Business Fined Quarter of a Million for Not Securing Customer Data

The Internet Patrol - Patrolling the Internet for You

The Federal Trade Commission (FTC) has fined game developer RockYou.com $250,000 for, among other things, failing to adequately secure their customers’ user data. While the FTC slammed Rock You for COPPA (the Children’s Online Privacy Protection Act rule) violations, in part because RockYou collected information from children under the age of 13 without parental consent, the Feds made a point of noting that “the company’s security failures put users’ including children’s personal information at risk” while at the same time claiming that they had adequate security measures in place.

Adequate security measures our foot! They stored their user data in plain – i.e. unencrypted – text! The FTC settlement and fine follows a 2 year investigation into the hacking of RockYou servers in 2009 which exposed the date of 32 million users.


In particular, even though, as we said, Rock You stored all of their user data in plain text, on their website they claimed that “RockYou uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information.”

In addition, the RockYou.com site sported this language:

Our Commitment To Children’s Privacy:

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?
Click for amount options
Other Amount:
What info did you find here today?:

 

Protecting the privacy of young children is especially important. For that reason, RockYou! does not knowingly collect or maintain personally identifiable information or non-personally-identifiable information on the RockYoul Sites from persons under 13 years of age, and no part of our website is directed to persons under 13. If you are under 13 years of age, then please do not use or access the RockYou! Sites at any time or in any manner. If RockYou! learns that personally identifiable information of persons under 13 years of age has been collected on the RockYoul Sites without verified parental consent, then RockYou! will take the appropriate steps to delete this information

But, in fact, such information was not deleted, and so was exposed during the hack.

Here is the most important takeaway for anyone conducting business on the Internet: Do not store your customers’ or users’ data in plain text! And, ideally, don’t even store it on a machine that is connected to the Internet.

 

Here is the FTC announcement about the case:

FTC Charges That Security Flaws in RockYou Game Site Exposed 32 Million Email Addresses and Passwords
Settlement Order Requires Company to Implement Comprehensive Data Security Program

The operator of a social game site has agreed to settle charges that, while touting its security features, it failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The Federal Trade Commission also alleged in its complaint against RockYou that RockYou violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) in collecting information from approximately 179,000 children. The proposed FTC settlement order with the company bars future deceptive claims by the company regarding privacy and data security, requires it to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay a $250,000 civil penalty to settle the COPPA charges.

The case against RockYou is part of the FTC’s ongoing effort to make sure companies live up to the privacy promises they make to consumers, and that kids’ information isn’t collected or shared online without their parents’ consent.

According to the FTC complaint, RockYou operated a website that allowed consumers to play games and use other applications. Many consumers used the site to assemble slide shows from their photos, using a caption capability and music supplied by the site. To save their slide shows, consumers had to enter their email address and email password.

The FTC’s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. The Rule also requires that website operators post a privacy policy that is clear, understandable, and complete.

The FTC alleged that RockYou knowingly collected approximately 179,000 children’s email addresses and associated passwords during registration – without their parents’ consent – and enabled children to create personal profiles and post personal information on slide shows that could be shared online. The company asked for kids’ date of birth, and so accepted registrations from kids under 13. In addition, the company’s security failures put users’ including children’s personal information at risk, according to the FTC. The FTC charged that RockYou violated the COPPA Rule by:

not spelling out its collection, use and disclosure policy for children’s information;
not obtaining verifiable parental consent before collecting children’s personal information; and
not maintaining reasonable procedures, such as encryption to protect the confidentiality, security, and integrity of personal information collected from children.

The proposed settlement order bars deceptive claims regarding privacy and data security and requires RockYou to implement a data security program and submit to security audits by independent third-party auditors every other year for 20 years. It also requires RockYou to delete information collected from children under age 13 and bars violations of COPPA. Finally, RockYou will pay a $250,000 civil penalty for its alleged COPPA violations.

The FTC has a new publication, Living Life Online, to help tweens and teens navigate the internet safely.

The Commission vote to authorize the staff to refer the complaint to the Department of Justice and to approve the proposed consent decree was 4-0. The DOJ filed the complaint and proposed consent decree on behalf of the Commission in U.S. District Court for the Northern District of California on March 26, 2012. The proposed consent decree is subject to court approval.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the defendants have actually violated the law. This consent decree is for settlement purposes only and does not constitute an admission by the defendants of a law violation. Consent decrees have the force of law when signed by the District Court judge.FTC Charges That Security Flaws in RockYou Game Site Exposed 32 Million Email Addresses and Passwords
Settlement Order Requires Company to Implement Comprehensive Data Security Program

The operator of a social game site has agreed to settle charges that, while touting its security features, it failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The Federal Trade Commission also alleged in its complaint against RockYou that RockYou violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) in collecting information from approximately 179,000 children. The proposed FTC settlement order with the company bars future deceptive claims by the company regarding privacy and data security, requires it to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay a $250,000 civil penalty to settle the COPPA charges.

The case against RockYou is part of the FTC’s ongoing effort to make sure companies live up to the privacy promises they make to consumers, and that kids’ information isn’t collected or shared online without their parents’ consent.

According to the FTC complaint, RockYou operated a website that allowed consumers to play games and use other applications. Many consumers used the site to assemble slide shows from their photos, using a caption capability and music supplied by the site. To save their slide shows, consumers had to enter their email address and email password.

The FTC’s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. The Rule also requires that website operators post a privacy policy that is clear, understandable, and complete.

The FTC alleged that RockYou knowingly collected approximately 179,000 children’s email addresses and associated passwords during registration – without their parents’ consent – and enabled children to create personal profiles and post personal information on slide shows that could be shared online. The company asked for kids’ date of birth, and so accepted registrations from kids under 13. In addition, the company’s security failures put users’ including children’s personal information at risk, according to the FTC. The FTC charged that RockYou violated the COPPA Rule by:

not spelling out its collection, use and disclosure policy for children’s information;
not obtaining verifiable parental consent before collecting children’s personal information; and
not maintaining reasonable procedures, such as encryption to protect the confidentiality, security, and integrity of personal information collected from children.

The proposed settlement order bars deceptive claims regarding privacy and data security and requires RockYou to implement a data security program and submit to security audits by independent third-party auditors every other year for 20 years. It also requires RockYou to delete information collected from children under age 13 and bars violations of COPPA. Finally, RockYou will pay a $250,000 civil penalty for its alleged COPPA violations.

The FTC has a new publication, Living Life Online, to help tweens and teens navigate the internet safely.

The Commission vote to authorize the staff to refer the complaint to the Department of Justice and to approve the proposed consent decree was 4-0. The DOJ filed the complaint and proposed consent decree on behalf of the Commission in U.S. District Court for the Northern District of California on March 26, 2012. The proposed consent decree is subject to court approval.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the defendants have actually violated the law. This consent decree is for settlement purposes only and does not constitute an admission by the defendants of a law violation. Consent decrees have the force of law when signed by the District Court judge.

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?
Click for amount options
Other Amount:
What info did you find here today?:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.