We’ve been saying for some time that data security and privacy are at the top of the FTC’s priority list. On June 14, 2012, the FTC entered its first consent decree with an auto dealer for violating the Gramm-Leach-Bliley Act, the FTC Privacy and Safeguards Rules, and Section 5 of the FTC Act.
The 20-year consent decree, which requires certifications from a professional security firm every two years, was based on the dealer’s lackluster compliance with the FTC Safeguards Rule, particularly its allowing a P2P file sharing network to access its server, compromising the non-public personal information of 95,000 customers. Any violation of the consent decree will cost the dealer $16,000 per violation, and this figure will no doubt be amended upwards over the course of the 20 years. The security audits alone will cost the dealer a substantial sum every two years.
A P2P (peer-to-peer) file sharing network (think of Napster as an early version) is a computer network in which each computer can act as a client or a server for the other computers in the network, allowing shared access to files and peripherals without the need for a central server.
In effect, every person on the network can access data from every other person on the network and, in this case, that data included the customer information held on the dealer’s central servers. Files shared on a P2P network are available for viewing or downloading by anyone using a PC with access to that P2P network. You really need to do an IT review of your systems to see whether P2P software has been installed by any user. Typically, people use it to share games, videos, and music, but P2P software shares whatever data it is pointed at just as readily.
The FTC also determined that the dealer had failed to assess the risks to the consumer information it collected and stored online and had not adopted any policies, such as an incident response plan, to limit the extent of a disclosure. The dealer also failed to use methods to detect and investigate unauthorized access to that information and failed to adequately train its employees. Implied but not stated was that the dealer did not have a formal Safeguards Program in place, as the FTC cited the dealer for not designating an officer to head the Program.
The dealer also had problems with privacy notices. The FTC determined that the dealer was not sending privacy notices to its customers and had failed to provide a mechanism for consumers to opt out of third party data sharing. The dealer’s privacy notice is attached to the FTC’s complaint, and it is woefully inadequate under GLB. Among other things, it says “We do not provide for an opt-out due to agreement made where the disclosure is necessary to process or service a transaction for you the consumer therefore not required.” I bet the FTC loved that one.
In the space of two months, the FTC has now brought enforcement proceedings against dealers for deceptive Internet advertising and for Safeguards and privacy violations. This clearly signals a new, aggressive policy at the agency toward auto dealers, as each of these enforcement proceedings was the first of its kind. With the CFPB lurking in the background holding primary enforcement authority for consumer protection laws, it would appear the FTC is being effectively pushed into regulating auto dealers through much more aggressive enforcement rather than mere rulewriting. This doesn’t bode well, and I would expect spot deliveries (the subject of increased private litigation, especially in the south) to be the next unfair and deceptive act to result in a consent decree.
As we have been saying, 2012 is the year of enforcement on multiple fronts and now is most definitely not the time to play fast and loose with compliance.