82 FR 41959 - TaxSlayer, LLC; Analysis To Aid Public Comment

FEDERAL TRADE COMMISSION

Federal Register Volume 82, Issue 170 (September 5, 2017)

Page Range41959-41961
FR Document2017-18706

The consent agreement in this matter settles alleged violations of the Gramm-Leach-Bliley Act Privacy Rule, and of the Gramm-Leach-Bliley Act Safeguards Rule. The attached Analysis To Aid Public Comment describes both the allegations in the complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.

Federal Register, Volume 82 Issue 170 (Tuesday, September 5, 2017)
[Federal Register Volume 82, Number 170 (Tuesday, September 5, 2017)]
[Notices]
[Pages 41959-41961]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2017-18706]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 162 3063]


TaxSlayer, LLC; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of the Gramm-Leach-Bliley Act Privacy Rule, and of the 
Gramm-Leach-Bliley Act Safeguards Rule. The attached Analysis To Aid 
Public Comment describes both the allegations in the complaint and the 
terms of the consent order--embodied in the consent agreement--that 
would settle these allegations.

DATES: Comments must be received on or before September 29, 2017.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write: ``In the Matter of 
TaxSlayer, LLC, File No. 1623063'' on your comment, and file your 
comment online at https://ftcpublic.commentworks.com/ftc/taxslayerconsent by following the instructions on the web-based form. 
If you prefer to file your comment on paper, write ``In the Matter of 
TaxSlayer, LLC, File No. 1623063'' on your comment and on the envelope, 
and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite 
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Katherine McCarron (202-326-2333) and 
Jacqueline Connor (202-326-2844), Bureau of Consumer Protection, 600 
Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis To Aid Public Comment describes the terms of the 
consent agreement, and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC Home Page (for August 29, 2017), on the World Wide Web, at 
https://www.ftc.gov/news-events/commission-actions.

[[Page 41960]]

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before September 29, 
2017. Write ``In the Matter of TaxSlayer, LLC, File No. 1623063'' on 
your comment. Your comment--including your name and your state--will be 
placed on the public record of this proceeding, including, to the 
extent practicable, on the public Commission Web site, at https://www.ftc.gov/policy/public-comments.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/taxslayerconsent by following the instructions on the web-based 
form. If this Notice appears at http://www.regulations.gov/#!home, you 
also may file a comment through that Web site.
    If you prefer to file your comment on paper, write ``In the Matter 
of TaxSlayer, LLC, File No. 1623063'' on your comment and on the 
envelope, and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite 
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex 
D), Washington, DC. 20024. If possible, submit your paper comment to 
the Commission by courier or overnight service.
    Because your comment will be placed on the publicly accessible FTC 
Web site at https://www.ftc.gov, you are solely responsible for making 
sure that your comment does not include any sensitive or confidential 
information. In particular, your comment should not include any 
sensitive personal information, such as your or anyone else's Social 
Security number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure that your comment does not include 
any sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the public FTC Web site--as legally required by FTC Rule 
4.9(b)--we cannot redact or remove your comment from the FTC Web site, 
unless you submit a confidentiality request that meets the requirements 
for such treatment under FTC Rule 4.9(c), and the General Counsel 
grants that request.
    Visit the FTC Web site at http://www.ftc.gov to read this Notice 
and the news release describing it. The FTC Act and other laws that the 
Commission administers permit the collection of public comments to 
consider and use in this proceeding, as appropriate. The Commission 
will consider all timely and responsive public comments that it 
receives on or before September 29, 2017. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Agreement Containing Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, an agreement containing a consent order from TaxSlayer, LLC 
(``TaxSlayer'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission again will review the 
agreement and the comments received and will decide whether it should 
withdraw from the agreement or make final the agreement's proposed 
order.
    This matter involves TaxSlayer, a company that advertises, offers 
for sale, sells, and distributes products and services to consumers, 
including TaxSlayer Online, a browser-based tax return preparation and 
electronic filing software and service. TaxSlayer Online assists 
consumers, typically for a fee, in preparing and electronically filing 
federal and state income tax returns. In 2016, more than 950,000 
individuals filed tax returns using TaxSlayer Online.
    TaxSlayer Online users create an account by entering a username and 
password (``login credentials'') on an account creation page. They then 
input a host of personal information in order to create a tax return, 
including but not limited to: Name, Social Security number (``SSN''), 
telephone number, physical address, income, employment status, marital 
status, identity of dependents, financial assets, financial activities, 
receipt of government benefits, home ownership, indebtedness, health 
insurance, retirement information, charitable donations, tax payments, 
tax refunds, bank account numbers, and payment card numbers.
    TaxSlayer Online uses this personal information to prepare tax 
returns on behalf of customers. Once a tax return is prepared, a 
customer can file the return electronically through TaxSlayer Online 
with the Internal Revenue Service (``IRS'') and state departments of 
revenue. If a customer is entitled to a refund, TaxSlayer offers the 
option of directing the refund into a customer's bank account, or 
customers may elect to receive their refunds on a prepaid debit card.
    The complaint alleges that TaxSlayer became subject to a list 
validation attack that began in October 2015. List validation attacks 
occur when attackers use lists of stolen login credentials to attempt 
to access accounts across a number of Web sites, knowing that consumers 
often reuse login credentials. In an unknown number of instances, the 
attackers engaged in tax identity theft by e-filing fraudulent tax 
returns and diverting the fabricated refunds to themselves.
    The Commission's complaint alleges that TaxSlayer failed to comply 
with the Gramm-Leach-Bliley (``GLB'') Act Privacy Rule in two ways. 
First, TaxSlayer failed to provide a clear and conspicuous initial 
privacy notice. TaxSlayer's Privacy Policy was contained towards the 
end of a long License Agreement, and TaxSlayer did not convey the 
importance, nature, and relevance of this Privacy Policy to its 
customers. Second, TaxSlayer failed to deliver the initial privacy 
notice so that each customer could reasonably be expected to receive 
actual notice. For example, TaxSlayer did not require customers to 
acknowledge receipt of the

