• Student Loan Company Settles with FTC over Lax Data Security Charges
  • April 16, 2008
  • Law Firm: Winston & Strawn LLP - Chicago Office
  • Goal Financial, LLC, a student loan company that collects personal information when providing loans and other financial services, settled with the Federal Trade Commission in March over charges that security failures resulted in the unauthorized transfer of personal information about students to third parties. According to the FTC, Goal Financial’s practices violated the Safeguards Rule of the Gramm-Leach-Bliley Act, inasmuch as the company did not provide reasonable or appropriate methods for safeguarding consumer information, which included individuals’ names, Social Security numbers, dates of birth, and employment information. Specifically, the company did not assess risks to its electronic and paper files, did not adequately restrict employee access to files, did not have a security program in place, did not adequately train employees, and in many instances did not require contractors to protect the security and confidentiality of consumers’ information. As a result, employees improperly transferred the files of 7,000 individuals to third parties, and sold hard drives to the public that had not been adequately scrubbed of the sensitive personal data of 34,000 consumers. In addition to creating an appropriate security program, the company must obtain an independent audit of its safeguard measures every two years for the next ten years. The agreement will become final at the end of April, after a public comment period.

    TIP: Whether or not your company provides financial services such that you are subject to the GLB Safeguards Rule, you should ensure that you have appropriate measures in place to protect consumer information your company might maintain, especially if that information is sensitive in nature.