) and state departments of
revenue. If a customer is entitled to a
refund, TaxSlayer offers the option of
directing the refund into a customer’s
bank account, or customers may elect to
receive their refunds on a prepaid debit
card.
The complaint alleges that TaxSlayer
became subject to a list validation attack
that began in October 2015. List
validation attacks occur when attackers
use lists of stolen login credentials to
attempt to access accounts across a
number of Web sites, knowing that
consumers often reuse login credentials.
In an unknown number of instances, the
attackers engaged in tax identity theft by
e-filing fraudulent tax returns and
diverting the fabricated refunds to
themselves.
The Commission’s complaint alleges
that TaxSlayer failed to comply with the
Gramm-Leach-Bliley (‘‘GLB’’) Act
Privacy Rule in two ways. First,
TaxSlayer failed to provide a clear and
conspicuous initial privacy notice.
TaxSlayer’s Privacy Policy was
contained towards the end of a long
License Agreement, and TaxSlayer did
not convey the importance, nature, and
relevance of this Privacy Policy to its
customers. Second, TaxSlayer failed to
deliver the initial privacy notice so that
each customer could reasonably be
expected to receive actual notice. For
example, TaxSlayer did not require
customers to acknowledge receipt of the
initial privacy notice as a necessary step
to obtaining a particular financial
product or service.
In addition, the complaint alleges that
TaxSlayer engaged in a number of
practices that, taken together, failed to
provide reasonable and appropriate
security for sensitive information from
consumers, in violation of the GLB Act
Safeguards Rule. First, TaxSlayer failed
to have a written information security
program until November 2015. Second,
TaxSlayer failed to conduct a risk
assessment, which would have
identified reasonably foreseeable risks
to the security, confidentiality, and
integrity of customer information,
including risks associated with
inadequate authentication. Third,
TaxSlayer failed to implement
information safeguards to control the
risks to customer information from
inadequate authentication.
The proposed order contains
provisions designed to prevent
TaxSlayer from engaging in practices
similar to those alleged in the
complaint. Part I prohibits TaxSlayer
from violating any provision of the GLB
Act Privacy Rule and Safeguards Rule.
Part II of the proposed order requires
TaxSlayer to obtain, within the first one
hundred eighty (180) days after service
of the order and on a biennial basis
thereafter for a period of ten (10) years,
an assessment and report from a
qualified, objective, independent third-party professional, certifying, among
other things, that: (1) It has in place a
security program that provides
protections that meet or exceed the
protections required by Part I.B of the
order, and (2) its security program is
operating with sufficient effectiveness to
provide reasonable assurance that the
security, confidentiality, and integrity of
sensitive consumer information has
been protected.
Parts III through VII of the proposed
order are reporting and compliance
provisions. Part III requires
dissemination of the order now and in
the future to all current and future
principals, officers, directors, and LLC
managers and directors, and to persons
with managerial or supervisory
responsibilities relating to Parts I
through IV of the order. Part IV ensures
notification to the FTC of changes in
corporate status and mandates that
TaxSlayer submit an initial compliance
report to the FTC. Part V requires
TaxSlayer to retain documents relating
to its compliance with the order for a
five-year period. Part VI mandates that
TaxSlayer make available to the FTC
information or subsequent compliance
reports, as requested. Part VII is a
provision ‘‘sunsetting’’ the order after
twenty (20) years, with certain
exceptions.
The purpose of this analysis is to
facilitate public comment on the
proposed order. It is not intended to
constitute an official interpretation of
the proposed complaint or order, or to
modify in any way the proposed order’s
terms.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2017–18706 Filed 9–1–17; 8:45 am]
BILLING CODE 6750–01–P
DEPARTMENT OF DEFENSE
GENERAL SERVICES
ADMINISTRATION
NATIONAL AERONAUTICS AND
SPACE ADMINISTRATION
[OMB Control No. 9000–0089: Docket No.
2017–0053; Sequence 3]
Submission for OMB Review; Request
for Authorization of Additional
Classification and Rate, Standard Form
1444
AGENCY: Department of Defense (DOD),
General Services Administration (GSA),
and National Aeronautics and Space
Administration (NASA).
ACTION: Notice.
SUMMARY: Under the provisions of the
Paperwork Reduction Act of 1995, the
Regulatory Secretariat Division will be
submitting to the Office of Management
and Budget (OMB) a request to review
and approve an extension of a
previously approved information
collection requirement concerning
Request for Authorization of Additional
Classification and Rate, Standard Form
(SF) 1444. A notice was published in
the Federal Register at 82 FR 20340 on
May 1, 2017. No comments were
received.
DATES: Submit comments on or before
October 5, 2017.
ADDRESSES: Submit comments regarding
this burden estimate or any other aspect
of this collection of information,
including suggestions for reducing this
burden to: Office of Information and
Regulatory Affairs of OMB, Attention:
Desk Officer for GSA, Room 10236,
NEOB, Washington, DC 20503.
