The RockYou breach, disclosed in December 2009, stands as the 10th largest breach on DataLossDB’s counter after 32 million login credentials were compromised. A civil suit, Claridge v. RockYou, is still unsettled, although a proposed settlement was submitted to the court in November 2011. Previous coverage on this breach can be found here. Now the FTC has issued a statement on a proposed settlement of its charges against the firm:
The operator of a social game site has agreed to settle charges that, while touting its security features, it failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The Federal Trade Commission also alleged in its complaint against RockYou that RockYou violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) in collecting information from approximately 179,000 children. The proposed FTC settlement order with the company bars future deceptive claims by the company regarding privacy and data security, requires it to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay a $250,000 civil penalty to settle the COPPA charges.
The case against RockYou is part of the FTC’s ongoing effort to make sure companies live up to the privacy promises they make to consumers, and that kids’ information isn’t collected or shared online without their parents’ consent.
According to the FTC complaint, RockYou operated a website that allowed consumers to play games and use other applications. Many consumers used the site to assemble slide shows from their photos, using a caption capability and music supplied by the site. To save their slide shows, consumers had to enter their email address and email password.
The FTC’s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. The Rule also requires that website operators post a privacy policy that is clear, understandable, and complete.
The FTC alleged that RockYou knowingly collected approximately 179,000 children’s email addresses and associated passwords during registration – without their parents’ consent – and enabled children to create personal profiles and post personal information on slide shows that could be shared online. The company asked for kids’ date of birth, and so accepted registrations from kids under 13. In addition, the company’s security failures put users’ including children’s personal information at risk, according to the FTC. The FTC charged that RockYou violated the COPPA Rule by:
- not spelling out its collection, use and disclosure policy for children’s information;
- not obtaining verifiable parental consent before collecting children’s personal information; and
- not maintaining reasonable procedures, such as encryption to protect the confidentiality, security, and integrity of personal information collected from children.
The proposed settlement order bars deceptive claims regarding privacy and data security and requires RockYou to implement a data security program and submit to security audits by independent third-party auditors every other year for 20 years. It also requires RockYou to delete information collected from children under age 13 and bars violations of COPPA. Finally, RockYou will pay a $250,000 civil penalty for its alleged COPPA violations.
The FTC has a new publication, Living Life Online, to help tweens and teens navigate the internet safely.
The Commission vote to authorize the staff to refer the complaint to the Department of Justice and to approve the proposed consent decree was 4-0. The DOJ filed the complaint and proposed consent decree on behalf of the Commission in U.S. District Court for the Northern District of California on March 26, 2012. The proposed consent decree is subject to court approval.
So… if it wasn’t for the children’s data, would the FTC have gone after RockYou or fined them? The passwords were stored plain-text, but the only reference to encryption in this release applies to children’s data, not the adults’.
Update: I see that in his coverage of the proposed order, Jaikumar Vijayan reports that the civil suit against RockYou settled in December. If he’s referring to Claridge v. RockYou, the motion for settlement is due to be heard tomorrow (March 28).