FTC settles breach case with Reed Elsevier and Seisint
In its action against Reed Elsevier and Seisint, the FTC alleged that Reed Elsevier, through its LexisNexis data broker business, and Seisint allowed customers to use easy-to-guess passwords to access Seisint's Accurint databases, which contained sensitive consumer information, including drivers' license numbers and Social Security numbers.
The FTC said identity thieves exploited these security failures and -- via multiple breaches -- accessed sensitive information about at least 316,000 consumers from the Accurint databases.
The identity thieves used the stolen data to activate credit cards, open new accounts and make fraudulent purchases on those cards and accounts.
Reed Elsevier acquired Seisint in late 2004, and the breaches continued for at least nine months after Reed Elsevier controlled Seisint's databases, according to the FTC.
Under the terms of the settlement, the FTC ordered the two companies to hire third-party security auditors to assess their security programs on a biennial basis for the next 20 years. The FTC requires the auditors to certify that the companies' security programs meet or exceed the requirements of the FTC's orders. The audits must also certify that the companies are providing "reasonable assurance that the security of consumers' personal information is being protected."
The settlement also contains bookkeeping and record-keeping provisions that allow the agency to monitor compliance with its orders. As it did with TJX, the FTC ordered the companies to designate an employee responsible for the security program, identify risks to personal data, deploy safeguards to mitigate those risks, put agreements in place with service providers that handle customer data, and evaluate and adjust their security programs as operations change.
The FTC said it worked with the Hayward, Calif. Police Department and the REACT (Rapid Enforcement Allied Computer Team) Task Force in its investigation of Reed Elsevier and Seisint. This was the FTC's 19th challenge of data security practices.
The FTC is prohibited by law from assessing fines.