HOT TOPICS

2016 MEMBERSHIP DIRECTORY

124

IMPORTANT LAWS AND REGULATIONS

On June 14, 2012, the FTC entered its first consent decree with an auto dealer for violating the Gramm-Leach-Bliley Act, the FTC Privacy and Safeguards Rules, and Section 5 of the FTC Act.

The 20-year consent decree, which requires certifications every two years from a professional security firm, was based on the dealer’s lackluster compliance with the FTC Safeguards Rule, particularly by allowing a salesman who had installed a P2P file-sharing program on his home computer to access the dealership server remotely, compromising the non-public personal information of 95,000 customers. Any violation of the consent decree will cost the dealer $16,000 each, and this figure will no doubt be amended upwards over the course of the 20 years. The security audits alone will cost the dealer a substantial sum every two years.

A P2P (peer-to-peer) file-sharing network (think of Napster as an early version) refers to a computer network in which each computer can act as a client or a server for the other computers in the network, allowing shared access to files such as music or videos, and to peripherals, without the need for a central server. P2P networks are commonly used to share and play videos, music, games, and other interactive content. In effect, however, every person on the P2P network can access data from every other person on the network, and in this case that data included the customer information stored on the dealer’s central servers. Files shared on a P2P network are available for viewing or downloading by anyone using a PC with access to the P2P network, and data frequently can’t be deleted from the network once shared. You really need to do an IT review of your system to see whether P2P software has been installed by any user. Your people may use it to share games, videos, and music, but P2P networks can share customer data as well.

The FTC also determined that the dealer had failed to assess the risks to the consumer information it collected and stored online and had not adopted any policies, such as an incident response plan, to limit the extent of a disclosure. The dealer also failed to use methods to detect and investigate unauthorized access to information, or to adequately train employees. Implied but not stated was that the dealer did not have in place a formal Safeguards Information Security Program, as the FTC cited the dealer for not designating an officer to head the Program. The dealer also had problems with privacy notices. The FTC determined that the dealer was not sending privacy notices to its customers and was failing to provide a mechanism for consumers to opt out of third-party data sharing. The dealer’s privacy notice is attached to the FTC’s complaint, and it is woefully inadequate under GLB. Among other things, it says, “We