HOT TOPICS 2017 MEMBERSHIP DIRECTORY
agency to have reasonable policies and procedures in place to form a reasonable belief that the consumer report
relates to the consumer about whom the report was requested. There are many John Smiths, and this Rule
is intended to make you take appropriate steps to verify that you have the consumer report for the right one.
Dealers who establish a continuing relationship with consumers for whom they have received a notice of address
discrepancy, and who routinely furnish information to consumer reporting agencies, must also reasonably confirm
the accuracy of the address provided by such consumers and furnish the verified address to the consumer reporting
agency that provided the consumer report and the notice of address discrepancy.
CASE STUDY
Background
A dealership was “lackluster” in its compliance with the FTC Safeguards Rule by allowing a salesperson to access
the dealership server remotely via a “peer-to-peer” (P2P) file-sharing network on his home computer. This
compromised the nonpublic personal information of thousands of customers. The FTC also determined
that the dealer had failed to assess the risks to consumer information it collected and stored online and had not adopted
any policies, such as an incident response plan, to limit the extent of a disclosure. The dealer also failed to use
methods to detect and investigate unauthorized access to information, and failed to adequately train employees. Implied
but not stated was that the dealer did not have a formal Safeguards Information Security Program in place, as the
FTC cited the dealer for not designating an officer to head the Program. The dealer also had problems with privacy
notices.
The FTC determined that the dealer was not sending privacy notices to its customers and was not providing a
mechanism for consumers to opt out of third-party data sharing.
Ruling and Cost
The FTC entered its first consent decree with the dealership for violations of the Gramm-Leach-Bliley Act, the
FTC Privacy and Safeguards Rules, and Section 5 of the FTC Act. The 20-year consent decree requires biennial
certifications from a professional security firm and makes clear that further violations will cost the dealer
significant sums of money, for each violation, over the course of the next 20 years. That is in addition to the cost of
audits every two years.
Takeaway
Do an IT review of your systems to see whether P2P file-sharing software has been installed by any user. Your employees may use
it to share games, videos, and music, but P2P networks can share customer data just as easily. Also, ensure that you
have in place an acceptable incident disclosure plan and a privacy/safeguards program.
Update: Future Harm
Recently, the Federal Seventh Circuit Court of Appeals ruled that the risk of future harm to affected customers
is enough to allow those customers to sue, including on a class-action basis, the company that allowed their
personal information to be compromised. The Seventh Circuit held that the likelihood of personal data exposure
following a system breach “is immediate and very real.” This was the first federal appellate court to rule on the