September 2021

The Application of the Federal Trade Commission Privacy and Safeguards Rules to the In the Matter Tax Slayer, LLC Case
Donald L. Buresh, Ph.D., J.D., LL.M.
Morgan State University

Google Scholar Download Pdf

This paper discusses what legally happened to TaxSlayer, LLC after a cyber break-in that occurred in 2015. The Federal Trade Commission sued the company, demanding that the organization institute robust cyber protections to ensure financial customer information security, confidentiality, and integrity. The article argues that the federal government’s actions were entirely appropriate, given its constitutional mandate to regulate commerce and protect the general welfare. However, with the relentless onslaught of cybercriminal activity, the steps demanded by the federal government may prevent, but not stop, the cybercriminal tide from rising, as King Canute observed many years ago.


Covered Financial Institution, Gramm-Leach-Bliley Act, Safeguards Rule, Tax Slayer, LLC


1) e-CFR Staff, Part 314—Standards for Safeguarding Customer Information, ELECTRONIC CODE OF FEDERAL REGULATIONS, (Current as of August 30, 20201), available at

2) Gary Kranz, Graham-Leach-Bliley Act (GLBA), TECHTARGET, (Last updated June 2021), available at

3) FTC Staff, Financial Institutions and Customer Information: Complying with the Safeguards Rule, FEDERAL TRADE COMMISSION, (April 2006), available at

4) e-CFR Staff, supra, note 3.

5) Mike Nonaka, Libbie Canter, David Stein & Sam Adriance, FTC Proposes to Add Detailed Cybersecurity Requirements to the GLBA Safeguards Rule, INSIDE PRIVACY, (March 07, 2019), available at

6) Donald L. Buresh, Should Personal Information and Biometric Data Be Protected under a Comprehensive Federal Privacy Statute that Uses the California Consumer Privacy Act and the Illinois Biometric Information Privacy Act as Model Laws?, SANTA CLARA UNIVERSITY HIGH TECH LAW JOURNAL, (Expected Publication Date: October 2021) (Here, it is interesting to observe that there has been administrative and legislative interest for several years in passing a comprehensive privacy law in the United States).

7) In the Matter of TaxSlayer, LLC, Complaint Docket No. C-2646 (n.d.), available at

8) See 16 C.F.R. § 313.3(b) and 12 C.F.R. § 1016.4 and 1016.5.

9) See 16 C.F.R. § 313.6 and 12 C.F.R. § 1016.6.

10) See 16 C.F.R. § 313.9 and 12 C.F.R. § 1016.9.

11) See 16 C.F.R. § 313.4 and 12 C.F.R. § 1016.4.

12) In the Matter of TaxSlayer, LLC, supra, note 37.

13) FTC Staff, Gramm-Leach-Bliley Act, FEDERAL TRADE COMMISSION, (n.d.), available at (Here, according to the FTC, the Act became law on November 12, 1999).

14) In the Matter of TaxSlayer, LLC, supra, note 37.

15) In the Matter of TaxSlayer, LLC, Decision and Order Docket No. C-2646 (October 20, 2017), available at

16) Id. (See the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314).

17) In the Matter of TaxSlayer, LLC, supra, note 60.

18) Id. (First, the assessment report was due 60 days after the reporting period ended. Second, the individuals generating the assessment report must be a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA), an individual holding Global Information Assurance Certification (GIAC) from the SANS Institute; or a qualified individual or entity approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission. Finally, the assessment report was due to the Federal Trade Commission 10 days after the assessment report was completed).

19) Luke Irwin, How Long Does It Take to Detect a Cyber Attack?, IT GOVERNANCE, (March 14, 2019), available at

20) FireEye Staff, Mandiant Security Effectiveness Report: Deep Dive into Cybersecurity, FIREEYE, (n.d.), available at

21) In the Matter of TaxSlayer, LLC, supra, note 37.

22) TaxSlayer Staff, Malware Emails From TaxSlayer, TAXSLAYER, LLC, (May 14, 2012), available at

23) Jake Olcott, TaxSlayer Breach: Dissecting The Latest Cyberhack, BITSIGHT, (February 25, 2016), available at

24) Michael Swanagan, How to Prevent Cyber Attacks, PURPLESEC, (n.d.), available at

25) Ian Urbina, Hacker Tactic: Holding Data Hostage, THE NEW YORK TIMES, (June 14, 2014), available at

26) TaxSlayer Staff, The Importance of Tax Preparers Owning Their Role in Cybersecurity, TAXSLAYER, LLC, (September 23, 2020), available at


Indexed In

Avatar Avatar Avatar Avatar Avatar Avatar Avatar Avatar Avatar Avatar Avatar Avatar Avatar Avatar Avatar Avatar