
FTC Act Noncompliance: Being an SMB Will Not Save You From Noncompliance Penalties

The FTC just settled another violation of the FTC Act, this one for pretexting and selling call records. The defendant is a one-person business, which demonstrates that the FTC does not only go after the big fish; the business minnows are fair game as well.

When speaking with SMBs, many have indicated that they do not believe oversight agencies would ever be interested in their compliance, or non-compliance, activities, because the fines involved would not be as large and/or they are simply too small for any government oversight agency to care about.

Businesses must realize that the FTC is not using noncompliance merely as a revenue-generating machine targeting multi-million dollar settlements. It will investigate businesses of any size, in any industry, that it believes are engaging in unfair and deceptive business practices or are otherwise in non-compliance with the FTC Act.

If your organization is making promises (within posted privacy policies, within mailings to your customers, within emails) that it does not keep, or is otherwise involved in illegal activities such as pretexting, your business is at risk of potentially huge fines. This particular fine does not sound huge, but remember that this is basically a one-man business, so it may have a significant impact on him. What usually has a much bigger impact, in resources and time, are the consent order requirements, which can go on for years and years; many organizations have 20-year consent order requirements for independent audits, documentation filings, and so on.

In this latest case, the defendant, Integrity Security & Investigation Services, Inc. (Edmund Edmister), agreed to a consent order requiring him to:

  • Discontinue obtaining, causing others to obtain, marketing, or selling customer phone records and consumer personal information derived from phone records.
  • Stop making false or deceptive representations, such as impersonating any person or entity, directly or by implication, to any person or entity in order to obtain consumer personal information.
  • Stop requesting any person or entity to obtain consumer personal information relating to any third person, if the person making such a request knows or should know that the person or entity to whom such a request is made will obtain or attempt to obtain such information in violation of this consent decree.
  • Pay a $2,700 penalty.
  • Cooperate in meeting with the FTC whenever they request, along with providing interviews, conferences, pretrial discovery, review of documents, and anything else related to this issue whenever requested.
  • For the next 3 years, deliver a copy of the consent order to all of his principals, officers, directors, and managers of this business, and of any other business the Defendant controls, directly or indirectly, and obtain signed receipts and acknowledgments from each.
  • For the next 3 years deliver copies of the consent order to all of his employees, agents, and representatives, and obtain signed receipts and acknowledgments from each.
  • For the next 3 years, document all of the following and provide the records to the FTC at any time upon their request:
    • A. Accounting records that reflect the cost of goods or services sold, revenues generated, and the disbursement of such revenues
    • B. Personnel records accurately reflecting: the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person's job title or position; the date upon which the person commenced work; and the date and reason for the person's termination, if applicable
    • C. Customer files containing the names, addresses, phone numbers, dollar amounts paid, quantity of goods or services purchased, and description of goods or services purchased, to the extent such information is obtained in the ordinary course of business
    • D. Complaints and refund requests (whether received directly, indirectly or through any third party) and any responses to those complaints or requests
    • E. Copies of all sales scripts, training materials, advertisements, or other marketing materials, and records that accurately reflect the time periods during which such materials were used and the persons and business entities that used such materials
    • F. To the extent consumer personal information is obtained through the use of any third party, records that accurately reflect the name, address and telephone number of such third party, including, but not limited to, copies of all contracts and correspondence (other than correspondence that contains consumer personal information) between him and the third party
    • G. Copies of each acknowledgement of receipt of the consent order.
  • For the next 3 years, notify the FTC of changes in address, employment, and other changes in the current business and any new business
  • For the next 3 years, be closely monitored for compliance with these requirements.


Comments

Small businesses ESPECIALLY should be paying close attention to complying with all guidelines and regulations. In order to establish a dedicated clientele, it's CRUCIAL for SMBs to follow in the footsteps of the corporate "big fish" to prove to potential consumers that they are a legitimate entity that can be trusted with personal information, account numbers and ultimately their business.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.