Additionally submit a copy to GSA by
any of the following methods:
• Regulations.gov: https://www.regulations.gov. Submit comments
via the Federal eRulemaking portal by
searching the OMB control number
9000–0089. Select the link ‘‘Comment
Now’’ that corresponds with
‘‘Information Collection 9000–0089,
Request for Authorization of Additional
Classification and Rate, SF 1444.’’
Follow the instructions provided on the
screen. Please include your name,
company name (if any), and
‘‘Information Collection 9000–0089,
Request for Authorization of Additional
Classification and Rate, SF 1444’’ on
your attached document.
• Mail: General Services
Administration, Regulatory Secretariat
Division (MVCB), 1800 F Street NW.,
Washington, DC 20405. ATTN: Ms.
Sosa/IC 9000–0089.
Instructions: Please submit comments
only and cite Information Collection
9000–0089, in all correspondence
related to this collection. Comments
received generally will be posted
without change to
https://www.regulations.gov, including any
personal and/or business confidential
information provided. To confirm
receipt of your comment(s), please
check www.regulations.gov,
approximately two to three days after
submission to verify posting (except
allow 30 days for posting of comments
submitted by mail).
FOR FURTHER INFORMATION CONTACT: Ms.
Zenaida Delgado, Procurement Analyst,
Federal Acquisition Policy Division,
GSA, 202–969–7207 or email
zenaida.delgado@gsa.gov.
SUPPLEMENTARY INFORMATION:
A. Purpose
Federal Acquisition Regulation (FAR)
22.406 prescribes labor standards for
federally financed and assisted
construction contracts subject to the
Davis-Bacon and Related Acts (DBRA),
as well as labor standards for nonconstruction contracts subject to the
Contract Work Hours and Safety
Standards Act (CWHSSA).
The recordkeeping requirements in
this regulation, FAR 22.406, reflect the
requirements cleared under OMB
control numbers 1235–0023, 1235–0008,
and 1235–0018 for 29 CFR 5.5(a)(1)(i),
5.5(c), and 5.15 (records to be kept by
employers under the Fair Labor
Standards Act (FLSA)). The regulation
at 29 CFR 516 reflects the basic
recordkeeping and reporting
requirements for the laws administered
by the Department of Labor Wage and
Hour Division.
FAR 22.406–3, implements the
recordkeeping and information
collection requirements prescribed in 29
CFR 5.5(a)(1)(ii) cleared under OMB
control number 1235–0023 (also
prescribed at 48 CFR 22.406 under OMB
control number 9000–0089), by
[Federal Register Volume 82, Number 170 (Tuesday, September 5, 2017)]
[Notices]
[Pages 41959-41961]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-18706]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 162 3063]
TaxSlayer, LLC; Analysis To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of the Gramm-Leach-Bliley Act Privacy Rule, and of the
Gramm-Leach-Bliley Act Safeguards Rule. The attached Analysis To Aid
Public Comment describes both the allegations in the complaint and the
terms of the consent order--embodied in the consent agreement--that
would settle these allegations.
DATES: Comments must be received on or before September 29, 2017.
ADDRESSES: Interested parties may file a comment online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write: ``In the Matter of
TaxSlayer, LLC, File No. 1623063'' on your comment, and file your
comment online at https://ftcpublic.commentworks.com/ftc/taxslayerconsent by following the instructions on the web-based form.
If you prefer to file your comment on paper, write ``In the Matter of
TaxSlayer, LLC, File No. 1623063'' on your comment and on the envelope,
and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex
D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Katherine McCarron (202-326-2333) and
Jacqueline Connor (202-326-2844), Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis To Aid Public Comment describes the terms of the
consent agreement, and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC Home Page (for August 29, 2017), on the World Wide Web, at
https://www.ftc.gov/news-events/commission-actions.
[[Page 41960]]
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before September 29,
2017. Write ``In the Matter of TaxSlayer, LLC, File No. 1623063'' on
your comment. Your comment--including your name and your state--will be
placed on the public record of this proceeding, including, to the
extent practicable, on the public Commission Web site, at https://www.ftc.gov/policy/public-comments.
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/taxslayerconsent by following the instructions on the web-based
form. If this Notice appears at https://www.regulations.gov/#!home, you
also may file a comment through that Web site.
If you prefer to file your comment on paper, write ``In the Matter
of TaxSlayer, LLC, File No. 1623063'' on your comment and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex
D), Washington, DC. 20024. If possible, submit your paper comment to
the Commission by courier or overnight service.
Because your comment will be placed on the publicly accessible FTC
Web site at https://www.ftc.gov, you are solely responsible for making
sure that your comment does not include any sensitive or confidential
information. In particular, your comment should not include any
sensitive personal information, such as your or anyone else's Social
Security number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure that your comment does not include
any sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2),
16 CFR 4.10(a)(2)--including in particular competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comment to be withheld from
the public record. See FTC Rule 4.9(c). Your comment will be kept
confidential only if the General Counsel grants your request in
accordance with the law and the public interest. Once your comment has
been posted on the public FTC Web site--as legally required by FTC Rule
4.9(b)--we cannot redact or remove your comment from the FTC Web site,
unless you submit a confidentiality request that meets the requirements
for such treatment under FTC Rule 4.9(c), and the General Counsel
grants that request.
