A recent Federal Trade Commission (FTC) announcement caught my eye because it illustrates so well a compliance lesson that I try to teach to dealers. On June 7, the FTC announced that it had charged EPN Inc., a Utah debt collector, and Franklin’s Budget Car Sales Inc., a Georgia car dealership, with illegally exposing sensitive consumer information through the use of peer-to-peer ("P2P") file-sharing software.
For you non-techie folks, files shared to a P2P network are available for viewing or downloading by any computer user with access to the network. In general, a shared file cannot be permanently removed from the network, and files can be shared among computers long after they have been deleted from the original computer.
EPN collects debts for a variety of clients, including healthcare providers. According to the FTC’s complaint, EPN’s installation of P2P file sharing software on its computer network caused consumers’ sensitive information, including Social Security numbers belonging to approximately 3,800 hospital patients, to be made available on the network.
The FTC alleged that EPN did not have an appropriate information security plan, failed to assess risks to the consumer information it collected and stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies and procedures, and did not use reasonable methods to prevent, detect and investigate unauthorized access to its networks.
Because of EPN’s failure to implement reasonable and appropriate data security measures, the FTC charged it with committing unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act.
Franklin’s Budget Car Sales also allegedly compromised consumers’ sensitive personal information using P2P software, and was charged with violating the FTC Act, the Safeguards Rule, which implements Section 501(b) of the Gramm-Leach-Bliley Act, and the Privacy Rule, which implements Section 503 of the GLB Act.
Because of the store’s alleged failure to implement reasonable security measures to protect its customers’ personal information, the FTC charged that personal information, including the names, addresses, Social Security numbers, dates of birth, and driver’s license numbers of approximately 95,000 consumers, was exposed on the network. Franklin’s also allegedly failed to provide annual privacy notices or a mechanism by which consumers could opt out of information sharing with third parties, a violation of the GLB Privacy Rule.
Settlements with the debt collection business and the dealership will bar misrepresentations about the privacy, security, confidentiality, and integrity of any personal information, and will require the companies to establish and maintain comprehensive information security programs. They must also undergo data security audits.
Here’s my take on these two cases: Many dealers who have made an attempt to comply with the federal privacy laws and regulations, with the federal Red Flags requirements and with the federal Risk-Based Pricing rules have bought one-size-fits-all manuals for these programs. Other dealers have made more of an effort, some of them even enlisting their lawyers to assist with preparing the required manuals. But regardless of which compliance road the dealers have followed, most of them have one thing in common: Once they adopt the policy, they put it on the bookshelf and ignore it.
With technology developing at warp speed, those manuals need to be revisited, and frequently. When they are revisited, people who understand the technology developments need to be involved. These reviews need to be scheduled on a periodic basis, with the frequency determined after consultation with the lawyers and with the techies. And when the reviews are done, they should be documented so that the dealership can show its regulator that it does periodic reviews.
Would these steps have made any difference if they had been implemented by the debt collector and the dealer? Perhaps not, but you can bet your mama’s cornbread recipe that when it comes time to settle charges like these, the FTC will be a lot more lenient if its staffers believe that the dealer was making a real effort to do it right.
Thomas B. Hudson Esq. is a partner in the law firm of Hudson Cook LLP and the author of several books, available at CounselorLibrary.com. ©CounselorLibrary.com 2012, all rights reserved. Based on an article from Spot Delivery. Single print publication rights only, to F&I and Showroom magazine. HC# 4832-3040-7439 (6/12).