16 Nov

We are pleased to post this article written by Leslie Fair from the Federal Trade Commission Business Center Blog

By Lesley Fair

November 16, 2012 – 11:32am

Every business generates paper destined for the circular file.  But if documents contain sensitive information, don’t toss them out in a way that could invite unauthorized access.  According to the FTC’s lawsuit against PLS Financial Services, PLS Group, and The Payday Loan Store of Illinois, loan applications, credit reports, and other confidential paperwork found their way into dumpsters near the defendants’ locations.  The settlement applies just to the entities specified in the order.  But is it a good time to take a look at how your business manages the paper flow?  The FTC has resources to make the job easier.

Trash and burn.  When making decisions about credit, employment, etc., companies often consult consumer reports.  But they’re jam-packed with confidential data that could be misused in the wrong hands.  That’s why the FTC’s Disposal Rule requires businesses to take appropriate steps when disposing of consumer reports and info derived from them.  What’s “proper disposal” under the Rule?  It’s a flexible standard based on the sensitivity of the information, the costs and benefits of different methods, and changes in technology.  Read Disposing of Consumer Report Information? New Rule Tells How for details.

Beyond the banks.  Remember watching “Mary Poppins” when you were a kid?  (Stick with us.  We promise this is relevant.)  The children’s father worked in the hushed Victorian halls of the Dawes Tomes Mousley Grubbs Fidelity Fiduciary Bank.  Say “financial institution” and that’s the kind of place most people think of.  But the Gramm-Leach-Bliley (GLB) Act, which requires companies to safeguard sensitive information, defines the term more broadly to include companies that are “significantly engaged” in providing financial products or services.  That could be businesses as different as payday lenders, real estate appraisers, and professional tax preparers.  The Safeguards Rule underscores that obligation for financial institutions within the FTC’s jurisdiction.  To find out more about security steps your company might consider, read Financial Institutions and Customer Information: Complying with the Safeguards Rule.  (Hey, we just realized the father in “Mary Poppins” was named Mr. Banks.  We didn’t catch that first time around.)

Get noticed.  Under GLB and the FTC’s Financial Privacy Rule, covered companies have to give their customers a clear and conspicuous notice describing their privacy policies and practices.  When you provide that notice and what you say depend on what you do with the information.  Take a look at this how-to publication from the FTC to see how your practices measure up.

It’s a team effort.  Even if you have a comprehensive data security plan in place — and it’s a legal requirement for businesses covered by the Safeguards Rule — it’s effective only if it’s part of the day-to-day DNA of your operations.  Get buy-in from top management, for sure, but ask for input from every department and employees at all levels.  Your sales staff will have ideas about safeguarding data when they’re on the road.  Your administrative professionals may suggest a shredder by the copier or changes to your HR procedures.  Employees are more likely to be invested in your security efforts if you acknowledge the key role they play and reinforce that message through periodic training.

The whole nine yards.  Speaking of teams, the FTC’s lawsuit names PLS Group, Inc., the corporate parent; The Payday Loan Store of Illinois, Inc., one of the consumer-facing companies that offered payday loans; and PLS Financial Services, Inc., which provided management services to payday loan and check cashing retailers, including establishing procedures for handling sensitive data.  The complaint outlines the particular allegations against each company, but the bigger point to bear in mind is that regardless of how you structure your operations, it’s unwise to assume data security is someone else’s responsibility.  Furthermore, the law enforcement implications can cross corporate lines.  An example of that:  Provisions in the FTC settlement that ban future violations and mandate a comprehensive information security program apply to any business entity controlled by the PLS Group that collects, handles, or stores personal information.