A company that provides management services to more than 300 payday loan and check cashing stores, and an affiliated company that owns and operates several stores, will pay $101,500 to settle Federal Trade Commission charges that they violated federal law by allowing sensitive consumer information to be tossed into trash dumpsters.
The Commission vote to approve the proposed consent decree was 5-0. The Department of Justice filed the proposed consent decree on behalf of the Commission, which was signed by the Judge Joan Gottschall of the U.S. District Court for the Northern District of Illinois on November 1, 2012.
It has always seemed to me that that the practices of payday loan and check cashing stories are nearly predatory to begin with. That those who need money so badly that they are willing to pay what I consider exorbitant rates have to also worry about their identities is truly a sad statement. $101,500 just doesn’t seem an adequate penalty given the careless and reckless disregard involved here.
The FTC charged that PLS Financial Services, Inc., and The Payday Loan Store of Illinois, Inc., failed to take reasonable measures to protect consumer information, resulting in the disposal of documents containing sensitive personal identifying information – including Social Security numbers, employment information, loan applications, bank account information, and credit reports – in unsecured dumpsters near several PLS Loan Stores or PLS Check Cashers locations. PLS Group, Inc., which owns PLS Financial Services and The Payday Loan Store of Illinois, was also named in the complaint.
The defendants are jointly and severally liable for paying the $101,500 settlement, which means that the total fine for all three companies was $101,500 and any one may pay that amount to satisfy the settlement. Such a paltry sum seems extremely out of line given the reckless and careless disregard for the privacy of their customers. Exactly who would think that it is a good idea to simply throw away sensitive, personally identifiable information that would give identity thieves everything they need to steal someone’s identity?
Identity theft is growing at alarming rates, and this story is one example as to why. It seems no one, including the FTC, takes identify theft seriously. These criminals are rarely caught it seems and the penalties for the criminals and the companies that are recklessly complicit and enable the crime are miniscule.
Typically identity theft is a criminal concern and not an intellectual property concern, but stealing someone’s identity is really akin to many intellectual property violations, which is why from time to time I do write about the topic.
The nature of identity theft is similar to infringement of the right of publicity, and also similar to other intellectual property wrongs in that what is being taken is not a tangible piece of property, but information that is then used to deceive and fraud. Your number 1 asset is your good name, as is a trademark or trade name to a business. History teaches us that once a trademark has been sullied for one reason or another, whether by scandal, malfeasance or negligence, it is not easy to right the ship.
For example, so many years ago Tylenol was the subject of tampering, which caused the drug to be taken off the shelves and ultimately lead to all the safety precautions on over the counter medicine. But people died and despite the fact that Tylenol wrote the book on how to properly manage such an incident people of a certain age will still associate Tylenol to some extent with that tragic series of events. What this means is that prevention is the key to keeping a good name, both for businesses but also for individuals.
The fact that there is so much at stake and that it can take so long to rectify losses when an identity is stolen makes it all the more difficult to understand how and why the FTC simply slapped these payday loan companies on the wrist.
According to the complaint filed by the FTC, PLS Financial Services and The Payday Loan Store of Illinois violated the FTC’s Disposal Rule by failing to take reasonable steps to protect against unauthorized access to consumer information in the disposal of credit reports. They also allegedly violated the Gramm-Leach-Bliley Safeguards Rule and Privacy Rule, which require financial institutions to develop and use safeguards to protect consumer information, and deliver privacy notices to consumers. Further, the FTC charged that all three defendants violated the FTC Act by misrepresenting that they had implemented reasonable measures to protect sensitive consumer information.
According to the FTC complaint, PLS Group owns approximately two dozen operating companies, such as The Payday Loan Store of Illinois, that in turn own and operate more than 300 retail stores in nine states under the names PLS Loan Stores and PLS Check Cashers. These stores offer a variety of products and services, including payday loans, check cashing, automobile title loans, debit cards, phone cards, and notary services. PLS Financial Services provides management services to the PLS Loan Stores and PLS Check Cashers locations, including establishing their policies and procedures for the handling and disposal of consumer financial information.
In addition to the $101,500 civil penalty imposed on PLS Financial Services and the Payday Loan Store of Illinois for violation of the Disposal Rule, the settlement bars all of the companies from violating the Disposal, Safeguards and Privacy Rules and from misrepresenting the extent to which they maintain and protect the privacy and integrity of personal information.
The Settlement also orders the defendants to “establish and implement, and thereafter maintain, a comprehensive information security program that is designed to protect the security, confidentiality, and integrity of personal information collected form or about consumers.” The fact that this has to be “ordered” is truly sad. Yet something tells me that these companies that offer these payday loans will continue to see business.
The order also requires that the companies implement and maintain a data security program with independent third-party audits every other year for the next 20 years. It also contains certain bookkeeping and record keeping provisions to allow the Commission to monitor compliance with its order.
While I think this case represents a woefully inadequate penalty, the FTC does have very good Identity Theft Resources on their website. If the issue of identity theft worries you take a look at these resources.