Today's Trends in Credit Regulation

FTC Charges Car Dealer and Debt Collector with Exposing Sensitive Personal Information on File Sharing Networks
By Catherine Worthington and Thomas B. Hudson

A recent Federal Trade Commission (“FTC”) announcement caught my eye because it illustrates so well a compliance lesson that I try to teach to dealers and lenders. On June 7, 2012, the FTC announced that it had charged EPN, Inc., a Utah debt collector, and Franklin’s Budget Car Sales, Inc., a Georgia car dealership, with illegally exposing sensitive personal information of consumers by allowing peer-to-peer (“P2P”) file sharing software to be installed on the companies’ computer systems. Files shared to a P2P network are available for viewing or downloading by any computer user with access to the network. In general, a shared file cannot be permanently removed from the P2P network. In addition, files can be shared among computers long after they have been deleted from the original source computer.

EPN collects debts for a variety of clients, such as healthcare providers, commercial credit organizations and retailers. According to the FTC’s complaint, EPN’s installation of P2P file sharing software on its computer network caused consumers’ sensitive information, including Social Security numbers, employer names, health insurance information, and medical diagnosis codes of approximately 3,800 hospital patients, to be made available to any computer connected to the P2P network. The FTC alleged that EPN did not have an appropriate information security plan, failed to assess risks to the consumer information it collected and stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies and procedures, and did not use reasonable methods to prevent, detect, and investigate unauthorized access to personal information on its networks. Because of EPN’s failure to implement reasonable and appropriate data security measures, the FTC charged EPN with committing unfair or deceptive acts or practices in violation of Section 5(a) of the Federal Trade Commission Act.

Franklin’s Budget Car Sales allegedly compromised consumers’ sensitive personal information by allowing P2P software to be installed on its computer network as well, in violation of the FTC Act, the Safeguards Rule, which implements Section 501(b) of the Gramm-Leach-Bliley Act, and the Privacy Rule, which implements Section 503 of the GLB Act. The dealership sells and leases new and used vehicles and also provides financing for its customers. Because of its alleged failure to implement reasonable security measures to protect its customers’ personal information, the FTC charged that, among other personal information, the names, addresses, Social Security numbers, dates of birth, and driver’s license numbers of approximately 95,000 consumers were made available to the P2P network. Franklin’s also allegedly failed to provide annual privacy notices and failed to provide a mechanism by which consumers could opt out of information sharing with third parties, in violation of the GLB Privacy Rule.

Settlements with the debt collection business and the car dealership will bar misrepresentations about the privacy, security, confidentiality, and integrity of any personal information, and will require the companies to establish and maintain comprehensive information security programs and to undergo data security audits.

Here’s the lesson that I took from the FTC’s announcement.

Many dealers and lenders who have made an attempt to comply with the federal privacy laws and regulations, with the federal “Red Flags” requirements and with the federal “Risk-Based Pricing” rules have bought “one-size-fits-all” manuals for these programs. Other dealers and lenders have made more of an effort, some of them even enlisting their lawyers to assist with preparing the required manuals. But regardless of which compliance road the dealers and lenders have followed, most of them have one thing in common. Once they adopt the policy, they put it on the bookshelf and ignore it.

With technology developing at warp speed, those manuals need to be revisited, and revisited frequently. When they are revisited, people who understand the technology developments need to be involved. These reviews need to be scheduled on a periodic basis, with the frequency determined after consultation with the lawyers and with the techies. And when the reviews are done, they should be documented so that the dealership can show its regulator that it does periodic reviews.

Would these steps have made any difference if they had been implemented by the debt collector and the dealer? Perhaps not, but you can bet your Mama’s cornbread recipe that when it comes time to settle charges like these, the FTC will be a lot more lenient if its staffers believe that the dealer was making a real effort to do it right.

Catherine Worthington is a Managing Editor of Hudson Cook, LLP’s CARLAW and HouseLaw publications. Catherine can be reached at 410-419-1228 or by e-mail at cworthington@hudco.com.

Thomas B. Hudson is a partner in the Hanover office of Hudson Cook, LLP. Tom can be reached at 410-865-5411 or by email at thudson@hudco.com.

Copyright © 2024 CounselorLibrary.com, LLC. All rights reserved.