Firms to Pay $101,500 to Settle FTC Charges Of Failing to Protect Discarded Consumer Data

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Two companies that allegedly failed to safeguard discarded, sensitive personal information will pay $101,500 to settle related Federal Trade Commission charges filed in the U.S. District Court for the Northern District of Illinois, according to a consent order released Nov. 7 (United States v. PLS Financial Services Inc., N.D. Ill., No. 1:12-cv-08334, consent order entered 10/26/12).

PLS Financial Services Inc. provides management services to more than 300 payday loan and check cashing stores, and The Payday Loan Store of Illinois Inc. is an affiliated company that owns and operates such stores, the FTC explained in a Nov. 7 statement. The two companies are jointly and severally liable for the penalty.

The companies allegedly discarded “documents containing sensitive personal identifying information--including Social Security numbers, employment information, loan applications, bank account information, and credit reports--in unsecured dumpsters near several PLS Loan Stores or PLS Check Cashers locations,” the commission explained in its statement.

The FTC's Oct. 17 complaint also named PLS Group Inc., which owns the two companies, as a defendant. PLS Group, however, is not subject to the consent order's penalty provision.

Third Disposal Rule Violation Case.

The commission's complaint alleged that the defendants violated the FTC's Disposal Rule, the Gramm-Leach-Bliley Safeguards Rule and Privacy Rule, and the FTC Act.

The FTC's Disposal Rule, 16 C.F.R. §§ 682.1-682.5, “requires that companies dispose of credit reports and information derived from them in a safe and secure manner,” the commission explained. PLS Financial Services and The Payday Loan Store did not take reasonable steps to protect against the unauthorized access to consumer information when disposing credit reports, the FTC alleged.

The commission said that this case is the third time it has brought charges under the Disposal Rule.

The complaint further claimed that the companies violated the Gramm-Leach-Bliley Safeguards Rule, 16 C.F.R. pt. 314, and Privacy Rule, 16 C.F.R. pt. 313. Those rules “require financial institutions to develop and use safeguards to protect consumer information, and deliver privacy notices to consumers,” the commission said.

The alleged violation under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), stems from the defendants' misrepresentations about the reasonable measures they implemented to protect sensitive consumer information.

In addition to the civil penalty imposed on PLS Financial Services and The Payday Loan Store, the consent order:

• prohibits all of the defendants from misrepresenting the privacy and security of consumers' personal information;

• prohibits the defendants from further violating the Disposal Rule, Safeguards Rule, and Privacy Rule;

• requires the defendants to establish and implement “a comprehensive information security program”;

• requires the defendants to obtain independent, third-party audits every other year for 20 years; and

• requires each defendant to submit a compliance report to the FTC one year after the order's entry, in addition to other recordkeeping and compliance monitoring requirements.


John W. Burke, of the Department of Justice, in Washington, and Maria Del Monaco and Jonathan L. Kessler of the FTC, in Cleveland, Ohio, represented the United States. Margo H.K. Tank and Kirk D. Jensen, of Buckley Sander LLP, in Washington, represented the defendants.

The consent order is available at

The FTC's complaint is available at

Request Bloomberg Law: Privacy & Data Security