PLS Financial Services, Inc. and The Payday Loan Store of Illinois, Inc.—companies involved in the payday lending and check cashing industries—have agreed to pay a total of $101,500 to settle FTC charges that they violated federal law by improperly disposing of sensitive consumer information in dumpsters. The FTC alleges that the defendants failed to take reasonable measures to protect consumer information, including Social Security numbers, employment information, loan applications, bank account information, and credit reports. Specifically, the complaint charges the companies with violating three laws enforced by the FTC. First, the defendants were charged with violating the Fair Credit Reporting Act Disposal Rule by failing to take reasonable steps to protect against unauthorized access to consumer information when disposing of credit reports. These steps could have included shredding the papers before throwing them away. Second, the companies allegedly violated the Gramm-Leach-Bliley Safeguards Rule by failing to implement a comprehensive data security plan. Under the Safeguards Rule, financial institutions must develop a written information security plan that is appropriate to the institution's size and complexity, the nature of its activities, and the sensitivity of the information at issue. Third, the FTC claimed that the companies ran afoul of the Gramm-Leach-Bliley Privacy Rule by not providing their customers clear and conspicuous access to their privacy policies. The Privacy Rule requires financial institutions to provide their customers with a privacy notice and to enable consumers to opt out of information sharing with certain third parties, and it places limits on how third parties receiving nonpublic personal information from a financial institution can use or disclose the information.
TIP: Companies should take care when disposing of sensitive information. Materials should be shredded or otherwise securely destroyed. Financial institutions that fall under the requirements of Gramm-Leach-Bliley should also make sure to follow the rest of the Safeguards Rule, including having comprehensive data security plans. Even for companies not subject to this law, comprehensive plans (that take into account methods for destroying sensitive data) can help contain risk by guarding against potential breach incidents.