Failure To Protect Data May Violate The FTC Act

The Federal Trade Commission (“FTC”) has recently targeted dealers whose advertisements are deceptive or who engage in unfair trade practices.  Because businesses from different industries may conduct their affairs in a similar fashion, it is important to monitor actions brought by the FTC against other businesses.  A recent enforcement action initiated by the FTC against a medical billing company may have a profound impact on automobile dealers.

Accretive Health, Inc. (“Accretive”), provides medical billing and revenue management services to medical providers throughout the United States.  Because of the services it provides, Accretive collects significant amounts of nonpublic personal information on patients.  This information includes social security numbers, dates of birth, billing information, and medical records.  The laptop of an Accretive employee was stolen from the employee’s car.  The laptop contained twenty million pieces of information on twenty-three thousand patients.  The FTC alleged in its complaint that Accretive’s practices were inadequate to safeguard against these kinds of thefts, and placed patients’ information at considerable risk.  Citing Section 5(a) of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” the FTC claimed that Accretive’s practices likely caused “substantial injury to consumers that is not offset by countervailing benefits” and “is not reasonably avoidable by consumers.”

With the popularity of “Bring Your Own Device,” it is easy to imagine a situation where a dealership’s data is compromised in a similar manner as Accretive’s.  For example, suppose your employees use their personal smartphones or laptops to access your DMS or CRM.  The theft of a smartphone or laptop could allow an unauthorized individual access to consumers’ nonpublic personal information.  Without processes in place to safeguard consumers’ data, dealers may face liability for violating several laws, including the FTC Act.

Many dealers are aware of their responsibilities to protect nonpublic personal information from theft or other loss.  The Safeguards Rule of the Gramm-Leach-Bliley Act requires dealers to implement processes to safeguard consumers’ information, and make modifications to their processes that are necessary to protect this information.  The Red Flags Rule requires dealers to implement and maintain processes to detect identity theft, and make any changes required to improve the efficacy of the processes.  Each of these laws has its own enforcement mechanisms and civil penalties.  Now, the FTC appears willing to interpret Section 5 of the FTC Act to include data losses, under certain circumstances, as deceptive practices.  Unfortunately for dealers, this means that a data loss may trigger liability under the FTC Act, in addition to any liability under the Safeguards Rule or Red Flags Rule.