Failure To Protect Data May Violate The FTC Act

The Federal Trade Commission (“FTC”) has recently targeted dealers whose advertisements are deceptive or who engaged in unfair trade practices.  Because businesses from different industries may conduct their affairs in a similar fashion, it is important to monitor actions brought by the FTC against other businesses.  A recent enforcement action initiated by the FTC against a medical billing company may have a profound impact on automobile dealers.

Accretive Health, Inc. (“Accretive”), provides medical billing and revenue management services to medical providers throughout the United States.  Because of the services it provides, Accretive collects significant amounts of nonpublic personal information on patients.  This information includes social security numbers, dates of birth, billing information, and medical records.  The laptop of an employee of Accretive was stolen from the employee’s car.  The laptop contained twenty million pieces of information on twenty three thousand patients.  The FTC alleged in its complaint that Accretive’s practices were inadequate to safeguard against these kinds of thefts, and placed patients’ information at considerable risk.  Citing Section 5(a) of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” the FTC claimed that Accretive’s practices likely caused “substantial injury to consumers that is not offset by countervailing benefits” and “is not reasonably avoidable by consumers.”

With the popularity of “Bring Your Own Device,” it is easy to imagine a situation where a dealership’s data is compromised in a similar manner as Accretive’s.  For example, suppose your employees use their personal smartphones or laptops to access your DMS or CRM.  The theft of a smartphone or laptop could allow an unauthorized individual access to consumers’ nonpublic personal information.  Without processes in place to safeguard consumers’ data, dealers may face liability for violating several laws, including the FTC Act.

Many dealers are aware of their responsibilities to protect nonpublic personal information from theft or other loss.  The Safeguards Rule of the Gramm-Leach-Bliley Act requires dealers to implement processes to safeguard consumers’ information, and make modifications to their processes that are necessary to protect this information.  The Red Flags Rule requires dealers to implement and maintain processes to detect identity theft, and make any changes required to improve the efficacy of the processes.  Each of these laws has its own enforcement mechanisms and civil penalties.  Now, the FTC appears willing to interpret Section 5 of the FTC Act to include data losses, under certain circumstances, as deceptive practices.  Unfortunately for dealers, this means that a data loss may trigger liability under the FTC Act, in addition to any liability under the Safeguards Rule or Red Flags Rule.

FTC Shakes Up Automotive Advertising with Recent Enforcement Action

A recent FTC investigation of several car dealerships sent ripples through the retail sector of the auto industry.  A copy of the FTC’s press release is here.  The FTC’s investigation of these particular dealerships reveals a shift in enforcement posture regarding “deceptive and unfair trade practices” in two major ways.  First, the FTC now classifies a promise to pay off a consumer’s vehicle, “no matter how much [he or she] owes,” as a deceptive and unfair trade practice when the dealer applies the existing loan balance to the new purchase without appropriate disclosure.  This is big for auto dealers because this advertising message is quite common in auto advertising.  Second, and equally profound, is that the FTC referenced videos posted by some of the dealerships to YouTube in the enforcement action.  This is one of the first, and if not, the most public, occasion that a FTC focused such attention on a dealership’s videos on YouTube.

What can you learn from this enforcement action?  First, the FTC is willing to broaden the scope of what constitutes “deceptive and unfair trade practices.”  Moreover, state and local administrative agencies that have similar mandates as the FTC often follow the FTC’s guidance when interpreting their own state and local laws and ordinances against deceptive and unfair trade practices.  So, when examining your advertisements, keep in mind the regulatory climate and that eager state attorney generals may wish to adopt the FTC’s ruling to enforce similar actions in your market.  Also and ask yourself whether the language in your advertisement can be reasonably construed as deceptive and unfair.  Don’t wait for an administrative agency to rule against you if you have advertisements that are in a “grey area” of interpretation.

Another lesson you can learn is that your social media content is not immune from investigation.  Use equal diligence when reviewing a video loaded on YouTube, status update on Facebook, or tweet on Twitter, that you would with an advertisement in your local newspaper.  If your content is problematic, remove it immediately.

Finally, if something like this happens to your dealership, you have many options to combat the negative publicity.  One example is to take your message to your consumers directly, like Frank Myers, owner of Auto Maxx (one of the dealers under investigation by the FTC), recently did.  I applaud Mr. Myers for taking the initiative to air his side of the story and showing the importance of sharing your perspective on matters that directly impact your business. Here is the first video he posted soon after the FTC released its statement:

And here is the next video: