The FTC announced a settlement in a data security enforcement action against InfoTrax Systems, L.C. and its former CEO, Mark Rawlins. Here is their press release, below, followed by InfoTrax’s comments on the settlement:
A Utah-based technology company has agreed to implement a comprehensive data security program to settle Federal Trade Commission allegations that the company failed to put in place reasonable security safeguards, which allowed a hacker to access the personal information of a million consumers.
InfoTrax Systems, L.C., provides back-end operation services to multi-level marketers. This includes such services as compensation, inventory, orders, accounting, training, and data security, as well as operating its clients’ website portals.
In its complaint, the FTC alleges that InfoTrax and its former CEO Mark Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients. This includes failing to:
- inventory and delete personal information it no longer needed;
- conduct code review of its software and testing of its network;
- detect malicious file uploads;
- adequately segment its network; and
- implement cybersecurity safeguards to detect unusual activity on its network.
In addition, the FTC alleged that InfoTrax stored consumers’ personal information—such as Social Security numbers, payment card information, bank account information, and user names and passwords—in clear, readable text on its network.
“Service providers like InfoTrax don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “As this case shows, it’s every company’s responsibility to protect customers’ personal information, especially sensitive data like Social Security numbers.”
As a result of the company’s security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. In March 2016, the intruder accessed about one million consumers’ sensitive personal information, according to the complaint.
InfoTrax did not detect these intrusions until March 2016, when it was alerted that its servers had reached maximum capacity. This alert was due to a data archive file created by the hacker who had infiltrated its network. InfoTrax’s security failures not only affected its network but also the websites of its clients, the FTC alleges.
The personal information that the intruder obtained can be used to commit identity theft and fraud. The FTC alleges that InfoTrax’s failure to provide reasonable security for personal data in its care violated the FTC’s prohibition against unfair practices.
As part of the proposed settlement with the FTC, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. This includes assessing and documenting internal and external security risks; implementing safeguards to protect personal information from cybersecurity risks; and testing and monitoring the effectiveness of those safeguards.
In addition, the proposed settlement requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.
The Commission vote to issue the administrative complaint and to accept the proposed consent agreement with InfoTrax and Rawlins was 5-0. Commissioner Christine S. Wilson released a concurring statement.
The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.
Source: Federal Trade Commission
The following in InfoTrax’s comments:
InfoTrax is the leading global provider of innovative and reliable software and hosting solutions for direct selling companies around the world and has been for more than 20 years. We have a successful track record of providing support to companies of all sizes.
In early 2016, InfoTrax discovered that someone had illegally accessed our company’s servers. We took immediate action to secure the data stored on our servers and to shut down any further unauthorized access. We also promptly contacted our affected clients and voluntarily requested the support of law enforcement agencies, including the Federal Bureau of Investigation (FBI), to determine the nature and scope of the breach.
In addition, we immediately contracted with top forensic security experts to help us identify where our system was vulnerable and to take steps to improve our security and prevent further incidents like this.
Without agreeing with the FTC’s findings from their investigation, we have signed a consent order that outlines the security measures that we will maintain going forward, many of which were implemented before we received the FTC’s order.
We deeply regret that this security incident happened. Information security is critical and integral to our operations, and our clients’ and customers’ security and privacy is our top priority.
About InfoTrax Systems
InfoTrax® Systems, a trusted name in MLM software, is an industry-leading provider of commissions management software and online distributor tools for the Direct Sales industry. From fast, accurate, and reliable business data to a platform of easy-to-use communication and reporting tools, InfoTrax® provides commission solutions supporting organizations from growth-stage ventures to international corporations supporting millions of users.