2017 GNYADA Membership Directory

HOT TOPICS

agency to have reasonable policies and procedures in place to form a reasonable belief that the consumer report relates to the consumer about whom the report was requested. There are multiple John Smiths, and this Rule is intended to make you take appropriate steps to verify that you have the consumer report for the right one. Dealers who establish a continuing relationship with consumers for whom they have received a notice of address discrepancy, and who routinely furnish information to consumer reporting agencies, must also reasonably confirm the accuracy of the address provided by such consumers and furnish the verified address to the consumer reporting agency that provided the consumer report and the notice of address discrepancy.

CASE STUDY

Background

A dealership was “lackluster” in its compliance with the FTC Safeguards Rule by allowing a salesperson to access the dealership server remotely via a “peer-to-peer” (P2P) file-sharing network on his home computer. This compromised the nonpublic personal information of thousands of customers. In addition, the FTC determined that the dealer had failed to assess risks to the consumer information it collected and stored online and had not adopted any policies, such as an incident response plan, to limit the extent of disclosure. The dealer also failed to use methods to detect and investigate unauthorized access to information, and failed to adequately train employees. Implied but not stated was that the dealer did not have a formal Safeguards Information Security Program in place, as the FTC cited the dealer for not designating an officer to head the Program. The dealer also had problems with privacy notices: the FTC determined that the dealer was not sending privacy notices to its customers and was failing to provide a mechanism for consumers to opt out of third-party data sharing.

Ruling and Cost

The FTC entered its first consent decree with the dealership for violations of the Gramm-Leach-Bliley Act, the FTC Privacy and Safeguards Rules, and Section 5 of the FTC Act. The 20-year consent decree requires biannual certifications from a professional security firm and makes clear that further violations will cost the dealer significant sums of money, for each violation, over the course of the next 20 years. That’s in addition to the cost of audits every two years.

Takeaway

Do an IT review of your system to see if a P2P network has been installed by any user. Your employees may use them to share games, videos, and music, but P2P networks can share customer data as well. Also, ensure that you have in place an acceptable incident disclosure plan and a privacy/safeguards program.

Update: Future Harm

Recently, the Federal Seventh Circuit Court of Appeals ruled that the risk of future harm to affected customers is enough to enable the customers to sue, including on a class action basis, the company that allowed their personal information to be compromised. The Seventh Circuit Court held that the likelihood of personal data exposure following a system breach “is immediate and very real.” This was the first federal appellate court to rule on the
