Trash Talking

Some things you’d expect to find in a trash can:  last night’s potato peelings, the casserole that looked so promising in the cookbook photo, and Oscar the Grouch.  But if you run a business, the one thing you don’t want in the dumpster behind your office is paperwork containing sensitive information about your customers.  Just ask PLS Financial Services, PLS Group, and the Payday Loan Store of Illinois.

PLS Group owns about two dozen companies, like the Payday Loan Store of Illinois, that in turn operate more than 300 payday loan and check cashing outlets in nine states.  Consumers may know them as PLS Loan Stores and PLS Check Cashers.  The businesses also do tax preparation, make car title loans, sell mobile phones, and handle a range of other financial transactions for customers.  In the course of their business, they collect lots of sensitive information — like Social Security, driver’s license, and bank account numbers; dates of birth; credit reports; and other paperwork best kept private.  PLS Financial Services provides management services to PLS Loan Stores and PLS Check Cashers, including establishing policies and procedures for handling all that info.

That’s where the FTC says something went wrong.  According to the lawsuit, the defendants engaged in a number of practices that, when taken together, failed to provide reasonable and appropriate security for the sensitive consumer information they handled.  As a result, the FTC says that confidential documents were found on multiple occasions in dumpsters near PLS locations.  For example, boxes of documents were recovered from a dumpster near a PLS Loan Store in Bolingbrook, Illinois.  Not long after, more paperwork was retrieved from dumpsters near locations in Chicago and Chicago Heights.  What kind of stuff was available for the taking?  Loan applications, credit reports, cancelled checks, and paperwork with customers’ Social Security numbers, wage information, and bank account data.

A walk through the complaint offers insights into where the FTC says the companies’ procedures fell short.  Count 1 charges that the PLS Financial Services and the Payday Loan Store of Illinois violated the Disposal Rule, which requires companies to take reasonable measures to prevent unauthorized access when getting rid of information derived from consumer reports.  

According to Count 2, those defendants also violated the GLB Safeguards Rule.  Under the Safeguards Rule, financial institutions (a term defined more broadly than you might think) must protect customer information by developing a comprehensive written data security program that addresses access, collection, storage, transmission, disposal — pretty much the soup to nuts of how data moves through a business.

Consistent with dozens of other cases, Count 3 charges that the PLS Financial Services, the Payday Load Store of Illinois, and the PLS Group violated Section 5 of the FTC Act by falsely telling customers they had implemented reasonable and appropriate measure to protect sensitive info from unauthorized access.

Count 4 alleges violations of the GLB Privacy Rule, which requires financial institutions to give customers “a clear and conspicuous notice” that “accurately reflects [the financial institution’s] privacy policies and practices.”  When does that have to happen?  No later than when a customer relationship arises and annually after that for as long as the relationship continues.  But according to the complaint, during various times in 2009 and 2010, the defendants didn’t give customers a copy of their privacy policy.

The settlement imposes a $101,500 civil penalty and puts in place a data security program with independent third-party audits every other year for the next 20 years.

Next:   How this case can help you take a fresh look at your company’s procedures