[[Page 41961]]

initial privacy notice as a necessary step to obtaining a particular 
financial product or service.
    In addition, the complaint alleges that TaxSlayer engaged in a 
number of practices that, taken together, failed to provide reasonable 
and appropriate security for sensitive information from consumers, in 
violation of the GLB Act Safeguards Rule. First, TaxSlayer failed to 
have a written information security program until November 2015. 
Second, TaxSlayer failed to conduct a risk assessment, which would have 
identified reasonably foreseeable risks to the security, 
confidentiality, and integrity of customer information, including risks 
associated with inadequate authentication. Third, TaxSlayer failed to 
implement information safeguards to control the risks to customer 
information from inadequate authentication.
    The proposed order contains provisions designed to prevent 
TaxSlayer from engaging in practices similar to those alleged in the 
complaint. Part I prohibits TaxSlayer from violating any provision of 
the GLB Act Privacy Rule and Safeguards Rule. Part II of the proposed 
order requires TaxSlayer to obtain, within the first one hundred eighty 
(180) days after service of the order and on a biennial basis 
thereafter for a period of ten (10) years, an assessment and report 
from a qualified, objective, independent third-party professional, 
certifying, among other things, that: (1) It has in place a security 
program that provides protections that meet or exceed the protections 
required by Part I.B of the order, and (2) its security program is 
operating with sufficient effectiveness to provide reasonable assurance 
that the security, confidentiality, and integrity of sensitive consumer 
information has been protected.
    Parts III through VII of the proposed order are reporting and 
compliance provisions. Part III requires dissemination of the order now 
and in the future to all current and future principals, offers, 
directors, and LLC managers and directors, and to persons with 
managerial or supervisory responsibilities relating to Parts I through 
IV of the order. Part IV ensures notification to the FTC of changes in 
corporate status and mandates that TaxSlayer submit an initial 
compliance report to the FTC. Part V requires TaxSlayer to retain 
documents relating to its compliance with the order for a five-year 
period. Part VI mandates that TaxSlayer make available to the FTC 
information or subsequent compliance reports, as requested. Part VII is 
a provision ``sunsetting'' the order after twenty (20) years, with 
certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the proposed complaint or order, or to modify in any 
way the proposed order's terms.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2017-18706 Filed 9-1-17; 8:45 am]
 BILLING CODE 6750-01-P


Current View
CategoryRegulatory Information
CollectionFederal Register
sudoc ClassAE 2.7:
GS 4.107:
AE 2.106:
PublisherOffice of the Federal Register, National Archives and Records Administration
SectionNotices
ActionProposed consent agreement.
DatesComments must be received on or before September 29, 2017.
ContactKatherine McCarron (202-326-2333) and Jacqueline Connor (202-326-2844), Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580.
FR Citation82 FR 41959 

2024 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR