By Stacy Anderson and Gabriel M. Helmer.
Anyone required to comply with the FTC’s Disposal Rule [the text of the rule can be found here], which requires companies to take reasonable steps to dispose of information contained in consumer credit reports, should take note of a recent FTC enforcement action in federal court from the District of Nevada. On December 30, 2008, the FTC filed a complaint against Las Vegas businessman Gregory Navone alleging that he violated the Disposal Rule and the Fair Credit Reporting Act (FCRA) when he discarded forty boxes of documents into a public dumpster behind an office building in Las Vegas. The boxes contained tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers’ licenses, and other sensitive customer information collected by Navone’s businesses. The FTC seeks monetary damages and an injunction against further violations under the Disposal Rule and the FRCA for Navone’s alleged failure to take reasonable measures to protect customer information. Interestingly, the complaint also asserts claims under the FTC Act on the basis that Navone failed to abide by his own customer privacy policy, which stated:
We take our responsibility to protect the privacy and confidentiality of customer information very seriously. We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction. . . . From time to time, we enter into agreements with other companies to provide services to us or make products and services available to you. Under these agreements, the company may receive information about you but they must safeguard this information and they may not use it for any other purposes
While the case remains pending, it serves as a reminder from the FTC on the importance of not only taking reasonable steps to protect sensitive customer information, but also living up to customer assurances regarding information security.
Links: