Dealer charged by FTC for alleged customer data security violations
Agency says dealer customer info made available on peer-to-peer networks is illegal
The Federal Trade Commission announced an enforcement action against, and a proposed settlement agreement with, a franchised new car dealer this week for allegedly violating the FTC Privacy Rule as a result of its failure to implement security measures to protect its customers' personal information (including names, addresses, Social Security numbers, dates of birth, and driver's license numbers).
The FTC says the personal information of 95,000 consumers was made available on a peer-to-peer (P2P) network where it may be viewed or downloaded by any computer user with access to the network, and cannot be permanently removed from the network. In addition to the data security violations, the FTC alleged that the dealership engaged in an unfair or deceptive act or practice (UDAP) violation by misrepresenting in its privacy notice the measures it takes to protect customer information from unauthorized access. The proposed consent order between the parties contains, among other elements, a requirement that the dealership undergo data security audits by independent auditors every other year for 20 years.
The FTC has posted a Guide on the topic of P2P file sharing software that dealers should review. It also noted that it is essential that dealers protect customer information against this threat regardless of where it arises in the dealership (even in non-finance and non-lease transactions that may not be covered by the FTC Privacy Rule or FTC Safeguards Rule).
In a related FTC enforcement action against a debt collector, the FTC used its UDAP enforcement authority to address the company's exposure of hospital patient information that allegedly resulted from the installation of P2P file sharing software on the company's computer system.
The FTC announcement states that this is the agency's first action charging an auto dealer with violations of the Gramm-Leach-Bliley Act (which the FTC Privacy and Safeguards Rules implement).