Failure To Protect Data May Violate The FTC Act

The Federal Trade Commission (“FTC”) has recently targeted dealers whose advertisements are deceptive or who engaged in unfair trade practices.  Because businesses from different industries may conduct their affairs in a similar fashion, it is important to monitor actions brought by the FTC against other businesses.  A recent enforcement action initiated by the FTC against a medical billing company may have a profound impact on automobile dealers.

Accretive Health, Inc. (“Accretive”), provides medical billing and revenue management services to medical providers throughout the United States.  Because of the services it provides, Accretive collects significant amounts of nonpublic personal information on patients.  This information includes social security numbers, dates of birth, billing information, and medical records.  The laptop of an employee of Accretive was stolen from the employee’s car.  The laptop contained twenty million pieces of information on twenty three thousand patients.  The FTC alleged in its complaint that Accretive’s practices were inadequate to safeguard against these kinds of thefts, and placed patients’ information at considerable risk.  Citing Section 5(a) of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” the FTC claimed that Accretive’s practices likely caused “substantial injury to consumers that is not offset by countervailing benefits” and “is not reasonably avoidable by consumers.”

With the popularity of “Bring Your Own Device,” it is easy to imagine a situation where a dealership’s data is compromised in a similar manner as Accretive’s.  For example, suppose your employees use their personal smartphones or laptops to access your DMS or CRM.  The theft of a smartphone or laptop could allow an unauthorized individual access to consumers’ nonpublic personal information.  Without processes in place to safeguard consumers’ data, dealers may face liability for violating several laws, including the FTC Act.

Many dealers are aware of their responsibilities to protect nonpublic personal information from theft or other loss.  The Safeguards Rule of the Gramm-Leach-Bliley Act requires dealers to implement processes to safeguard consumers’ information, and make modifications to their processes that are necessary to protect this information.  The Red Flags Rule requires dealers to implement and maintain processes to detect identity theft, and make any changes required to improve the efficacy of the processes.  Each of these laws has its own enforcement mechanisms and civil penalties.  Now, the FTC appears willing to interpret Section 5 of the FTC Act to include data losses, under certain circumstances, as deceptive practices.  Unfortunately for dealers, this means that a data loss may trigger liability under the FTC Act, in addition to any liability under the Safeguards Rule or Red Flags Rule.

FTC’s “Operation Steer Clear” Targets Auto Dealers’ Deceptive Trade Practices

On January 9, 2013 the Federal Trade Commission (“FTC”) announced enforcement actions against nine automobile dealerships over allegations of deceptive and unfair trade practices.  The FTC alleged that these dealers violated the FTC Act, which prohibits businesses from making false or misleading statements regarding products and services.  The complaints filed by the FTC also included allegations that the dealers violated the Consumer Leasing Act and the Truth in Lending Act by failing to disclose fees, interest rates, and other credit related terms.

Of particular interest is the FTC’s complaint involving a dealer’s advertisement of a purchase price reduced by a down payment.  For example, the dealership advertised a 2008 Chevrolet Tahoe for $17,995 and included in the disclosure that the price was “after $5000 down.”  Even though the advertisement disclosed that the price was conditioned upon the consumer making a down payment of $5000, the FTC alleged that the advertisement was deceptive because the vehicles “are not available for purchase at the prices prominently advertised” since consumers “must pay an additional $5000 to purchase the advertised vehicle.”  Based on anecdotal observation, this practice is far more common than many dealers may believe.

Dealers should closely review their own advertisements to see whether they may be deemed deceptive.  If you have advertisements that show a price contingent upon making a down payment, you should  avoid making these kinds of offers.  If you advertise lease or installment payments, you must make sure that you properly disclose any “trigger terms,” such as APR, duration of the loan, and any additional fees associated with the purchase or lease.  Payments that are “No Money Down” must really be no money down.  If the consumer must pay more to obtain the advertised payment or price, then the offer may be deceptive.

FTC Continues Crackdown On Dealers

I recently wrote about the Federal Trade Commission’s (“FTC”) vigorous enforcement of consumer protection and privacy laws against automobile dealers.  In these previous enforcement actions targeting dealers, the FTC found that advertisements related to negative equity were deceptive and unfair, and that dealers failed to take adequate steps to safeguard consumers’ nonpublic personal information from tampering via Peer to Peer (“P2P”) networks.  Now, two dealers entered into consent agreements with the FTC to settle claims of unfair and deceptive trade practices related to advertisements placed by the dealerships online and in print.

The FTC charged that dealers in Maryland and Ohio “violated the FTC Act by advertising discounts and prices that were not available to a typical consumer…[and] misrepresenting that vehicles were available at a specific dealer discount, when in fact the discounts only applied to specific, and more expensive, models of the advertised vehicles.”  The Maryland dealer’s website “touted specific “dealer discounts” and “internet prices,” but allegedly failed to disclose adequately that consumers would need to qualify for a series of smaller rebates not generally available to them.”  The Ohio dealer “allegedly failed to disclose that its advertised discounts generally only applied to more expensive versions of the vehicles advertised.”  To settle these actions, the dealers agreed to comply with the FTC’s order for twenty years, and maintain records of advertisements and promotional materials for the FTC’s inspection, upon request, for five years.

Once again the FTC demonstrated its willingness to extend protections offered by the FTC Act against deceptive and unfair practices to online advertisements placed by dealers.  The FTC’s scrutiny of dealers’ advertisements clearly is not limited to “traditional” media, such as television and newspaper.  Furthermore, the Maryland and Ohio dealer used advertising methods (combining rebates and stating a percentage discount from MSRP) that dealers use frequently.  Therefore, dealers must endeavor to curtail the use of terms and methods that the FTC has determined are deceptive and unfair.

If you have not done so, you should download the FTC’s “.com disclosures,” which offer guidance on what you must disclose in your online advertisements.  Your state’s Attorney General’s office may provide similar guidance.  For example, New York’s Attorney General publishes advertising guidelines for New York dealers.  While your state’s Attorney General may not have issued guidance regarding online advertising, you should not interpret this absence as carte blanch to advertise however you wish.  Each state has enacted its own version of the FTC Act, and many state Attorney General’s closely watch the FTC and adopt it’s posture related to enforcement of consumer protection laws.  So, even if your state’s Attorney General has yet to act, chances are that advertisements like the ones cited above may be deemed deceptive and unfair under your state’s law should a consumer or the Attorney General challenge the advertisements.