VOLUME 04 ISSUE 09 SEPTEMBER 2021
Donald L. Buresh, Ph.D., J.D., LL.M.
Morgan State University
ABSTRACT
This paper discusses what legally happened to TaxSlayer, LLC after a cyber break-in that occurred in 2015. The Federal Trade Commission sued the company, demanding that the organization institute robust cyber protections to ensure financial customer information security, confidentiality, and integrity. The article argues that the federal government’s actions were entirely appropriate, given its constitutional mandate to regulate commerce and protect the general welfare. However, with the relentless onslaught of cybercriminal activity, the steps demanded by the federal government may prevent, but not stop, the cybercriminal tide from rising, as King Canute observed many years ago.
KEYWORDS: Covered Financial Institution, Gramm-Leach-Bliley Act, Safeguards Rule, TaxSlayer, LLC