The defendant, Greg Navone, owned two mortgage brokers and disseminated privacy policies that contain standard claims about data security: “We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.”
According to the FTC’s complaint, Navone stored some paper files containing sensitive customer information in his garage and disposed of 40 boxes of customer information in a dumpster.
As a result of this alleged failure to meet its data security commitments, the FTC is seeking injunctive relief and civil penalties.
Frequently, the FTC addresses data security failures in the event of a loss or theft of consumer data. In this case, the FTC is not alleging any consumer harm. While harm is not required to show deception under the FTC Act or a violation of the Disposal Rule, this complaint marks a departure from the FTC’s typical prosecutorial discretion regarding data breaches and thus underscores the need for companies to ensure they properly store and dispose of consumer data, both in hard copy and electronic form.