From the FTC:
Following a public comment period, the Federal Trade Commission finalized the orders in two cases settling charges that Ceridian Corporation and Lookout Services, Inc. claimed they would take reasonable measures to secure the consumer data they maintained, but failed to do so. The final orders require the companies to implement a comprehensive information security program and obtain independent, third-party security audits every other year for 20 years.
Additional documentation on each case is linked from the FTC case file page.