FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

According to the FTC's Complaint, Goal Financial "failed to provide reasonable and appropriate security for consumers' sensitive personal information" starting no later than September 1, 2004. The company's faulty security practices allowed employees to transfer over 7,000 consumer files containing personally identifying information and financial histories to third parties. Additionally, in 2006 a Goal Financial employee allegedly sold company hard drives containing sensitive personal information of approximately 34,000 consumers in readable text.

The complaint identified five specific security failures:

  • failure to adequately assess risks to the information stored on the network and in paper files,
  • failure to adequately restrict access to personal information to authorized employees only,
  • failure to implement a comprehensive information security program,
  • failure to provide adequate training about handling and protecting personal information and responding to security incidents, and
  • failure to require third-party service providers by contract to protect the security and confidentiality of personal information.

The FTC Complaint charged Goal Financial with violating the FTC Act by disseminating a false or misleading privacy policy that claimed to "implement[] reasonable and appropriate measures to protect personal information from unauthorized access." Because Goal Financial qualifies as a "financial institution" under the Gramm-Leach-Bliley Act, the Complaint also alleged violations of the GLBA Safeguards Rule and the GLBA Privacy Rule. The Safeguards Rule allegation reflected the company's failure to identify privacy risks and design appropriate safeguards, while the Privacy Rule charge stemmed from the company's privacy policy and notices inaccurately representing the actual security of consumer information.

The public comment period on the proposed consent order runs until April 3, after which the FTC will decide whether to finalize the order.

SEC Ratchets Up Privacy Enforcement Under Regulation S-P

Broker-dealer firms are well advised to review and update their privacy policies, in light of the Securities and Exchange Commission’s (“SEC”) recent enforcement and investigation activities arising from Regulation S-P.

According to trade press, the SEC recently informed one independent broker-dealer firm, Next Financial Group, Inc. of Houston, Texas, that it may file a “privacy” suit under Regulation S-P. The suit would be based on the practice, which Next maintains is common among independent broker-dealer firms, of requiring broker recruits from other firms to provide Next with customer information in anticipation of the move. According to the press, the SEC contends that before the brokers left their firms to join Next, they should have asked clients for their consent to use any information at the new firm. Alternatively, Next should have required brokers to provide this information only if the brokers’ prior firms had stated in their privacy policies that departing brokers may take certain customer information to competing firms (and the particular consumers had not opted out of this policy). The SEC is reportedly considering suing Next for violations of Regulation S-P, as well as for aiding and abetting the violations by the brokers it recruited.

Regulation S-P contains the privacy rules promulgated by the SEC under section 504 of the Gramm-Leach-Bliley Act. Section 504 requires the Commission and other federal agencies to adopt rules implementing notice requirements and restrictions on a financial institution’s ability to disclose nonpublic personal information about consumers. Under the Gramm-Leach-Bliley Act, a financial institution must provide its customers with a notice of its privacy policies and practices, and must not disclose nonpublic personal information about a consumer to nonaffiliated third parties unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure.

Regulation S-P requires brokers, dealers, and investment companies to provide “clear and conspicuous” notice to customers that accurately reflects their privacy policies and practices. The notices must be provided at the time a customer relationship is established, annually thereafter, and every time the privacy policy changes.

The privacy policy must state (among other things) the categories of: (1) nonpublic personal information that are collected and/or disclosed; (2) affiliates and nonaffiliated third parties to whom nonpublic personal information is disclosed; (3) nonpublic personal information about former customers that are disclosed; and (4) third parties to whom this information about former customers is disclosed.

The privacy notice must explain the procedures by which consumers may opt out of a company’s policy to disclose nonpublic personal information to nonaffiliated third parties. The privacy notice must also describe the policies and procedures used to protect the confidentiality and security of nonpublic personal information. A company can disclose nonpublic personal information to nonaffiliated third parties only if it complies with the privacy notice requirements and the consumer does not opt out of the privacy policy.

Regardless of the privacy policy, companies are prohibited from disclosing account numbers or similar forms of access numbers or access codes for consumers’ accounts to nonaffiliated third parties for use in telemarketing, direct mail marketing, or other marketing through electronic means.

You can find more on Regulation S-P on the SEC’s website.