Two companies that allegedly failed to safeguard discarded, sensitive
personal information will pay $101,500 to settle related Federal Trade
Commission charges filed in the U.S. District Court for the Northern District of
Illinois, according to a consent
order released Nov. 7 (United States v. PLS Financial Services Inc.,
N.D. Ill., No. 1:12-cv-08334, consent order entered 10/26/12).
PLS Financial Services Inc. provides management services to more than 300
payday loan and check cashing stores, and The Payday Loan Store of Illinois Inc.
is an affiliated company that owns and operates such stores, the FTC explained
in a Nov. 7 statement. The two companies are jointly and severally liable for
The companies allegedly discarded “documents containing sensitive personal
identifying information--including Social Security numbers, employment
information, loan applications, bank account information, and credit reports--in
unsecured dumpsters near several PLS Loan Stores or PLS Check Cashers
locations,” the commission explained in its statement.
The FTC's Oct. 17 complaint
also named PLS Group Inc., which owns the two companies, as a defendant. PLS
Group, however, is not subject to the consent order's penalty provision.
The commission's complaint alleged that the defendants violated the FTC's
Disposal Rule, the Gramm-Leach-Bliley Safeguards Rule and Privacy Rule, and the
The FTC's Disposal Rule, 16 C.F.R. §§ 682.1-682.5, “requires that companies
dispose of credit reports and information derived from them in a safe and secure
manner,” the commission explained. PLS Financial Services and The Payday Loan
Store did not take reasonable steps to protect against the unauthorized access
to consumer information when disposing of credit reports, the FTC alleged.
The commission said that this case is the third time it has brought charges
under the Disposal Rule.
The complaint further claimed that the companies violated the
Gramm-Leach-Bliley Safeguards Rule, 16 C.F.R. pt. 314, and Privacy Rule, 16
C.F.R. pt. 313. Those rules “require financial institutions to develop and use
safeguards to protect consumer information, and deliver privacy notices to
consumers,” the commission said.
The alleged violation under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a),
stems from the defendants' misrepresentations about the reasonable measures they
implemented to protect sensitive consumer information.
In addition to the civil penalty imposed on PLS Financial Services and The
Payday Loan Store, the consent order:
all of the defendants from misrepresenting the privacy and security of
consumers' personal information;
the defendants from further violating the Disposal Rule, Safeguards Rule, and
the defendants to establish and implement “a comprehensive information security
the defendants to obtain independent, third-party audits every other year for 20
each defendant to submit a compliance report to the FTC one year after the
order's entry, in addition to other recordkeeping and compliance monitoring
John W. Burke, of the Department of Justice, in Washington, and Maria Del
Monaco and Jonathan L. Kessler of the FTC, in Cleveland, Ohio, represented the
United States. Margo H.K. Tank and Kirk D. Jensen, of BuckleySandler LLP, in
Washington, represented the defendants.
The consent order is available at http://www.ftc.gov/os/caselist/1023172/121107plspaydaystip.pdf.
The FTC's complaint is available at http://www.ftc.gov/os/caselist/1023172/121107plspaydaycmpt.pdf.