January 6, 2020

Utah technology company settles FTC allegations that it failed to protect consumer data

On January 6, 2020, the Federal Trade Commission granted final approval of a settlement with InfoTrax Systems, L.C., a Utah-based company that provides back-end operations systems and online distributor tools for the direct sales industry.  The FTC alleged in its complaint thatthe company failed to use reasonable, readily available security protections to safeguard its clients’ personal information,  and as a result a hacker was able  to access the sensitive information of a million consumers on at least twenty occasions between May 2014 and March 2016. The FTC also alleged that InfoTrax stored unencrypted social security numbers, and bank account and payment card information on its network. 

The settlement requires InfoTrax and its founder and former Chief Executive Officer to implement, maintain and document an information security program, and to engage a qualified third party to produce biannual reports on the program.  Mandatory elements of the program include: 

• The designation of a qualified employee to be responsible for the program;
• Provision of annual security risk assessments;
• The design and implementation of safeguards to limit access points for third parties, increase segmentation and detect unknown file uploads; 
• Encryption of social security numbers, payment card information, and authentication credentials;
• periodic vulnerability and penetration tests.

Pursuant to the FTC’s decision, senior InfoTrax management must certify compliance annually, and promptly report security incidents to the Commission.  The FTC order is valid for twenty years from the date of issue, December 30, 2019.

FTC press release | FTC decision  and order | FTC complaint