The Federal Trade Commission (FTC) has issued a complaint against a mortgage broker for allegedly violating the FTC Act and the Fair Credit Reporting Act’s “Disposal Rule.”  

The defendant, Greg Navone, owned two mortgage brokers and disseminated privacy policies that contain standard claims about data security: “We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.”  

According to the FTC’s complaint, Navone stored some paper files containing sensitive customer information in his garage and disposed of 40 boxes of customer information in a dumpster.  

As a result of this alleged failure to meet its data security commitments, the FTC is seeking injunctive relief and civil penalties.  

Frequently, the FTC addresses data security failures in the event of a loss or theft of consumer data. In this case, the FTC is not alleging any consumer harm. While harm is not required to show deception under the FTC Act or a violation of the Disposal Rule, this complaint marks a departure from the FTC’s typical prosecutorial discretion regarding data breaches and thus underscores the need for companies to ensure they properly store and dispose of consumer data, both in hard copy and electronic form.  

Under no circumstances should sensitive consumer data be disposed of in recycling bins or trash without shredding or other destruction. Moreover, companies must confirm compliance with any data security commitments in a privacy policy, terms of service, or even marketing materials.