Firms to Pay $101,500 to Settle FTC Charges Of Failing to Protect Discarded Consumer Data
The FTC’s Oct. 17 complaint also named PLS Group Inc., which owns the two companies, as a defendant. PLS Group, however, is not subject to the consent order’s penalty provision.
Third Disposal Rule Violation Case
The commission’s complaint alleged that the defendants violated the FTC’s Disposal Rule, the Gramm-Leach-Bliley Safeguards Rule and Privacy Rule, and the FTC Act.
The FTC’s Disposal Rule, 16 C.F.R. §§ 682.1-682.5, “requires that companies dispose of credit reports and information derived from them in a safe and secure manner,” the commission explained. PLS Financial Services and The Payday Loan Store did not take reasonable steps to protect against the unauthorized access to consumer information when disposing credit reports, the FTC alleged.
The commission said that this case is the third time it has brought charges under the Disposal Rule.
The complaint further claimed that the companies violated the Gramm-Leach-Bliley Safeguards Rule, 16 C.F.R. pt. 314, and Privacy Rule, 16 C.F.R. pt. 313. Those rules “require financial institutions to develop and use safeguards to protect consumer information, and deliver privacy notices to consumers,” the commission said.
The alleged violation under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), stems from the defendants’ misrepresentations about the reasonable measures they implemented to protect sensitive consumer information.
In addition to the civil penalty imposed on PLS Financial Services and The Payday Loan Store, the consent order:
- prohibits all of the defendants from misrepresenting the privacy and security of consumers’ personal information;
- prohibits the defendants from further violating the Disposal Rule, Safeguards Rule, and Privacy Rule;
- requires the defendants to establish and implement “a comprehensive information security program”;
- requires the defendants to obtain independent, third-party audits every other year for 20 years; and
- requires each defendant to submit a compliance report to the FTC one year after the order’s entry, in addition to other recordkeeping and compliance monitoring requirements.
John W. Burke, of the Department of Justice, in Washington, and Maria Del Monaco and Jonathan L. Kessler of the FTC, in Cleveland, Ohio, represented the United States. Margo H.K. Tank and Kirk D. Jensen, of Buckley Sander LLP, in Washington, represented the defendants.
The consent order is available at http://www.ftc.gov/os/caselist/1023172/121107plspaydaystip.pdf.
The FTC’s complaint is available at http://www.ftc.gov/os/caselist/1023172/121107plspaydaycmpt.pdf.