On October 26, 2012, the FTC finalized settlements with Georgia auto dealer Franklin Budget Car Sales, Inc. and Utah-based debt collector EPN Inc. over charges that each company illegally exposed sensitive personal information of consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems.  The final settlements follow a notice-and-comment period opened to the public in June 2012.

Franklin Budget Car Sales is an automobile dealership that sells new and used automobiles, leases automobiles, provides repair services for automobiles, and sells automobile parts.  Franklin also provides financing for consumers’ purchases of automobiles.  EPN is in the business of collecting debts for clients in a variety of industries, including the commercial credit, retail, and healthcare industries.  Both companies allowed P2P file-sharing software, which the FTC in 2010 had warned posed significant data security risks, to be installed on corporate computer systems.  As a result, the personal information of thousands of consumers was potentially shared with other users on the P2P network.  Specifically with respect to EPN, the FTC alleged that the company actually shared the personal information of approximately 3,800 consumers with other users on the P2P network.

The FTC charged Franklin Budget Car Sales with violations of the Gramm-Leach-Bliley Act (GLBA).  GLBA applies to financial institutions, and the FTC treated Franklin as a financial institution because of the financing services it provides to consumers in connection with the purchase of automobiles.  In particular, the FTC alleged that Franklin failed to give consumers annual privacy notices and opt-out notices, as required under the GLBA privacy rule, and failed to protect the security, confidentiality, and integrity of customer information, as required under the GLBA safeguards rule.  The FTC also alleged that Franklin violated section 5 of the FTC Act because the privacy statement it gave consumers claimed that the dealership restricted access to consumers’ nonpublic personal information to employees only.  The FTC alleged that EPN violated section 5 of the FTC Act by failing to employ reasonable and appropriate measures to prevent unauthorized access to personal information.

The settlement agreements require both companies to implement comprehensive information security programs to protect the security, confidentiality, and integrity of consumer information.  In addition, Franklin is required to comply with the GLBA privacy rule by sending annual privacy notices to consumers and, if applicable, opt-out notices if the company shares consumer information with nonaffiliated third parties.  Both companies are also required to obtain initial and biennial information security assessments and reports from an independent third party to validate the effectiveness of their information security programs.  Among other requirements, the agreements also require the companies to satisfy recordkeeping and reporting requirements.

Although the agreements do not impose civil fines, if either company violates its settlement agreement, the company may be liable for a fine of up to $16,000 per violation.


Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.

Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.

Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.