Since 2003, I’ve been running around the country trying to impress upon people the fact that the Federal Trade Commission (FTC) is serious when it comes to safeguarding consumer information. My finance company clients get it — they were doing many of the things that are necessary long before it was required and they were the first to step up to the plate after the rules came out. Unfortunately, my sense is that some in the dealer community have been slower to get up to speed.

Don’t get me wrong — many of you are doing the right thing. Unfortunately, my perception is that dealers just don’t see why they should bother maintaining an effective information security program as is required by the FTC’s Information Safeguarding Rule. One dealer bluntly told me that until someone “gets whacked,” he wasn’t going to “waste the money.”

Well, someone got whacked. It wasn’t a dealer, but the facts suggest it could have been.

In one case, American United Mortgage Company (AUM) agreed to pay a $50,000 fine after the FTC charged the company with violating the Disposal, Safeguards and Privacy rules for improperly disposing of credit report information, failing to develop an information security program, and failing to provide customers with privacy notices.

Let me remind you that the FTC’s Disposal Rule requires all companies to dispose of information from credit reports in a safe and appropriate manner. The Safeguards Rule requires financial institutions (including dealers) to take appropriate measures to protect customer information. Finally, the Privacy Rule requires financial institutions to provide their customers with a privacy notice describing their information collection and sharing practices with respect to affiliated and non-affiliated third parties.

According to the complaint, AUM left loan documents containing consumers’ personal and financial information in and around an unsecured dumpster. Further, the complaint alleges that AUM failed to implement reasonable policies and procedures requiring the proper disposal of consumers’ personal information, including consumer reports. It also charged AUM with failing to take reasonable actions in disposing of consumer-report information, and with not identifying reasonably foreseeable internal and external risks to consumer information.

The FTC alleged that in February 2006, hundreds of documents containing consumers’ personal information (including credit reports for 36 consumers) were found, many in open trash bags located around a dumpster near the AUM offices. In March 2006, the FTC notified the company of the situation, but the company was apparently not paying close enough attention. According to the FTC, more such documents were found in and around the same dumpster on at least two occasions after AUM was notified.

In addition to the civil fine, the stipulated judgment and final order prohibited AUM from further violations of the Disposal, Safeguards and Privacy rules. The company was also required to obtain, every two years for the next 10 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. Stop for a moment and think about the cost of five independent audits, and the $50,000 fine starts looking like small potatoes. Not to mention the attorneys’ fees AUM almost certainly incurred in defending itself, and will incur in every interaction it has with the agency over the next 10 years.

“Every business, whether large or small, must take reasonable and appropriate measures to protect sensitive consumer information, from acquisition to disposal,” FTC Chairman Deborah Platt Majoras said. “This agency will continue to prosecute companies that fail to fulfill their legal responsibility to protect consumers’ personal information.”

So, why pay attention? Because even if paying attention costs money, it almost assuredly costs less than not paying attention. Just ask AUM.

Michael Benoit is a partner in the Washington, D.C., office of Hudson Cook LLP. He is a frequent speaker and writer on a variety of consumer credit topics. He can be reached at [email protected]. Nothing in this article is intended to be legal advice and should not be taken as such. All legal questions should be addressed to competent counsel.