Alert March 11, 2008

Student Lender Settles FTC Claims of Privacy Rules Violations

A student loan company agreed to settle claims brought by the FTC for allegedly failing to provide “reasonable and appropriate security” for consumers’ personal information in violation of the FTC’s safeguards and privacy rules. According to the FTC’s complaint, the lender transferred more than 7,000 files with consumer information to third parties without authorization, sold to the public surplus hard drives that contained information about 34,000 consumers, and had a privacy policy that contained false and misleading statements as to the “reasonable and appropriate” measures it had in place to protect consumers’ personal information. The FTC’s proposed consent order requires the lender to establish and maintain an information security program that includes administrative, technical, and physical safeguards, and bars the lender from future data security misrepresentations to consumers. In addition, the lender must undergo audits performed by independent third-party security professionals on a biennial basis for the next 10 years in order to ensure that its security program meets the standards set forth in the settlement agreement. The agreement is available for public comment until April 3, after which time the FTC will decide whether to make the it final. Click here for the FTC’s press release and here for a copy of the agreement.