This month the FTC issued a press release regarding recent enforcement actions against businesses for breaches in their processes to safeguard consumers’ information. The press release is located here. You may recall that the Gramm-Leach-Bliley Act (“GLB”) mandates that businesses that collect nonpublic personal information, such as social security numbers, implement processes to safeguard this information. Your obligations under GLB include designating a person responsible for GLB implementation at the dealership, creating a written policy that complies with GLB requirements, and continuously monitoring your practices to detect safeguard breaches. You are then obligated to record these breaches and adapt your processes to avert such breaches in the future.
In this enforcement action, a dealership was found in breach of its obligations under GLB because it failed to monitor its processes, thereby placing the information of 95,000 customers at risk of theft. One of the alleged safeguard breaches arose from the installation of a Peer-to-Peer (“P2P”) application on one of the dealership’s computers, which allowed a party to transfer nonpublic personal information from the dealership’s computers to an outside computer. P2P applications range from music and photo sharing software to communication applications such as instant messaging clients (think America Online’s “AIM”) and Skype.
Enforcement actions such as the one mentioned above are good reminders of why it is important to implement sound processes that comply with GLB, including continuous monitoring and auditing by your personnel to detect security breaches. Your GLB compliance efforts must also include a review of what kinds of applications your employees install on your computers. Some dealerships use these kinds of applications to communicate with customers more efficiently, so an outright ban on installing P2P applications may be impractical. Periodic audits of work computers may detect unauthorized applications, whether used for benign purposes or for more illicit activities. If you permit your employees to use P2P applications on work computers, expand your processes to specify what safeguards you will put in place to detect safeguard breaches.