The Federal Trade Commission (FTC) recently finalized a settlement and Consent Order with Franklin Budget Car Sales over its inadvertent disclosure of customers’ personal information over a peer-to-peer (“P2P”) network. Under this settlement, Franklin is obligated to perform costly and burdensome remedial actions, such as biennial data security audits from independent third parties for the next 20 years. Auto dealers should note this settlement and assess their own information collection practices, as the risks identified by the FTC can be proactively and cost-effectively mitigated.
Franklin’s Business Practices
Franklin is a franchise auto dealership that sells automobiles, provides repair services and sells automotive parts. Franklin also provides financial services to its customers and routinely collects customers’ personal information, such as Social Security numbers, addresses, telephone numbers, dates of birth and drivers’ license numbers.
Like other dealers, Franklin uses computer networks and the Internet to conduct business and collect consumer information. The networks were used to obtain online credit applications and lead information, maintain automobile and payment records and manage customers’ sales, finance and insurance records.
When initially collecting customers’ private information, Franklin provided privacy notices stating that access was restricted to “those employees who need to know” and that its physical, electronic and procedural safeguards “comply with federal regulations” to guard personal information.
FTC’s Allegations and Consent Order
The FTC alleged that Franklin misrepresented its data collection practices and failed to implement reasonable security measures to protect consumers’ personal information. Consequently, personal information for 95,000 consumers was made available over a P2P network and could be viewed or downloaded by anyone with a compatible P2P application.
Two notable deficiencies were identified. First, the FTC alleged that Franklin’s privacy notice violated the Gramm Leach Bliley Act’s (GLBA) Privacy Rule and section 5(a) of the FTC Act. Allegedly, Franklin’s privacy notice was only provided during the initial collection of information and not updated annually. Franklin’s privacy notice also did not contain an opt-out clause explaining how consumers can prevent their information from being shared with third parties. Also, Franklin’s privacy notice misrepresented its data protection practices because it did not implement reasonable safeguards to protect consumers’ information from unauthorized access over its P2P network.
Second, Franklin allegedly violated the GLBA Safeguards Rule by failing to implement an information security plan that contained reasonable safeguards to protect the confidentiality of customers’ information. Notably, Franklin allegedly failed to identify the foreseeable risks posed by P2P networks to consumers’ personal information or implement safeguards to control these risks.
Without admitting any facts or liability, Franklin agreed to a Consent Order that prohibits misrepresenting its protection for the privacy and security of customers’ personal information or from violating any provision of the GLBA Safeguards and Privacy Rules. Franklin is also required to implement an information security program; obtain initial and biennial third-party security audits for 20 years; send these audits to the FTC; maintain copies of compliance-related documents for five years; and other remedial actions. The Consent Order was finalized on Oct. 26, 2012, and any failures to comply can result in fines of $16,000 per violation.
Lessons for Automotive Dealers
Dealers can take several proactive steps to minimize the risks identified by the FTC.
First, dealers should decide whether to permit P2P technology on their network and then determine whether any P2P applications are currently installed. Prohibiting the use of P2P technology and removing the applications is the best way to handle this risk, but dealers who permit P2P technology can implement other cost-effective safeguards to mitigate the risks of improper disclosure of files containing personal information. These safeguards include training employees about the risks and proper use of P2P technology, isolating P2P applications to computers without customers’ personal information or encrypting customers’ personal information.
Second, dealers should evaluate their information security program to ensure it is up-to-date and accurately reflects the risks posed by dealers’ current business practices to the security of personal information. If P2P technology is on the network, it should be identified and safeguards proposed to mitigate the risk to customers’ information. The program should be continuously evaluated and amended as needed to reflect changes in business operations or the shortfalls of present safeguards.
Third, dealers should assess their current privacy notice to ensure it accurately reflects the organizations’ collection, use and protection of customers’ information. The notice should be provided before initially collecting a customer’s personal information and annually thereafter. It should also contain an express opt-out provision that clearly explains how customers can prevent their information from being shared with third parties.
Dealers who implement these steps can reduce the risks of an improper disclosure of their customers’ private information that might significantly harm the dealer’s good will and reputation and possibly trigger a burdensome FTC investigation.