2016 GNYADA Membership Directory

HOT TOPICS

IMPORTANT LAWS AND REGULATIONS

On June 14, 2012, the FTC entered its first consent decree with an auto dealer for violating the Gramm-Leach-Bliley Act, the FTC Privacy and Safeguards Rules, and Section 5 of the FTC Act.

The 20-year consent decree, which requires biannual certifications from a professional security firm, was based on the dealer’s lackluster compliance with the FTC Safeguards Rule, particularly by allowing a salesman who had installed P2P file-sharing software on his home computer to access the dealership server remotely, compromising the non-public personal information of 95,000 customers. Any violation of the consent decree will cost the dealer $16,000 each, and this figure will no doubt be amended upwards over the course of the 20 years. The security audits alone will cost the dealer a substantial sum every two years.

A P2P (peer-to-peer) file-sharing network (think of Napster as an early version) is a computer network in which each computer can act as a client or server for the other computers in the network, allowing shared access to files such as music or videos, and to peripherals, without the need for a central server. P2P networks are commonly used to share and play videos, music, games, and other interactive content. In effect, however, every person on the P2P network can access data from every other person on the network, and in this case that data included the customer information stored on the dealer’s central servers. Files shared on a P2P network are available for viewing or downloading by anyone using a PC with access to the P2P network, and data frequently can’t be deleted from the network.

You really need to do an IT review of your systems to see whether P2P software has been installed by any user. Your people may use it to share games, videos, and music, but P2P networks can share customer data as well.

The FTC also determined that the dealer had failed to assess the risks in the consumer information it collected and stored online, and had not adopted any policies, such as an incident response plan, to limit the extent of disclosure. The dealer also failed to use methods to detect and investigate unauthorized access to information, or to adequately train employees. Implied but not stated was that the dealer did not have a formal Safeguards Information Security Program in place, as the FTC cited the dealer for not designating an officer to head the Program.

The dealer also had problems with privacy notices. The FTC determined that the dealer was not sending privacy notices to its customers and was failing to provide a mechanism for consumers to opt out of third-party data sharing. Their privacy notice is attached to the FTC’s complaint, and it is woefully inadequate under GLB. Among other things, it says, “We
