Wednesday, March 5, 2008

FTC settles breach complaint with student lender

I suppose in this instance, the good news is the U.S. Federal Trade Commission (FTC) has settled a complaint against student lender Goal Financial for failing to safeguard personal data - including Social Security numbers - of thousands of its customers. This marks the 17th such case the FTC has brought against companies that violate data security practices.

The bad news is not only was Goal Financial guilty of a major breach of their customers' right to privacy, they blatantly LIED and misrepresented their own privacy protection standards in the contracts signed by students whose information was compromised.

Infoworld reports:

Goal Financial allowed two employees to access the personal information of about 7,000 customers and take the information to a competing firm between 2005 and 2006, and the company allowed an employee to sell a hard drive containing the unencrypted personal information of 34,000 customers sometime in 2006, the FTC said. The company failed to protect personal information such as birth dates, Social Security numbers, and income and employment information...

...

As part of the settlement, Goal Financial must implement a comprehensive information security program and be audited by an independent security professional every other year for 10 years.

...

The FTC accused the company of violating the agency's Safeguards Rule by failing to adequately assess the risks to consumers’ personal information, adequately restrict access to this information to authorized employees, implement a comprehensive information security program, provide adequate employee training, and, in some instances, contractually require third-party service providers to protect the information.

Goal Financial also violated the FTC's Privacy Rule by providing customers with a privacy policy that contained false or misleading statements and violated the FTC Act by falsely representing to consumers that it implemented reasonable and appropriate measures to protect personal information, the FTC said.
