Among other things, the company allegedly failed to implement reasonable policies and procedures requiring the proper disposal of consumers’ personal information, including consumer reports; to take reasonable actions in disposing of such information; and to identify reasonably foreseeable internal and external risks to consumer information. The company also allegedly failed to develop, implement or maintain a comprehensive written information security program.
As a result of the company’s failures, the complaint alleges, on multiple occasions, the dealership’s documents containing consumers’ personal information were found in and around a dumpster near the dealership that was unsecured and easily accessible to the public. Does that sound like your dumpster? In February 2006, for example, hundreds of such documents were found, including consumer reports for 36 consumers, many of which were in open trash bags. In March 2006, FTC staff notified the company in writing about this situation, and on at least two occasions afterward, more such documents were found in and around the same dumpster.
The complaint charges the dealership with violating the FTC’s Disposal Rule, which requires companies to dispose of credit reports and information from credit reports in a safe and appropriate manner, and also the FTC’s Safeguards Rule, which requires financial institutions (remember, that term includes car dealers) to take appropriate measures to protect customer information. The complaint also alleges that from July 1, 2001 until March 2006, the dealership failed to provide its customers with a privacy notice describing its information collection and sharing practices with respect to affiliated and non-affiliated third parties, as required by the FTC’s Privacy Rule.
The stipulated judgment and final order requires the dealership to pay a $50,000 civil penalty for violations of the Disposal Rule and prohibits the company from further violations of the Disposal, Safeguards, and Privacy rules. The settlement also requires the dealership to obtain, every two years for the next decade, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order.
This is the FTC’s first Disposal Rule case and its 15th case challenging faulty data security practices by companies that handle sensitive consumer information.
While, the FTC action described in the previous few paragraphs didn’t happen to a dealership, the text is a paraphrase, actually a near-quote, of an action that the FTC announced in mid-December involving a mortgage company. I changed the mortgage company’s name and any references to it to “dealership” and tweaked a couple of other details for the purpose of getting your attention.
So, I lied, and you’re probably thinking that the FTC might go after a mortgage company, but they wouldn’t go after a mere car dealership. You’d be wrong. We’ve seen a number of recent indications from the FTC that it is very, very interested in car dealers. If your privacy and safeguarding compliance isn’t what it should be, let this be a wake-up call.
Copies of the complaint, stipulated judgment and order (the real one, involving the mortgage company) are available from the FTC’s Web site at http://www.ftc.gov.
Vol 5, Issue 2