One of the first things my firm does when conducting an on-site dealer or finance company compliance audit is to go Dumpster diving. We want to see whether confidential customer information protected by federal law is being tossed in the trash can for anyone to find. No, we don’t actually put on our garbage man overalls and crawl in the Dumpster, but we do ask a lot of pointed questions about what goes into the trash. We also ask for a copy of the dealership’s federally required disposal policy.
The whole process usually elicits a blank stare, which is a little odd given that federal requirements regarding the safeguarding and disposal of protected consumer information have been around now for several years.
Maybe the recent news that the Federal Trade Commission (FTC) tagged a company with a $100,000 civil penalty will make dealers pay attention.
Here’s what happened: A company that provides management services to more than 300 payday loan and check cashing stores, as well as an affiliated company that owns and operates several stores, agreed to pay $101,500 to settle FTC charges that they violated federal law by allowing sensitive consumer information to be tossed out with the trash.
The FTC charged that PLS Financial Services Inc. and The Payday Loan Store of Illinois Inc. violated its Disposal Rule by failing to take reasonable measures to protect consumer information, resulting in the disposal of credit reports containing sensitive personal identifying information in unsecured Dumpsters near several PLS Loan Stores and PLS Check Cashers locations. PLS Group Inc., which owns PLS Financial Services and The Payday Loan Store of Illinois, was also named in the complaint.
The FTC also charged the companies with violating the Gramm-Leach-Bliley Safeguards Rule and Privacy Rule, which require financial institutions to develop and use safeguards to protect consumer information, as well as deliver privacy notices to consumers.
The FTC also charged that all three defendants violated the FTC Act by misrepresenting that they had implemented reasonable measures to protect sensitive consumer information. The apparent translation of this charge is that the companies had privacy policies but, apparently, ignored them.
The FTC alleged that PLS Group owns approximately two dozen operating companies, which in turn own and operate more than 300 retail stores in nine states under the names PLS Loan Stores and PLS Check Cashers. These stores offer a variety of products and services, including payday loans, check cashing, automobile title loans, debit cards, phone cards, and notary services. PLS Financial Services provides management services to these locations, including establishing their policies and procedures for the handling and disposal of consumer financial information.
In addition to the $101,500 civil penalty imposed on PLS Financial Services and The Payday Loan Store of Illinois, the settlement bars all of the companies from violating the Disposal Rule, Safeguards Rule and Privacy Rule. It also prohibits them from misrepresenting the extent to which they maintain and protect the privacy and integrity of personal information.
The order also requires that the companies implement and maintain a data security program with independent third-party audits every other year for the next 20 years. It also imposes bookkeeping and record-keeping provisions to allow the FTC to monitor compliance with the order.
The consent judgment, by its terms, is for settlement purposes only, and does not constitute an admission that the law was violated. But it does have the force of law when approved and signed by the District Court judge.
This is the third time the FTC has charged a violation of the Disposal Rule.
So, it’s evident that the FTC is serious about enforcing the Privacy Rules. And you can’t comply with the mandate by crafting a policy and then putting it on a bookshelf and ignoring it. The policy needs to be one that the organization’s privacy officer is charged with implementing and maintaining, and the privacy officer needs to be fired if something like this happens.
At least that’s what would happen if he or she worked for me.
Thomas B. Hudson is a partner in the law firm of Hudson Cook LLP and the author of several widely read compliance manuals available at CounselorLibrary.com. © CounselorLibrary.com 2012, all rights reserved. Based on an article from Spot Delivery. Single print publication rights only, to F&I and Showroom magazine. HC# 4826-7282-4337 (12/12).