Settlement in Gaming Company Breach
FTC Calls for RockYou Fine, Audits
The Federal Trade Commission has reached a settlement with gaming developer RockYou stemming from a breach incident that affected 32 million users.
The settlement includes a $250,000 civil penalty and requires the company to submit to biennial independent audits for 20 years. RockYou also must implement and maintain a data security program. And the settlement prohibits the company from making deceptive claims about its privacy and security practices.
In a March 27 statement, the FTC said that RockYou, while touting its security features, failed to protect users' privacy. The FTC also alleged in its complaint against the company that it violated the Children's Online Privacy Protection Act Rule by collecting information from approximately 179,000 children younger than age 13. That violation led to the monetary penalty.
RockYou CEO Lisa Marino said in a statement: "We appreciate the work the FTC has done in this process as they have been fair, reasonable and timely throughout. The event that led to this complaint occurred over two years ago, and we have long since removed the features that led to this investigation."
A December 2009 data breach at RockYou exposed username and password details on 32 million individuals, according to news reports. Reports say the usernames and passwords had been stored in clear text on the compromised database.
The FTC complaint explains that RockYou operates a website that allows users to play games and use other applications, such as one for assembling slide shows from their photos. To save the slide shows, users have to enter an e-mail address and password.
The complaint says that from December 2008 through January 2010, RockYou collected information on children, such as e-mail address, password, birth year, sex, ZIP code and country. Under the COPPA Rule, website operators have to notify parents and obtain their consent before collecting, using or disclosing personal information from children under 13.
The security failures of the company's website put the children's personal information at risk, the FTC claims.