Failure To Protect Data May Violate The FTC Act

The Federal Trade Commission (“FTC”) has recently targeted dealers whose advertisements are deceptive or who engaged in unfair trade practices.  Because businesses from different industries may conduct their affairs in a similar fashion, it is important to monitor actions brought by the FTC against other businesses.  A recent enforcement action initiated by the FTC against a medical billing company may have a profound impact on automobile dealers.

Accretive Health, Inc. (“Accretive”), provides medical billing and revenue management services to medical providers throughout the United States.  Because of the services it provides, Accretive collects significant amounts of nonpublic personal information on patients.  This information includes social security numbers, dates of birth, billing information, and medical records.  The laptop of an employee of Accretive was stolen from the employee’s car.  The laptop contained twenty million pieces of information on twenty three thousand patients.  The FTC alleged in its complaint that Accretive’s practices were inadequate to safeguard against these kinds of thefts, and placed patients’ information at considerable risk.  Citing Section 5(a) of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” the FTC claimed that Accretive’s practices likely caused “substantial injury to consumers that is not offset by countervailing benefits” and “is not reasonably avoidable by consumers.”

With the popularity of “Bring Your Own Device,” it is easy to imagine a situation where a dealership’s data is compromised in a similar manner as Accretive’s.  For example, suppose your employees use their personal smartphones or laptops to access your DMS or CRM.  The theft of a smartphone or laptop could allow an unauthorized individual access to consumers’ nonpublic personal information.  Without processes in place to safeguard consumers’ data, dealers may face liability for violating several laws, including the FTC Act.

Many dealers are aware of their responsibilities to protect nonpublic personal information from theft or other loss.  The Safeguards Rule of the Gramm-Leach-Bliley Act requires dealers to implement processes to safeguard consumers’ information, and make modifications to their processes that are necessary to protect this information.  The Red Flags Rule requires dealers to implement and maintain processes to detect identity theft, and make any changes required to improve the efficacy of the processes.  Each of these laws has its own enforcement mechanisms and civil penalties.  Now, the FTC appears willing to interpret Section 5 of the FTC Act to include data losses, under certain circumstances, as deceptive practices.  Unfortunately for dealers, this means that a data loss may trigger liability under the FTC Act, in addition to any liability under the Safeguards Rule or Red Flags Rule.

FTC’s “Operation Steer Clear” Targets Auto Dealers’ Deceptive Trade Practices

On January 9, 2013 the Federal Trade Commission (“FTC”) announced enforcement actions against nine automobile dealerships over allegations of deceptive and unfair trade practices.  The FTC alleged that these dealers violated the FTC Act, which prohibits businesses from making false or misleading statements regarding products and services.  The complaints filed by the FTC also included allegations that the dealers violated the Consumer Leasing Act and the Truth in Lending Act by failing to disclose fees, interest rates, and other credit related terms.

Of particular interest is the FTC’s complaint involving a dealer’s advertisement of a purchase price reduced by a down payment.  For example, the dealership advertised a 2008 Chevrolet Tahoe for $17,995 and included in the disclosure that the price was “after $5000 down.”  Even though the advertisement disclosed that the price was conditioned upon the consumer making a down payment of $5000, the FTC alleged that the advertisement was deceptive because the vehicles “are not available for purchase at the prices prominently advertised” since consumers “must pay an additional $5000 to purchase the advertised vehicle.”  Based on anecdotal observation, this practice is far more common than many dealers may believe.

Dealers should closely review their own advertisements to see whether they may be deemed deceptive.  If you have advertisements that show a price contingent upon making a down payment, you should  avoid making these kinds of offers.  If you advertise lease or installment payments, you must make sure that you properly disclose any “trigger terms,” such as APR, duration of the loan, and any additional fees associated with the purchase or lease.  Payments that are “No Money Down” must really be no money down.  If the consumer must pay more to obtain the advertised payment or price, then the offer may be deceptive.