InfoTrax Systems, L.C. and Mark Rawlins; Analysis To Aid Public Comment, 64074-64076 [2019-25109]
Federal Register / Vol. 84, No. 224 / Wednesday, November 20, 2019 / Notices
of information unless it displays a valid OMB control number.

Your comment—including your name and your state—will be placed on the public record of this proceeding. Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone’s Social Security number, date of birth, driver’s license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any “[t]rade secret or any commercial or financial information which is . . . privileged or confidential” as provided in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Heather Hippsley,
Deputy General Counsel.
[FR Doc. 2019–25110 Filed 11–19–19; 8:45 am]
BILLING CODE 6750–01–P
FEDERAL TRADE COMMISSION

[File No. 162 3130]

InfoTrax Systems, L.C. and Mark Rawlins; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement; Request for comment.

SUMMARY: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

DATES: Comments must be received on or before December 20, 2019.

ADDRESSES: Interested parties may file comments online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write: “InfoTrax Systems, L.C. and Mark Rawlins; File No. 162 3130” on your comment, and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Andrea Arias (202–326–2715), Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for November 12, 2019), on the World Wide Web, at https://www.ftc.gov/news-events/commission-actions.

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before December 20, 2019. Write “InfoTrax Systems, L.C. and Mark Rawlins; File No. 162 3130” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online through the https://www.regulations.gov website.

If you prefer to file your comment on paper, write “InfoTrax Systems, L.C. and Mark Rawlins; File No. 162 3130” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex D), Washington, DC 20580; or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the public FTC website—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from the FTC website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.

Visit the FTC website at https://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before December 20, 2019. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment

The Federal Trade Commission (“Commission”) has accepted, subject to final approval, an agreement containing a consent order from InfoTrax Systems, L.C. (“InfoTrax”) and Mark Rawlins (collectively “Respondents”).

The proposed consent order (“proposed order”) has been placed on the public record for thirty (30) days for receipt of comments from interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement’s proposed order.

This matter involves InfoTrax, a technology company that provides backend operations systems and online distributor tools for the direct sales industry. Respondents have stored personal information about more than eleven million consumers.
The Commission’s proposed complaint alleges that Respondents violated Section 5(a) of the Federal Trade Commission Act (“FTC Act”). The proposed complaint alleges that Respondents engaged in a number of unreasonable security practices and that, as a result of these practices, an intruder, or intruders, were able to gain unauthorized access to consumers’ personal information in March 2016. During multiple breaches, intruder(s) accessed and/or downloaded the personal information of over one million consumers. The types of information exposed included full names; physical addresses; email addresses; telephone numbers; Social Security Numbers (“SSNs”) or other government identification numbers; clients’ distributors’ user IDs and passwords; admin IDs and passwords; payment card information including credit or debit card numbers, Card Verification Values (“CVVs”) and expiration dates; and bank account information including bank account and routing numbers. (However, a particular individual’s record does not necessarily contain every one of these data types.)
The proposed complaint alleges that Respondents:

• Failed to have a systematic process for inventorying and deleting consumers’ personal information stored on InfoTrax’s network that is no longer necessary;

• Failed to adequately assess the cybersecurity risk posed to consumers’ personal information stored on InfoTrax’s network by performing adequate code review of InfoTrax’s software, and penetration testing of InfoTrax’s network and software;

• Failed to detect malicious file uploads by implementing protections such as adequate input validation;

• Failed to adequately limit the locations to which third parties could upload unknown files on InfoTrax’s network;

• Failed to adequately segment InfoTrax’s network to ensure that one client’s distributors could not access another client’s data on the network;

• Failed to implement safeguards to detect anomalous activity and/or cybersecurity events. For example, Respondents failed to: (1) Implement an intrusion prevention or detection system to alert Respondents of potentially unauthorized queries and/or access to InfoTrax’s network; (2) use file integrity monitoring tools to determine whether any files on InfoTrax’s network had been altered; and (3) use data loss prevention tools to regularly monitor for unauthorized attempts to exfiltrate consumers’ personal information outside InfoTrax’s network boundaries; and

• Stored consumers’ personal information, including consumers’ SSNs, payment card information (including full or partial credit card and debit card numbers, CVVs, and expiration dates), bank account information (including account and routing numbers), and authentication credentials such as user IDs and passwords, in clear, readable text on InfoTrax’s network.
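The two upload allegations in the list above (no input validation of uploaded files, and no limit on the locations to which third parties could upload unknown files) come down to one handler design. The following is an added example, not code from InfoTrax, the complaint or the order: a permissive handler in which the client-supplied name becomes a path under the web root, beside a hardened one that checks the name, an extension allow-list, the size and the leading bytes of the content, and then stores the file under a random server-chosen name in a directory the web server does not execute. The allow-list, the sample uploads and the `/srv/www` web root are assumptions made for the example.

```python
"""Upload handling: the permissive pattern beside a hardened one.

Added example, not code from InfoTrax or the FTC. The allow-list, the
sample uploads, the web-root path and the storage layout are all
constructed for illustration.
"""
import os
import re
import secrets
from pathlib import Path
from tempfile import TemporaryDirectory

# Leading bytes ("magic numbers") for the few types the hypothetical
# service needs to accept; anything else is refused regardless of name.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024
# One path component only: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Constructed sample uploads: client-supplied name -> content.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_UPLOADS = {
    "avatar.png": PNG_HEADER,                 # benign image
    "report.php": b"<?php echo 'hi'; ?>",     # server-side script by extension
    "photo.png": b"<?php echo 'hi'; ?>",      # script body behind an image name
    "../../app/x.png": PNG_HEADER,            # path traversal in the name
}


def permissive_destination(web_root: str, name: str) -> str:
    """The weak pattern: the client's name becomes the path, under the web root.

    A '../' in the name walks out of the upload folder, and nothing inspects
    the content, so a script with a permitted-looking name lands where the
    web server may execute or serve it.
    """
    return os.path.normpath(os.path.join(web_root, "uploads", name))


def permissive_escapes(web_root: str, name: str) -> bool:
    """True when the permissive handler would write outside the upload folder."""
    uploads = os.path.normpath(os.path.join(web_root, "uploads")) + os.sep
    return not permissive_destination(web_root, name).startswith(uploads)


class RejectedUpload(ValueError):
    pass


def validate_upload(name: str, data: bytes) -> str:
    """Return the permitted extension for this upload or raise RejectedUpload.

    The cheap name and extension checks run before the size and content
    checks, so a hostile name is refused before anything touches the disk.
    """
    if not SAFE_NAME.match(name):
        raise RejectedUpload("unsafe file name")
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise RejectedUpload(f"extension {ext or '(none)'} not allowed")
    if len(data) > MAX_BYTES:
        raise RejectedUpload("file too large")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise RejectedUpload("content does not match extension")
    return ext


def hardened_save(store_dir: Path, name: str, data: bytes) -> Path:
    """Validate, then store under a random server-chosen name.

    store_dir is meant to sit outside the web root and never be mapped to a
    script handler; the original name is metadata only, never a path.
    """
    ext = validate_upload(name, data)
    dest = store_dir / (secrets.token_hex(16) + ext)
    dest.write_bytes(data)
    return dest


def run_hardened_demo() -> dict:
    """Run the hardened path over the samples: name -> 'stored' or the reason."""
    results = {}
    with TemporaryDirectory() as tmp:
        for name, data in SAMPLE_UPLOADS.items():
            try:
                hardened_save(Path(tmp), name, data)
                results[name] = "stored"
            except RejectedUpload as err:
                results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    web_root = "/srv/www"  # hypothetical; used only for path arithmetic
    for name in SAMPLE_UPLOADS:
        flag = "  (escapes upload dir)" if permissive_escapes(web_root, name) else ""
        print(f"permissive: {name!r:20} -> {permissive_destination(web_root, name)}{flag}")
    for name, outcome in run_hardened_demo().items():
        print(f"hardened:   {name!r:20} -> {outcome}")
```

The content check is deliberately a "does it start like the type it claims to be" test rather than a full parser; it closes the script-behind-an-image-name case, and the random server-side name plus a non-executing storage directory close the remaining one, where a validated file is later reached by a name an attacker chose. A separate, slower step (image re-encoding, antivirus scanning) can follow the storage step without sitting on the request path.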
The proposed complaint alleges that Respondents could have addressed each of the failures described above by implementing readily available and relatively low-cost security measures.
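One of the low-cost measures named in the list above is file integrity monitoring. As an added example (not InfoTrax's tooling, and not something the complaint describes), the following builds a SHA-256 baseline of a directory tree, persists it, and reports files that were added, removed or modified since; the tree and the changes made to it are constructed inside `run_demo()` and stand in for a web application directory.

```python
"""File integrity monitoring with a hash baseline.

Added example, not InfoTrax's tooling. The directory tree and the changes
made to it inside run_demo() are constructed for illustration.
"""
import hashlib
import json
from pathlib import Path
from tempfile import TemporaryDirectory


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files stay out of memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify the difference between two snapshots.

    'added' is the class that matters for an upload-driven intrusion: a file
    that appeared in a served directory with no deployment behind it.
    """
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(name for name in common if baseline[name] != current[name]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; in practice keep this copy off the monitored host."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def run_demo() -> dict:
    """Build a small tree, baseline it, change it, and report the differences."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "app").mkdir(parents=True)
        (root / "uploads").mkdir()
        (root / "app" / "login.py").write_text("def login(user, pw):\n    ...\n")
        (root / "app" / "settings.ini").write_text("debug = false\n")
        (root / "uploads" / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Constructed changes: a code edit, a new script in the upload
        # directory, and a deleted config file.
        (root / "app" / "login.py").write_text("def login(user, pw):\n    return True\n")
        (root / "uploads" / "cmd.php").write_text("<?php echo 'x'; ?>\n")
        (root / "app" / "settings.ini").unlink()

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, names in run_demo().items():
        print(f"{kind:9}: {', '.join(names) or '-'}")
```

Two operational points decide whether a tool like this detects anything. The baseline has to live somewhere an intruder who can write to the monitored tree cannot also rewrite (another host, or at least a read-only location), and the comparison has to run on a schedule and feed an alert, since a report nobody reads is the same as no monitoring. Excluding directories that legitimately churn (logs, caches) keeps the 'modified' class quiet enough that an unexpected file in a served directory stands out.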
The proposed complaint alleges that Respondents’ failure to employ reasonable data security practices to protect personal information—including names, addresses, SSNs, other government identifiers, and financial account information—caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Respondents’ failure to employ reasonable data security practices constitutes an unfair act or practice under Section 5 of the FTC Act.
The proposed order contains injunctive provisions addressing the alleged unfair conduct. Part I of the proposed order prohibits each Covered Business from transferring, selling, sharing, collecting, maintaining, or storing personal information unless each Covered Business establishes and implements, and thereafter maintains, a comprehensive information security program that protects the security, confidentiality, and integrity of such personal information.1

1 “Covered Business” includes InfoTrax; any business that InfoTrax controls, directly or indirectly; and any business that Mr. Rawlins controls, directly or indirectly, except for the businesses that own, lease, and/or operate a campground in Bunkerville, Nevada, and solely to the extent that the businesses are engaged in the operation of that campground.

Part II of the proposed order requires Respondents to obtain initial and biennial data security assessments for twenty (20) years.

Part III of the proposed order requires Respondents to disclose all material facts to the assessor; prohibits Respondents from misrepresenting any fact material to the assessments required by Part II; and requires Respondents to provide or otherwise make available to the assessor all information and material that is relevant to the assessment for which there is no reasonable claim of privilege.

Part IV requires Respondents to submit an annual certification from a senior corporate manager (or senior officer of each Covered Business responsible for each Covered Business’s information security program) that: (1) Each Covered Business has implemented the requirements of the Order; (2) each Covered Business is not aware of any material noncompliance that has not been corrected or disclosed to the Commission; and (3) includes a brief description of any covered incident involving unauthorized access to or acquisition of personal information.

Part V requires Respondents to submit a report to the Commission of the discovery of any covered incident.

Parts VI through IX of the proposed order are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring Respondents to provide information or documents necessary for the Commission to monitor compliance. Part X states that the proposed order will remain in effect for twenty (20) years, with certain exceptions.

The purpose of this analysis is to aid public comment on the proposed order. It is not intended to constitute an official interpretation of the complaint or proposed order, or to modify in any way the proposed order’s terms.

By direction of the Commission.

Joel Christie,
Acting Secretary.
[FR Doc. 2019–25109 Filed 11–19–19; 8:45 am]
BILLING CODE 6750–01–P
DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Disease Control and Prevention

[60Day–20–20BY; Docket No. CDC–2019–0104]

Proposed Data Collection Submitted for Public Comment and Recommendations

AGENCY: Centers for Disease Control and Prevention (CDC), Department of Health and Human Services (HHS).

ACTION: Notice with comment period.

SUMMARY: The Centers for Disease Control and Prevention (CDC), as part of its continuing effort to reduce public burden and maximize the utility of government information, invites the general public and other Federal agencies the opportunity to comment on a proposed and/or continuing information collection, as required by the Paperwork Reduction Act of 1995. This notice invites comment on a proposed information collection project titled Pilot Project: Work Organization Risks to Short-haul Truck Drivers’ Health & Safety. This study is designed to assess how local/short haul drivers perceive their work environments, and how that relates to their well-being.

DATES: CDC must receive written comments on or before January 21, 2020.

ADDRESSES: You may submit comments, identified by Docket No. CDC–2019–0104 by any of the following methods:

• Federal eRulemaking Portal: Regulations.gov. Follow the instructions for submitting comments.

• Mail: Jeffrey M. Zirger, Information Collection Review Office, Centers for Disease Control and Prevention, 1600 Clifton Road NE, MS–D74, Atlanta, Georgia 30329.

Instructions: All submissions received must include the agency name and Docket Number. CDC will post, without change, all relevant comments to Regulations.gov.

Please note: Submit all comments through the Federal eRulemaking portal (regulations.gov) or by U.S. mail to the address listed above.

FOR FURTHER INFORMATION: To request more information on the proposed project or to obtain a copy of the information collection plan and instruments, contact Jeffrey M. Zirger, Information Collection Review Office, Centers for Disease Control and Prevention, 1600 Clifton Road NE, MS–D74, Atlanta, Georgia 30329; phone: 404–639–7570; Email: omb@cdc.gov.

SUPPLEMENTARY INFORMATION: Under the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501–3520), Federal agencies must obtain approval from the Office of Management and Budget (OMB) for each collection of information they conduct or sponsor. In addition, the PRA also requires Federal agencies to provide a 60-day notice in the Federal Register concerning each proposed collection of information, including each new proposed collection, each proposed extension of existing collection of information, and each reinstatement of previously approved information collection before submitting the collection to the OMB for approval. To comply with this requirement, we are publishing this notice of a proposed data collection as described below.

The OMB is particularly interested in comments that will help:

1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;

2. Evaluate the accuracy of the agency’s estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;

3. Enhance the quality, utility, and clarity of the information to be collected; and

4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses.

5. Assess information collection costs.

Proposed Project

Pilot Project: Work Organization Risks to Short-haul Truck Drivers’ Health & Safety—New—National Institute for Occupational Safety and Health (NIOSH), Centers for Disease Control and Prevention (CDC).

Background and Brief Description

Commercial truck drivers face widely acknowledged safety risks on the job and are at an increased risk for heart disease, diabetes, hypertension, and obesity. Long and irregular work hours, lack of breaks, inadequate sleep, and little access to exercise facilities and healthy eating options contribute to drivers’ health and safety problems. Additionally, health complications of obesity (e.g., sleep apnea, type II diabetes) place truckers at even greater risk of roadway crashes. Much of what we know about work and health is based on knowledge gleaned from research on long-haul commercial drivers. Local short haul drivers are those who generally return home each night after work, and who travel no more than 150 miles from the employer’s terminal each day (whereas long-haul drivers are away from home for long periods of time and drive much greater distances daily). This research addresses a gap in knowledge and responds to stakeholders’ requests for research that examines work organization in local short-haul commercial driving. The purpose of this data collection is to learn more about the local short-haul trucking industry and how the complex interplay between job design and individual health behaviors affects the safety, health, and well-being of commercial drivers. NIOSH is requesting a 12-month OMB approval.

A survey will be used to collect cross-sectional data from 300 local short-haul commercial drivers. Drivers will answer questions about work design, organizational policies, occupational stressors, physical health, safety, and mental well-being. The data collected will be used to characterize work organization in local short-haul commercial driving, and analyzed to examine the association between work design and driver physical health, mental health, well-being, and safety. Stakeholders in trucking associations have agreed to promote participation in the study amongst their member organizations. A sample of 300 drivers will be recruited from across several commercial driving companies over a six-month time period. This is a cross-sectional survey. Drivers will complete the survey only one time. It is estimated that the survey will take about 30 minutes to complete. All responses are anonymous, and no personally identifiable information will be collected. There are no costs to