Visit the FTC Web site at https://www.ftc.gov to read this Notice
and the news release describing it. The FTC Act and other laws that the
Commission administers permit the collection of public comments to
consider and use in this proceeding, as appropriate. The Commission
will consider all timely and responsive public comments that it
receives on or before September 29, 2017. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Agreement Containing Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, an agreement containing a consent order from TaxSlayer, LLC
(``TaxSlayer'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission again will review the
agreement and the comments received and will decide whether it should
withdraw from the agreement or make final the agreement's proposed
order.
This matter involves TaxSlayer, a company that advertises, offers
for sale, sells, and distributes products and services to consumers,
including TaxSlayer Online, a browser-based tax return preparation and
electronic filing software and service. TaxSlayer Online assists
consumers, typically for a fee, in preparing and electronically filing
federal and state income tax returns. In 2016, more than 950,000
individuals filed tax returns using TaxSlayer Online.
TaxSlayer Online users create an account by entering a username and
password (``login credentials'') on an account creation page. They then
input a host of personal information in order to create a tax return,
including but not limited to: Name, Social Security number (``SSN''),
telephone number, physical address, income, employment status, marital
status, identity of dependents, financial assets, financial activities,
receipt of government benefits, home ownership, indebtedness, health
insurance, retirement information, charitable donations, tax payments,
tax refunds, bank account numbers, and payment card numbers.
TaxSlayer Online uses this personal information to prepare tax
returns on behalf of customers. Once a tax return is prepared, a
customer can file the return electronically through TaxSlayer Online
with the Internal Revenue Service (``IRS'') and state departments of
revenue. If a customer is entitled to a refund, TaxSlayer offers the
option of directing the refund into a customer's bank account, or
customers may elect to receive their refunds on a prepaid debit card.
The complaint alleges that TaxSlayer became subject to a list
validation attack that began in October 2015. List validation attacks
occur when attackers use lists of stolen login credentials to attempt
to access accounts across a number of Web sites, knowing that consumers
often reuse login credentials. In an unknown number of instances, the
attackers engaged in tax identity theft by e-filing fraudulent tax
returns and diverting the fabricated refunds to themselves.
The Commission's complaint alleges that TaxSlayer failed to comply
with the Gramm-Leach-Bliley (``GLB'') Act Privacy Rule in two ways.
First, TaxSlayer failed to provide a clear and conspicuous initial
privacy notice. TaxSlayer's Privacy Policy was contained towards the
end of a long License Agreement, and TaxSlayer did not convey the
importance, nature, and relevance of this Privacy Policy to its
customers. Second, TaxSlayer failed to deliver the initial privacy
notice so that each customer could reasonably be expected to receive
actual notice. For example, TaxSlayer did not require customers to
acknowledge receipt of the
initial privacy notice as a necessary step to obtaining a particular
financial product or service.
In addition, the complaint alleges that TaxSlayer engaged in a
number of practices that, taken together, failed to provide reasonable
and appropriate security for sensitive information from consumers, in
violation of the GLB Act Safeguards Rule. First, TaxSlayer failed to
have a written information security program until November 2015.
Second, TaxSlayer failed to conduct a risk assessment, which would have
identified reasonably foreseeable risks to the security,
confidentiality, and integrity of customer information, including risks
associated with inadequate authentication. Third, TaxSlayer failed to
implement information safeguards to control the risks to customer
information from inadequate authentication.
The proposed order contains provisions designed to prevent
TaxSlayer from engaging in practices similar to those alleged in the
complaint. Part I prohibits TaxSlayer from violating any provision of
the GLB Act Privacy Rule and Safeguards Rule. Part II of the proposed
order requires TaxSlayer to obtain, within the first one hundred eighty
(180) days after service of the order and on a biennial basis
thereafter for a period of ten (10) years, an assessment and report
from a qualified, objective, independent third-party professional,
certifying, among other things, that: (1) It has in place a security
program that provides protections that meet or exceed the protections
required by Part I.B of the order, and (2) its security program is
operating with sufficient effectiveness to provide reasonable assurance
that the security, confidentiality, and integrity of sensitive consumer
information has been protected.
Parts III through VII of the proposed order are reporting and
compliance provisions. Part III requires dissemination of the order now
and in the future to all current and future principals, officers,
directors, and LLC managers and directors, and to persons with
managerial or supervisory responsibilities relating to Parts I through
IV of the order. Part IV ensures notification to the FTC of changes in
corporate status and mandates that TaxSlayer submit an initial
compliance report to the FTC. Part V requires TaxSlayer to retain
documents relating to its compliance with the order for a five-year
period. Part VI mandates that TaxSlayer make available to the FTC
information or subsequent compliance reports, as requested. Part VII is
a provision ``sunsetting'' the order after twenty (20) years, with
certain exceptions.
The purpose of this analysis is to facilitate public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed complaint or order, or to modify in any
way the proposed order's terms.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2017-18706 Filed 9-1-17; 8:45 am]