In data-security and privacy efforts, the details make all the difference.
Franklin’s Budget Car Sales found this out in a recent tangle with the Federal Trade Commission. The case might just prompt you to take a hard look at your data-privacy and cybersecurity policies and ask yourself: How do you ensure employees are trained on and follow your policies?
“We restrict access to nonpublic personal information about you to only those employees who need to know that information to provide products and services to you. We maintain physical, electronic and procedural safeguards that comply with federal regulations to guard nonpublic personal information.”
Pretty standard-looking language, right? Countless organizations, in fact, use similar or identical wording in their privacy policies. This one, in particular, belonged to Franklin’s Budget Car Sales, a Georgia auto dealer that sells and leases cars and provides financing for customers.
In Franklin’s case, however, what should stand out is not what’s contained in the policy, necessarily, but what isn’t there. What are those “physical, electronic, and procedural safeguards,” exactly? How can customers opt-out of having their data collected and shared with third parties? Most of all: How does the company ensure employees are trained in, and follow, its policy?
Enforcers at the FTC had the same questions on their minds when they learned of a data breach at Franklin’s several years ago. The FTC discovered that peer-to-peer software had been installed on the company’s network, exposing sensitive financial information – including names, addresses, Social Security numbers and driver’s-license numbers – belonging to 95,000 consumers.
As a result, the FTC charged Franklin’s with the following:
· Failure to employ reasonable measures to respond to unauthorized access to personal information.
· Failure to assess risks to the consumer information it collected and stored online.
· Failure to adopt policies to prevent or limit unauthorized disclosure of information.
· Failure to prevent, detect and investigate unauthorized access to personal information on its networks.
· Failure to adequately train employees.
Additionally, the FTC charged Franklin’s with violating the Gramm-Leach-Bliley Safeguards Rule, as well as Section 5 of the FTC Act, by failing “to provide annual privacy notices and a mechanism by which consumers could opt out of information sharing with third parties.”
What stands out to us about this case is the FTC’s focus on employee training. Franklin’s could have had any policy and advanced safeguards in place, but words mean little if they’re not backed up by actual employee conduct.
The next question, then, is what should employees be trained to do? At a presentation at the recent Auto Finance Performance and Compliance Summit, FTC Assistant Regional Director Jim Elliott discussed this case and offered the following general guidance:
1. Don’t collect personal information you don’t need.
2. Hold on to information only as long as you have a legitimate business need.
3. Don’t use personal information when it’s not necessary.
All in all, it’s another example of how cybersecurity preparedness frequently is a matter of common sense. The key is to demonstrate to your employees why it’s common sense and to develop and test their knowledge through continual training.
Kynzie Sims serves as Compli’s Legal Content Product Manager. She is an attorney and Certified Compliance and Ethics Professional with experience in HR, employment law and software compliance platforms.