Don’t Train in Vain: Cyber Security Lessons from the FTC
“We restrict access to nonpublic personal information about you to only those employees who need to know that information to provide products and services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard nonpublic personal information.”
Pretty standard-looking language, right? Countless organizations, in fact, use similar or identical wording in their privacy policies. This one in particular belonged to Franklin’s Budget Car Sales, a Georgia auto dealer that sells and leases cars and provides financing for customers.
In Franklin’s case, however, what should stand out is not so much what the policy contains as what it leaves out. What are those “physical, electronic, and procedural safeguards,” exactly? How can customers opt out of having their data collected and shared with third parties? Most of all: how does the company ensure employees are trained on, and actually follow, its policy?
Enforcers at the Federal Trade Commission had the same questions in mind when they learned of a data breach at Franklin several years ago. The FTC found that peer-to-peer file-sharing software had been installed on the company’s network, exposing sensitive financial information—including names, addresses, Social Security numbers, and driver’s license numbers—belonging to 95,000 consumers.
As a result, the FTC charged Franklin with the following:
- failure to employ reasonable measures to respond to unauthorized access to personal information;
- failure to assess risks to the consumer information it collected and stored online;
- failure to adopt policies to prevent or limit unauthorized disclosure of
- failure to prevent, detect and investigate unauthorized access to personal information on its networks; and
- failure to adequately train employees.
Additionally, the FTC charged Franklin with violating the Gramm-Leach-Bliley Safeguards Rule, as well as Section 5 of the FTC Act, by failing “to provide annual privacy notices and a mechanism by which consumers could opt out of information sharing with third parties.”
What stands out to us in that list is the final charge: the FTC’s focus on employee training. Franklin could have had any policy and the most advanced safeguards in place, but words on paper mean little if they are not backed up by actual employee conduct.
The next question, then, is what should employees be trained to do? At a presentation at the recent Auto Finance Performance and Compliance Summit, FTC Assistant Regional Director Jim Elliott discussed this case and offered the following general guidance:
- Don’t collect personal information you don’t need.
- Hold on to information only as long as you have a legitimate business need.
- Don’t use personal information when it’s not necessary.
All in all, it’s another example of how cybersecurity preparedness is frequently a matter of common sense. The key is to demonstrate to your employees why it’s common sense, and to develop and test their knowledge through continual training.
For more cybersecurity guidance, make sure to catch up on our on-demand webinar: How to be Cyber Secure.