An interesting trend has been developing with Federal Trade Commission Civil Investigative Demands (CIDs). Of late, the agency has been focusing on deceptive and unfair trade practices related to consumer privacy and/or data security, including the collection, acquisition, use, disclosure, security, storage, retention and disposition of consumer information by financial institutions and/or their affiliates in violation of Section 5 of the FTC Act. Interestingly, CIDs that seek information regarding the public disclosure of consumers’ personal information and/or violations of the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act are becoming more and more commonplace.
Front and center are privacy policies and procedures, disclosures to non-affiliated third-parties and information security.
The Gramm-Leach-Bliley Act requires “financial institutions” to send consumers annual privacy notices and allow them to opt-out of sharing their information with unaffiliated third parties. It also requires financial institutions to implement reasonable security policies and procedures. While the FTC has brought dozens of cases for violations of the GLB Act since 2015, the uptick in related FTC investigations is palpable.
Financial institutions must comply with the Privacy Rule and the Safeguards Rule. The Privacy Rule requires covered companies to provide notices to consumers that explain their privacy policies and practices. The Safeguards Rule mandates that financial institutions protect the security, confidentiality, and integrity of customer information by implementing and maintaining a comprehensive written information security program.
A cut-and-paste job will not do.
The program has to include administrative, technical, and physical safeguards appropriate to the business’ size, the nature and scope of its activities, and the sensitivity of the customer information at issue. For example, companies have to conduct an assessment of how customers’ information could be at risk and then implement safeguards to address those risks.
Are you collecting Social Security numbers, phone numbers, addresses, income, marital status, debts, health insurance information, bank names, account numbers, etc.? Is such information reasonably vulnerable to attack?
Privacy notices must be properly delivered. Become familiar with the model notices. Appropriate authentication procedures should be utilized. Evaluate and adjust data privacy programs in light of changes to business operations.
The same can be said of FCRA investigations. The Fair Credit Reporting Act sets out rules for companies that use data to determine creditworthiness, insurance eligibility, suitability for employment and to screen tenants. The FTC has brought over 100 FCRA cases against companies for credit-reporting problems, including, but not limited to, inadequate policies and procedures.
In addition to the foregoing privacy and data security-centric investigative matters, the FTC applies its core enforcement resources to protect consumers against misconduct by providers of financial services, from abusive debt collectors and unscrupulous payday lenders to deceptive student loan debt-relief operators and phony credit-repair services. Lead generators that directly participate in another’s fraud, or that provide substantial support while ignoring obvious warning signs of another’s illegal activity, are increasingly the subject of civil investigations and enforcement actions.
Learn more about recent Federal Trade Commission investigations and enforcement actions by contacting the author at rnewman@hinchnewman.com or by visiting his website at ftcdefenselawyer.com.
Richard B. Newman is an FTC compliance and defense lawyer at Hinch Newman LLP. Follow him on LinkedIn and Facebook.
Attorney advertising. Informational purposes only. These materials are not legal advice, nor do they create a lawyer-client relationship.