The FTC announced on March 4, 2008 a settlement with Goal Financial, LLC, a San Diego-based student loan company that allegedly violated information privacy laws. If accepted, the settlement will require Goal Financial to implement a comprehensive information security program and to submit to independent, third-party audits every two years for 10 years.
Goal Financial provides a variety of loan services and, in the course of its business, collects personal information from loan applications and other sources. The information includes name, address, telephone number, driver’s license number, Social Security number, date of birth, and income, debt, and employment information. Because it provides these loan services, the company is a “financial institution” under the Gramm-Leach-Bliley Act (“GLBA”) and is subject to the GLBA’s Safeguards Rule and Privacy Rule. Goal Financial stores the records in both electronic and paper form.
The FTC’s complaint alleges that Goal Financial engaged in a number of practices that, taken together, failed to employ reasonable and appropriate security measures to protect personal information. Specifically, the complaint alleges that Goal Financial placed at risk the personal information of over 41,000 consumers because it failed to:
(1) assess adequately risks to the information it collected and stored in its paper files and on its computer network;
(2) restrict adequately access to personal information stored in its paper files and on its computer network to authorized employees;
(3) implement a comprehensive information security program, including reasonable policies and procedures in key areas such as the collection, handling, and disposal of personal information;
(4) provide adequate training to employees about handling and protecting personal information and responding to security incidents; and
(5) require third-party service providers by contract to protect the security and confidentiality of personal information.
Goal Financial’s employees allegedly exploited these failures: without authorization, they removed more than 7,000 consumer files containing sensitive information and transferred them to third parties. In 2006, a Goal Financial employee sold to the public computer hard drives containing the personal information of approximately 34,000 consumers.
Through these failures, Goal Financial also allegedly violated the GLBA’s Safeguards Rule, which requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing a comprehensive written information security program that contains reasonable administrative, technical, and physical safeguards.
Additionally, the Privacy Rule requires financial institutions to provide customers, no later than when a customer relationship arises and annually for the duration of that relationship, “a clear and conspicuous notice that accurately reflects [the financial institution’s] privacy policies and practices,” including its security policies and practices. The complaint alleges that Goal Financial distributed to its customers a privacy policy containing false or misleading statements about the measures it had implemented to protect its customers’ personal information.
The proposed settlement requires Goal Financial to institute measures that bring it into compliance with the rules described above and that prevent future violations.
View the news release http://www.ftc.gov/opa/2008/03/studlend.shtm
View the complaint http://www.ftc.gov/os/caselist/0723013/080304complaint.pdf
View the proposed settlement http://www.ftc.gov/os/caselist/0723013/080304analysis.pdf