On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.
According to the FTC’s complaint, Goal Financial "failed to provide reasonable and appropriate security for consumers’ sensitive personal information" starting no later than September 1, 2004. The company’s faulty security practices allowed employees to transfer over 7,000 consumer files containing personally identifying information and financial histories to third parties. Additionally, in 2006 a Goal Financial employee allegedly sold company hard drives containing the sensitive personal information of approximately 34,000 consumers in readable (unencrypted) text.
The complaint identified five specific security failures:
- failure to adequately assess risks to the information stored on the network and in paper files,
- failure to adequately restrict access to personal information to authorized employees only,
- failure to implement a comprehensive information security program,
- failure to provide adequate training about handling and protecting personal information and responding to security incidents, and
- failure to require third-party service providers by contract to protect the security and confidentiality of personal information.
The public comment period on the proposed consent order runs until April 3, after which the FTC will decide whether to finalize the order.