Business Blog
Trash Talking
Some things you’d expect to find in a trash can: last night’s potato peelings, the casserole that looked so promising in the cookbook photo, and Oscar the Grouch. But if you run a business, the one thing you don’t want in the dumpster behind your office is paperwork containing sensitive information about your customers. Just ask PLS Financial Services, PLS Group, and the Payday Loan Store of Illinois.
PLS Group owns about two dozen companies, like the Payday Loan Store of Illinois, that in turn operate more than 300 payday loan and check cashing outlets in nine states. Consumers may know them as PLS Loan Stores and PLS Check Cashers. The businesses also do tax preparation, make car title loans, sell mobile phones, and handle a range of other financial transactions for customers. In the course of their business, they collect lots of sensitive information — like Social Security, driver’s license, and bank account numbers; dates of birth; credit reports; and other paperwork best kept private. PLS Financial Services provides management services to PLS Loan Stores and PLS Check Cashers, including establishing policies and procedures for handling all that info.
That’s where the FTC says something went wrong. According to the lawsuit, the defendants engaged in a number of practices that, when taken together, failed to provide reasonable and appropriate security for the sensitive consumer information they handled. As a result, the FTC says that confidential documents were found on multiple occasions in dumpsters near PLS locations. For example, boxes of documents were recovered from a dumpster near a PLS Loan Store in Bolingbrook, Illinois. Not long after, more paperwork was retrieved from dumpsters near locations in Chicago and Chicago Heights. What kind of stuff was available for the taking? Loan applications, credit reports, cancelled checks, and paperwork with customers’ Social Security numbers, wage information, and bank account data.
A walk through the complaint offers insights into where the FTC says the companies’ procedures fell short. Count 1 charges that the PLS Financial Services and the Payday Loan Store of Illinois violated the Disposal Rule, which requires companies to take reasonable measures to prevent unauthorized access when getting rid of information derived from consumer reports.
According to Count 2, those defendants also violated the GLB Safeguards Rule. Under the Safeguards Rule, financial institutions (a term defined more broadly than you might think) must protect customer information by developing a comprehensive written data security program that addresses access, collection, storage, transmission, disposal — pretty much the soup to nuts of how data moves through a business.
Consistent with dozens of other cases, Count 3 charges that the PLS Financial Services, the Payday Load Store of Illinois, and the PLS Group violated Section 5 of the FTC Act by falsely telling customers they had implemented reasonable and appropriate measure to protect sensitive info from unauthorized access.
Count 4 alleges violations of the GLB Privacy Rule, which requires financial institutions to give customers “a clear and conspicuous notice” that “accurately reflects [the financial institution’s] privacy policies and practices.” When does that have to happen? No later than when a customer relationship arises and annually after that for as long as the relationship continues. But according to the complaint, during various times in 2009 and 2010, the defendants didn’t give customers a copy of their privacy policy.
The settlement imposes a $101,500 civil penalty and puts in place a data security program with independent third-party audits every other year for the next 20 years.
Next: How this case can help you take a fresh look at your company’s procedures
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.