Dumpster Diving in Your Dealership

When we do a dealer F&I compliance audit, one of the things we do is to go dumpster diving, or at least “trash can rummaging.” That’s because there seem to be an awful lot of dealers out there who haven’t yet gotten the word that we have laws protecting the privacy of their customers.

A January 20, 2010 release from the Federal Trade Commission shows just how much mischief a dealer can get into by just emptying the trash, and illustrates the FTC’s enforcement interest in careless disposal practices.

A mortgage broker (don’t quit reading – these laws apply to car dealers, too, and in much the same way) who discarded consumers’ personal financial records in a publicly-accessible dumpster paid a $35,000 civil penalty to settle Federal Trade Commission charges. Ouch.

According to an FTC complaint filed in December 2008, the defendant improperly tossed out about 40 boxes of sensitive consumer records collected by companies he had owned. The documents included tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers’ licenses, and at least 230 credit reports. On top of that, two mortgage brokerage companies he previously owned failed to provide reasonable and appropriate security for sensitive consumer information, despite promises that they would do so.??The FTC charged the defendant with failing to take reasonable measures to protect credit report information from unauthorized access during its disposal, in violation of the Fair Credit Reporting Act and the FTC’s Disposal Rule. The complaint also charged him with violating the FTC Act, based on his companies’ misrepresentations about their data security practices.

The settlement order also bars the defendant from misrepresenting measures taken to protect sensitive consumer information and failing to take reasonable measures to protect credit report information during its disposal. The order also requires him to employ a comprehensive information security program for sensitive consumer information, and to hire an independent, third-party security professional to review the program every year for 10 years to ensure that it meets or exceeds the order’s requirements.

I’ll make you a bet. Go out back to the dumpster right now and check what your employees are throwing away. I’ll bet that you will find customer information protected by either state or federal privacy laws. If you do, or even if you don’t but were afraid you would, use this mortgage broker’s story as a teachable moment to get your staff focused on their duties under the privacy laws.

The defendant’s total tab for this mess will include the $35,000 for the FTC’s cash register, his own lawyer’s fees (say, $25,000), and 10 years’ worth of fees to the third-party security company (who knows what this number would be, but even at $5,000 per year, that would be $50,000). It’s just a guess, you understand, but I suspect you have some better places to put something north of $100,000.

Vol. 7, Issue 3