- Student loan debt and COVID: FTC sends warning letter to Frank Financial Aid by lfair on November 16, 2020 at 7:58 pm
By Lesley Fair

For people dealing with student loan debt – your employees, a family member, or maybe you – the CARES Act gives emergency grants to qualifying borrowers. But like other financial assistance programs, consumers need to know key details up front. As part of its ongoing effort to monitor the marketplace for questionable claims arising from the COVID pandemic, FTC staff just sent a warning letter to New York-based Frank Financial Aid, raising concerns about representations regarding CARES Act grants, as well as a cash advance product the company is advertising.

What has FTC staff concerned? Some potentially misleading claims on Frank’s website. One fundamental fact to keep in mind is that for assistance through the Department of Education’s Higher Education Emergency Relief Fund created by the CARES Act, the Department has made it clear that each school has its own unique application process and “decides the criteria for qualified students to receive a grant, the grant amount, and how and when the grant will be disbursed (paid out) to students” – which raises the issue of what Frank has claimed.

Frank has said consumers may “apply in 2 minutes for your student emergency grant” through the company’s site and that “Frank emails you everything you need to send to your school.” But according to the FTC, the letters Frank creates aren’t tailored to the application process and documentation requirements of each school. Frank has said that to be eligible for emergency relief, students and/or their parents must have experienced one or more of four identified criteria since March 1, 2020 (for example, a firing or furlough). But again, each school determines its own grant eligibility criteria.

In addition, Frank has said that consumers who get a cash advance through the company (which is separate from any CARES Act relief) can “[p]ay it back when your financial aid comes in.” However, in the fine print is the statement that consumers are required to pay back Frank’s cash advance “61 days after the date of disbursement.” Furthermore, despite claims on its website that consumers can get cash advances of up to $5,000 on their student loans with “No interest, no fees – ever,” the company actually charges a fee of $19.90 per month.

The warning letter advises Frank to take a look at its advertising and marketing – including websites, social media, email, telemarketing, and texts – to ensure the company is complying with the FTC Act’s prohibition on unfair or deceptive acts or practices. The letter also suggests a careful look at disclosures required by the Truth in Lending Act. FTC staff has directed the company to get back to us promptly with the specific actions it has taken to address these concerns.

The message for other marketers is that the pandemic in no way changes established consumer protection principles. That’s why FTC staff is keeping a careful watch on companies’ claims.

Looking for information about dealing with student debt during the pandemic? The Department of Education has information for borrowers. Also, check out FTC consumer resources for addressing the financial impact of the coronavirus.
- Protecting small businesses seeking financing during the pandemic by lfair on August 3, 2020 at 3:33 pm
By Andrew Smith, Director, FTC Bureau of Consumer Protection

Small businesses are a critical part of the U.S. economy, providing opportunity and employment to consumers across the country. Unfortunately, the current health crisis has brought financial strain to small businesses and their ability to secure the financing they need to survive. So now more than ever, struggling businesses and their owners need protection from deceptive and unfair practices. And the FTC is working swiftly to provide it.

Since the onset of the pandemic, we have taken enforcement actions and used other tools to stop financing providers and their marketers from targeting businesses with unlawful conduct. For example, today we announced a lawsuit against Yellowstone Capital, a merchant cash advance provider that we allege took unauthorized withdrawals from consumers’ bank accounts and made false claims about collateral, personal guarantees, and the cash amounts it provides. In recent months, we also have filed actions against two other operations targeting small businesses with alleged FTC Act violations: RCG Advances and Ponte Investments LLC (doing business as “SBA Loan Program”). Additionally, the FTC and Small Business Administration sent joint warning letters to advertisers for potentially misleading claims about their purported affiliation with the federal government or emergency loan programs created to protect businesses during the pandemic.

The FTC’s enforcement efforts, as well as our 2019 Strictly Business forum on small business financing, offer some key takeaways for financing providers and the companies that work with them:

Like other consumers, small businesses are protected under the FTC Act. The FTC Act gives the agency broad authority to stop deceptive and unfair practices by companies involved in every step of the financing process, including lenders and finance providers, as well as marketers, independent sales organizations (ISOs), brokers, lead generators, servicers, and debt collectors.

Don’t deceive consumers about the features or obligations of your financing products. Our recent actions against Yellowstone and RCG allege that these merchant cash advance providers misrepresented key aspects of their products, including the funding amounts consumers would receive and requirements that small businesses provide collateral and personal guarantees. Similarly, you can’t make misleading claims about other important terms – like cost and payment amounts.

Don’t mislead consumers about who you are or your association with government relief programs. As is often the case when new government programs are rolled out, during the current crisis some marketers have deceptively touted their connection to these programs. Our pending action against the company doing business as SBA Loan Program alleges the defendants deceived small business consumers about their affiliation with the Small Business Administration and their authority to make Paycheck Protection Program (PPP) loans. Recent FTC-SBA warning letters raise similar concerns.

Police your marketers and other agents. Simply relying on intermediaries like ISOs, lead generators, brokers, servicers or debt collectors to market or service your products won’t shield you from liability. Instead, take steps to ensure your agents don’t engage in deception or other unlawful conduct. Vet them carefully, build compliance standards into your contracts, monitor their actions for warning signs of trouble (for example, consumer complaints), audit them, and enforce those contractual standards. The FTC’s action against CEC is a case in point. In an action against the operator of postsecondary schools, we pursued the schools not only for their direct role in marketing, but also for their alleged violations of the FTC Act resulting from the illegal conduct of lead generators who – for example – falsely claimed to be affiliated with the U.S. military.

Ensure that you and your servicers avoid unlawful servicing practices. The FTC Act’s protections aren’t limited to marketing. They extend across the full life cycle of a financing product – including repayment and collections. So, for example, the law would prohibit a company from failing to honor its promises that customers can lower or cease payments as a result of reduced revenue or a health-related shutdown. Additionally, the FTC Act prohibits unfair practices, like taking unauthorized payments from consumers’ bank accounts – something we’ve alleged happened in both Yellowstone and RCG.

Don’t initiate collection actions or seek harsh remedies – for example, confessions of judgment (COJs) – against small business owners who are honoring their obligations. For example, in RCG, we allege that a finance provider filed COJs against consumers who didn’t breach their agreements or default. Given the severe consequences of COJs, the FTC is watching closely to ensure they are not used deceptively or unfairly.

When collecting outstanding payments or debts, never make false or egregious threats. You and your collectors should avoid the types of conduct the FTC has alleged to be unlawful in our many debt collection cases, like collecting amounts consumers don’t owe, making false threats of arrest or other severe consequences, harassing consumers with continuous calls, or using abusive language or threats of violence (as we allege occurred in RCG).

Report potentially unlawful conduct to the FTC. If you see finance providers, marketers, or others in the industry cross the lines we’ve outlined, report it to the FTC. Similarly, if you have customers who say other providers have targeted them with deceptive or unfair conduct, encourage them to report their experience to us online or call us at 1-877-FTC-HELP.
- FTC says Bronx Honda discriminated against African-American and Hispanic consumers by lfair on May 27, 2020 at 4:55 pm
By Lesley Fair

The FTC’s complaint against Bronx Honda alleges the company jacked up what consumers had to pay by fabricating fees, inflating charges, and sneaking in stealth add-ons. The lawsuit also alleges the defendants discriminated against African-American and Hispanic consumers by charging them higher financing markups and fees, in violation of the Equal Credit Opportunity Act and Reg B. The $1.5 million proposed settlement, which requires the company to implement a fair lending program that safeguards against discrimination, should serve as a reminder to other businesses that may be overdue for an ECOA compliance check.

The FTC says the company’s deceptive advertising claims were just the start. According to the complaint, Bronx Honda advertised some vehicles with a “Was” price and a lower “Now” price. But in many instances, sales reps told consumers the “Now” price was in error and they’d have to pay more. In addition, the FTC says in numerous instances, the defendants falsely told consumers they had to pay bogus extra fees to buy or finance “Certified Pre-Owned Hondas.” In fact, Certified Pre-Owned Hondas are covered by the manufacturer’s seven-year, 100,000-mile warranty and American Honda Motor Corporation doesn’t allow dealerships to charge a separate fee for the warranty.

The FTC says Bronx Honda also charged some consumers thousands more for “dealer prep,” “shop,” or “reconditioning” fees for Certified Pre-Owned Hondas, even though according to American Honda, that designation means the dealership has already “recondition[ed] any component that does not meet [the manufacturer’s] standards.” According to the complaint, Bronx Honda also overcharged consumers by dinging them for as much as $695 in documentation fees, an amount limited by New York law to no more than $75. In addition, the lawsuit alleges the defendants often gave consumers one figure for the agreed-upon total, but then inflated the price without the buyer’s knowledge in other documents – a practice Bronx Honda employees called “air money.”

To cite just one example from the complaint, the FTC said Bronx Honda advertised a 2014 Certified Pre-Owned Honda CR-V Touring AWD for $28,354, but then piled on – among other things – a $1,995 “certification fee,” a $350 document processing fee, a $493 prep fee, and a $795 shop fee, purportedly for “brakes” and “repairs,” even though repairs to brakes and other components are performed as part of the manufacturer’s certification. You’ll also want to read the complaint to see how the FTC alleges the defendants violated the Truth in Lending Act and Reg Z by failing to clearly disclose required credit information and the annual percentage rate.

Moving to the ECOA allegations, the FTC says Bronx Honda singled out African-American and Hispanic consumers for particularly pernicious practices by directing its employees to charge them higher interest rates and inflated fees. For example, the defendants arranged financing through third-party financing companies that provided Bronx Honda with a specific “buy rate,” a risk-based finance charge that reflected the interest rate at which the entity would finance a retail installment contract from the dealer. But according to the FTC, Bronx Honda had a discretionary pricing policy that allowed sales people to mark up interest rates and fees for consumers who financed their vehicles. Unlike the buy rate, that markup wasn’t based on the underwriting risk or credit characteristics of the applicant. Combine that practice with Bronx Honda’s alleged instructions to sales personnel to charge African-American and Hispanic consumers higher markups and additional fees – conduct the FTC says the defendants told their employees not to try with non-Hispanic white customers – and you’ll see why the complaint charges the defendants with violating the ECOA.

What did that mean in dollars and cents for African-American and Hispanic consumers? According to the complaint, among thousands of consumers who received financing through Bronx Honda, the defendants charged the average African-American borrower approximately $163 more in interest and the average Hispanic borrower approximately $211 more in interest than similarly situated non-Hispanic white borrowers. What’s more, African-American and Hispanic borrowers received the maximum markup 50% more often than non-Hispanic white borrowers. Non-Hispanic white borrowers did not receive a markup – or received a contract rate below the buy rate – about twice as often as African-American or Hispanic borrowers.

What was in it for Bronx Honda? The financing company compensated Bronx Honda from the increased interest revenue derived from the markup, a percentage of which the dealership passed on to its employees.

In addition to the $1.5 million financial judgment and injunctive provisions designed to remedy the violations alleged in the complaint, the Fair Lending Program required by the proposed settlement is worth a read. Under the terms of the order – which applies to defendants Bronx Honda and General Manager Carlo Fittanto – they must designate a qualified senior manager to be responsible for the program and mandate employee training at least once a year. In addition, the defendants must put written guidelines in place to establish objective, non-discriminatory criteria for assessing (or not assessing) fees and charges. What’s more, the settlement mandates specific provisions in retail installment sales contracts, including that the interest rate may be no higher than 185 basis points above the “buy rate,” and that any deviation below this markup be for only a few specific, documented reasons. And the defendants must promptly terminate any employee who engages in discriminatory conduct, violates the terms of the fair lending program, or violates other injunctive provisions of the order.
- Joint letters take new steps to stop illegal Coronavirus robocalls by lfair on April 3, 2020 at 5:57 pm
By Lesley Fair

Consumers hate illegal robocalls. And as the thousands of reports pouring into the FTC indicate, they also hate robocalls that exploit concerns about Coronavirus. In recent months, the FTC has taken innovative steps to take on not only illegal robocallers, but also companies that “assist and facilitate” their conduct. Just last week, FTC staff sent warning letters to nine businesses that provide Voice over Internet Protocol (VoIP) services or other assistance to some of the entities that may be behind the onslaught of bogus COVID-19 calls. Additional letters just went out that reflect unprecedented actions in the fight against fraud.

Warning letters were sent to three VoIP providers: SIPJoin, Connexum, and VoIP Terminator d/b/a BLMarketing. According to the letters, investigations have revealed that these companies transmitted calls offering fraudulent COVID-19 home testing kits or claiming that HVAC cleaning services will help fight the virus. But two things are different from last week’s warning letters. First, these letters were signed by the FTC and the FCC. The other interesting development comes in the form of a new strategy aimed at muting the dissonant ring of illegal robocalls. As the letters make clear, the three companies that received the warnings have 48 hours to stop routing or transmitting harmful robocall traffic from their clients making those claims or they will face an unprecedented “or else.” If the three companies don’t comply, the FCC will authorize all other U.S. voice providers to block all calls from them and take all steps that may be needed to prevent further transmission of unlawful calls from those companies. The agencies added that they will evaluate whether further action is warranted against the recipients of the letters.

An interesting aspect of that “or else” message relates to another letter sent by the two agencies – this one to telecommunications trade association USTelecom. The letter opens with a note of thanks to USTelecom’s Industry Traceback Group for promptly identifying fraudulent COVID-19 robocalls and lists companies and providers that appear to be responsible for illegal calls – businesses the Industry Traceback Group helped to name. The letter also lets USTelecom know that if the three companies don’t comply, the FCC will authorize U.S. providers to block all calls from those companies and to take steps to prevent further transmission of unlawful calls from them. The letter added, “[W]e encourage and expect providers to take an active role in managing their networks and client relationships to protect consumers from harmful, illegal robocalls and spoofed calls,” and again acknowledged the work of Industry Traceback Group, describing it as “essential to combating the deluge of unlawful robocalls and protecting consumers.”

Joint action by the FTC and FCC demonstrates just how seriously the agencies take the scourge of Coronavirus robocalls, but the letters also show that other companies have a critical role to play in the ongoing fight. No self-respecting member of the voice service industry – or any other business – should want anything to do with scammers out to exploit Americans during a time of national crisis.
- Background checks on prospective employees: Keep required disclosures simple by lfair on April 28, 2017 at 4:26 pm
By David Lincicum

If your company gets background information on prospective employees, it’s likely you’re covered by the Fair Credit Reporting Act. Before you get a background screening report, the law requires that you make certain disclosures and get a prospective employee’s authorization. Is it time for a FCRA compliance check?

Background screening reports are “consumer reports” under the FCRA when they serve as a factor in determining a person’s eligibility for employment, housing, credit, insurance, or other purposes and they include information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.” If your company uses background screening reports to make hiring decisions, here are some steps the FCRA requires you to take:

- Before you get a background screening report about a prospective employee, disclose to the person that you intend to get the report and then get their written authorization allowing you to do that.
- If the background screening report reveals something that may cause you to decide not to hire the person, you must notify them of the results of the report and provide them with a copy. Next, you have to give them sufficient time to review the report so they can challenge any elements that might be incorrect.
- If you ultimately decide not to hire someone based in whole or in part on the contents of a background screening report, you must provide a notice to that person that states they weren’t hired due at least in part to the result of the background screening report.

Companies often ask how to make the required initial disclosure before they obtain the background screening report and get the prospective employee’s authorization. It’s easier than you might imagine.

Under the FCRA, you must provide the prospective employee with a clear and conspicuous written disclosure that you plan to get a background screening report about them and you must get the person’s written authorization that gives you their permission to compile the report. It’s OK to put the required disclosure and your request for their authorization in one document. Just be sure to use clear wording that the prospective employee will understand. Some companies trip themselves up by using complicated legal jargon or adding extra acknowledgements or waivers. Here are some examples of the kind of things that shouldn’t be in this simple document:

- Don’t include language that claims to release you from liability for conducting, obtaining, or using the background screening report.
- Don’t include a certification by the prospective employee that all information in his or her job application is accurate.
- Delete any wording that purports to require the prospective employee to acknowledge that your hiring decisions are based on legitimate non-discriminatory reasons.
- Get rid of overly broad authorizations that permit the release of information that the FCRA doesn’t allow to be included in a background screening report – for example, bankruptcies that are more than 10 years old.

That extra stuff not only makes it harder for the prospective employee to understand the main purpose of the document, but it also may violate the FCRA. Adding other acknowledgements or releases of liability is beyond the scope of what the FCRA permits in this document. If you have additional waivers, authorizations, or disclosures you want to give to prospective employees, do it in a separate document. Don’t include them in the FCRA disclosure and authorization document.

It boils down to this: Complying with the FCRA’s disclosure requirement for the use of background screening reports is easy. You can do it in a few sentences. Just include a simple, easy-to-understand notification that you will obtain a background screening report, perhaps with a simple explanation of what information will be included in the report. The request for the prospective employee’s authorization should be in plain language, too. That’s it. Nothing else is required – and nothing else is permitted by the FCRA. Keep it simple. It’s not just a good idea. It’s the law.

(This post was updated on May 3, 2017, to clarify that it concerns required initial disclosures before companies obtain background screening reports.)
- Pulleys pushed with deceptive Made in USA claims by lfair on March 8, 2017 at 5:03 pm
By Lesley Fair

According to a settlement announced by the FTC, a Texas-based company used misleading Made in USA claims to push its pulleys. Read on for an ironic object lesson related to a specific pulley component engraved with the phrase “Made in USA.”

Among other things, Block Division, Inc., sells metal pulleys for industrial use – for example, to lift boats, operate overhead doors, or move theatrical scenery. The company advertises its products online, in stores, at trade shows, in print, and through social media. Its promotions often used text and graphics to convey a “Made in USA” message. The FTC says those claims conveyed to buyers that the items were all or virtually all made in the United States. But according to the complaint, many of Block Division’s products incorporated significant parts essential to their function that were actually imported from another country. And here’s the ironic part. For several years, some of the company’s pulleys included steel plates that entered the United States from overseas already stamped with the phrase “Made in USA.”

Under the terms of the proposed order, Block Division is prohibited from representing that a product is made in the United States unless “the final assembly or processing of the product occurs in the United States, all significant processing that goes into the product occurs in the United States, and all or virtually all ingredients or components of the product are made and sourced in the United States.” (That language tracks the FTC’s long-standing Enforcement Policy Statement on U.S. Origin Claims.) The order allows Block Division to make what the FTC calls “qualified” U.S. origin claims – claims that are limited in their applicability. But in that case, “a clear and conspicuous qualification” must appear “immediately adjacent to the representation that accurately conveys the extent to which the product contains foreign parts, ingredients, and/or processing.” (The order also includes a detailed definition of what “clear and conspicuous” means in this context.) The FTC is accepting online comments about the proposed settlement until April 7, 2017.

What’s the lowdown for businesses? Like any other objective product representation, your “Made in USA” claims must be truthful and you must have a “reasonable basis” – evidence in hand – before you make them. Read Complying with the Made in USA Standard for more information.
- Judge orders $13.4 million in contempt action challenging BlueHippo hype by lfair on May 2, 2016 at 2:52 pm
By Lesley Fair

Animation fans remember the ballet-dancing pink hippos in Fantasia. In Egyptian mythology, the god of disorder was depicted as a red hippo. And many consumers – especially those already in financial distress – were drawn in by national TV and radio ads for BlueHippo, a company that claimed to finance the purchase of computers and other electronics for people with “less than perfect credit, bad credit, no credit.” A $13.4 million ruling by a United States District Judge in an FTC contempt action sends a message to hippos of all hues (and businesses) about the FTC’s commitment to effective order enforcement.

In 2008, the FTC sued BlueHippo Funding and BlueHippo Capital for, among other things, not delivering ordered merchandise, failing to make disclosures required by the Truth in Lending Act and Regulation Z, and illegally conditioning the extension of credit on consumers’ “agreement” to repay by preauthorized electronic debit. One common tactic was that BlueHippo said it would deliver the product once the consumer made 13 weekly payments, but then didn’t make good on that promise. The FTC also alleged that in many instances, BlueHippo debited consumers’ accounts without first disclosing that consumers couldn’t get a refund even if they cancelled before delivery. The defendants settled that case, agreeing to pay up to $5 million in redress and to change how they did business in the future.

The FTC went back to court in 2009, alleging that BlueHippo was flouting the terms of the settlement and continuing to engage in illegal practices. The Court granted the FTC’s contempt motion against the corporate defendants and CEO Joseph Rensin, but entered a remedy of only $609,000. The FTC appealed the financial ruling.

Arguing that there should be a presumption that consumers relied on the defendants’ misrepresentations and omissions, the FTC sought a contempt order of $14 million – the gross sales the defendants generated through their illegal conduct. The United States Court of Appeals for the Second Circuit ruled, “We agree with the FTC and join our sister circuits in adopting a presumption of consumer reliance in FTC civil contempt actions.” The appellate court remanded the matter to the trial court to determine “whether the FTC has demonstrated that it is entitled to a presumption of consumer reliance. If so, the court should use defendants’ gross receipts as a baseline for calculating the consumers’ actual loss, and defendants should then be afforded an opportunity to proffer evidence showing that an offset of the baseline is warranted.”

What’s the latest development? On remand, the trial court entered a judgment against CEO Rensin for $13.4 million, the financial harm the court determined that consumers suffered as a result of the scheme. The case is another illustration of the FTC’s interest in effective order enforcement. To settle cases and then not follow through to see that defendants live up to their promises would be, well, hippo-critical.
- Third Circuit rules in FTC v. Wyndham case by lfair on August 25, 2015 at 7:25 pm
By Lesley Fair

FTC watchers and data security mavens, it’s the decision you’ve been waiting for. The United States Court of Appeals for the Third Circuit has issued a ruling in the Commission’s favor in FTC v. Wyndham Worldwide Corporation.

The FTC sued the hospitality company and three subsidiaries, alleging that data security failures led to three data breaches at Wyndham hotels in less than two years. According to the complaint, those failures resulted in millions of dollars of fraudulent charges on consumers’ credit and debit cards – and the transfer of hundreds of thousands of consumers’ account information to a website registered in Russia. In 2014, a federal District Court in New Jersey denied Wyndham’s motion to dismiss the FTC action. The Third Circuit agreed to hear an immediate appeal on two issues: “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.”

If your clients are concerned about data security – and they should be – you’ll want to read the entire opinion. But the long and the short of it is that the Third Circuit upheld the District Court’s ruling that the FTC could use the prohibition on unfair practices in section 5 of the FTC Act to challenge the alleged data security lapses outlined in the complaint. The Court also rejected Wyndham’s fair notice argument. Of course, the case is still pending before the District Court, but the Third Circuit ruling affirms important principles for how the FTC Act applies in the data security arena. The decision is a must-read for business executives and attorneys.
- Clearing out our IN box by wfg-adm109 on January 19, 2012 at 3:29 pm
Clearing out our IN box wfg-adm109 January 19, 2012 | 10:29AM Clearing out our IN box By Lesley Fair We’re glad you’re visiting the BCP Business Center and thanks for your questions. Here are answers to some of your AQs. (Calling them FAQs on a site devoted to truth in advertising doesn’t seem quite right.) I’ve looked everywhere and can’t find the disclosure I’m supposed to add when companies send me products to write about on my blog. Can you tell me the magic words? No — and that’s because there are no magic words. Here’s how it works. Under the FTC’s Endorsement Guides, if there’s a connection between the marketer of the product and a person endorsing the product that would affect how people evaluate the endorsement, it should be disclosed. But no one is suggesting a mandatory “Danger Will Robinson!” neon warning box. What matters is effective communication, not legalese. A disclosure like “Company X sent me [name of product] to try, and here’s what I think about it” gives readers the information they need. Consider this rule of thumb: If you approach it as you would any other important fact you want to get across to people who follow your blog, it’s likely you’ll come up with a natural, informative way to convey it. But a “Where can I bury this so no one will see it?” attitude? Not so effective. Find out more by reading FTC’s Revised Endorsement Guides: What People are Asking. I can’t find an old FTC case in the BCP Business Center. Right now our topical case categories go back about five years. Some go back further and we’re adding more cases when we can, but the lists aren’t exhaustive. A great resource is the FTC Office of the Secretary’s index of FTC administrative decisions, organized by name and by volume. They go back to 1949. You list cases alphabetically, but I’m more interested in the newest stuff. Voila! Now you have a choice. When you go to CASE HIGHLIGHTS, you can sort them by Most Recent or A-Z. 
Where can I find the FTC’s technical specs for data security?

There’s no one-size-fits-all approach. Under the FTC Act, what’s reasonable for your company depends on the nature of your business and the kind of information you have. (Of course, there could be other laws — the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, etc. — that apply, too.) The FTC has free resources you can use in developing your data security practices. Protecting Personal Information: A Guide for Business is one place for small businesses to start. Also, it makes sense to follow recent FTC law enforcement actions in the data security area. The complaints and orders apply just to those companies, but they offer insights into conduct that has raised concerns — and the practices more likely to keep your customers happy and your company out of legal hot water.

I tried to respond to something in the blog, but my comment didn’t show up. What happened?

We want to hear from you, but ask that people abide by the published Commenting Policy. The most common reason for a comment not to be posted is because it includes a sales pitch. As a general rule, if a comment is relevant to the thread but has a link to a commercial website, we’ll delete the link and post the comment.

You have a case listed in the wrong category. Can you fix that?

Sure. When you spot a mistake — or if you have suggestions on things we can do to make the BCP Business Center easier to use — email us at outreach@ftc.gov.

How can we get clearance to reprint something from your site in our newsletter?

You don’t need clearance. Stuff on our site is in the public domain. You’re free to reprint it in your newsletter or on your website — and we’d be delighted if you did. You’re also welcome to link to the BCP Business Center. Here are buttons to make that easier.

Is Lesley Fair a real person or is that a pun on “laissez faire economics”?
Lesley Fair is a real person, but thanks for thinking we’d know how to pun in a foreign language.

Most Esteemed Loved One: I write to you with much urgency in my heart. My late husband, the former Director of the Mining Secretariat of our small country, passed last year, leaving a sum of $USD 27,000,000 . . . .

You do know what that .gov in our URL stands for, don’t you?
- Nitro in the trunk? by wfg-adm109 on May 5, 2011 at 2:49 pm
By Lesley Fair

The French movie classic “The Wages of Fear” — remade in 1977 as “The Sorcerer” by American director William Friedkin — was a taut thriller about a team of toughs transporting a payload of volatile nitroglycerine to a remote location in South America. They meet with hazards along the way: a rope bridge hanging by a thread over a flood-swollen river, a boulder blocking a twisted mountain path, and a stretch of road so pot-holed it’s called “The Washboard.”

The connection to your business’ approach to data security might not seem readily apparent, but if you have sensitive personal information on your network or in your files, there’s an analogy to draw. Just as your driving habits would change if you were behind the wheel with a trunk full of nitro, so must you adjust your company’s practices, given the sensitivity of the information in your possession.

That’s one of the principles illustrated in the FTC’s settlement with Ceridian Corporation. Ceridian provides payroll processing and other HR services to business customers. One product, Powerpay, is a web-based system small businesses can use to collect and store employee data — for example, names, addresses, email addresses, phone numbers, Social Security numbers, dates of birth, and direct deposit bank account numbers — to automate their payroll processing. Certainly, Ceridian was aware of the sensitivity of the data involved. According to its own contracts, “When managing employee health and payroll data, security is paramount with Ceridian. Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.” But as the FTC’s lawsuit alleges, Ceridian engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for the personal data it collected and maintained.
Specifically, the FTC charged that the company:

- stored personal information in easy-to-read text;
- created unnecessary risks by storing it indefinitely on its network without a business need;
- didn’t adequately assess the vulnerability of its web applications and network to commonly known or reasonably foreseeable risks, like SQL injection attacks;
- didn’t implement readily available free or low-cost defenses; and
- failed to employ reasonable measures to detect and prevent unauthorized access.

As a result, says the FTC, hackers exploited those failures by mounting an SQL injection attack on the Powerpay site and web app, making off with the personal data of close to 28,000 employees of Ceridian’s small business customers, including in some cases their Social Security numbers, bank account info, and dates of birth. To settle the case, Ceridian has agreed to put in place a comprehensive information security program, including independent third-party security audits every other year for the next 20 years.

What do savvy marketers take from the FTC’s law enforcement action?

Staying socially secure. Of course, businesses want to take care with all data in their possession, but some information — Social Security numbers, for example — ups the ante when it comes to protection. Unscrambling the egg when ID thieves get hold of, say, credit card numbers can be tough enough: reams of paperwork disputing unauthorized charges and hours on the phone straightening out accounts. But when what’s at stake are Social Security numbers, the consequences can follow victims for the rest of their lives. OK, maybe SSNs aren’t unstable nitroglycerine on a desolate mountain road, but don’t tell that to people whose lives have been turned upside down by identity theft involving their Social Security number.

Prune the low-hanging fruit. Hackers will be with us always. So our job is to make their job as hard as possible.
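Two of the free defenses the complaint says were missing are easy to show side by side: binding query parameters instead of pasting user input into SQL text, and keeping only a keyed hash and the last four digits of an SSN rather than the full number in easy-to-read text. The block below is an added illustration, not Ceridian’s, Powerpay’s, or the FTC’s code; the employee table, field names, sample rows and the demo key are all constructed for this example.

```python
"""Added illustration of two failures alleged in the Ceridian complaint:
data stored in easy-to-read text and a web lookup open to SQL injection.
Not Ceridian's or the FTC's code; table, fields and rows are constructed."""
import hashlib
import hmac
import sqlite3

# Constructed key for the keyed-hash SSN index. In a real deployment it would
# come from a key manager, never from source code or the database itself.
INDEX_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample employees (name, SSN). The 900-series is never issued
# by the SSA, so these cannot collide with a real person's number.
SAMPLE_EMPLOYEES = [
    ("Ada Lovelace", "900-00-0001"),
    ("Alan Turing", "900-00-0002"),
    ("Grace Hopper", "900-00-0003"),
]


def ssn_index(ssn: str) -> str:
    """Keyed hash that lets the app find an employee by SSN without keeping
    the SSN itself on the network (a plain unkeyed hash of a 9-digit number
    would be trivially reversible)."""
    return hmac.new(INDEX_KEY, ssn.encode(), hashlib.sha256).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory table holding only the last four digits and the keyed hash,
    so no full SSN sits in the table in readable form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, ssn_last4 TEXT, ssn_idx TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [(n, s[-4:], ssn_index(s)) for n, s in SAMPLE_EMPLOYEES],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Query text assembled by concatenation: whatever the user types becomes
    part of the SQL statement. This is the class of defect the complaint
    describes; it is here only as the 'before' of the fix."""
    sql = "SELECT name, ssn_last4 FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding: the value travels separately from the SQL text, so
    quotes or operators in the input are matched literally, never executed."""
    return conn.execute(
        "SELECT name, ssn_last4 FROM employees WHERE name = ?", (name,)
    ).fetchall()


def lookup_by_ssn(conn: sqlite3.Connection, ssn: str) -> list:
    """Exact-match lookup by SSN that never needs the plaintext SSN stored."""
    return conn.execute(
        "SELECT name, ssn_last4 FROM employees WHERE ssn_idx = ?",
        (ssn_index(ssn),),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Input a tester would use to check whether quoting in the name field
    # reaches the query parser at all.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("hardened:  ", lookup_hardened(db, probe))    # no such employee
    print("by SSN:    ", lookup_by_ssn(db, "900-00-0002"))
```

Run as a script, the vulnerable lookup returns all three rows for the probe string while the hardened one returns none, and a dump of the table shows no full SSN anywhere. Parameter binding costs nothing beyond the driver you already have, which is the point of the complaint’s “readily available free or low-cost defenses” count.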
Many of the precautions that can boost the security of your network are readily available at low or even no cost. One simple step: Contact your software vendors for patches to address new threats. Make it a recurring appointment on your calendar to check with them for updates. In addition, many programs will go ahead and install urgent security patches and other fixes if your IT staff enables the “automatic updates” feature.

CERT-ainly safer. Part of the Department of Homeland Security, US-CERT (the United States Computer Emergency Readiness Team) provides response support and defense against cyber attacks and shares information with government and industry. US-CERT’s Reading Room offers a wealth of free resources for businesses of all sizes. Not the tech type? US-CERT’s got you covered, conveniently dividing materials into non-technical categories for busy executives and technical data for IT professionals. For example, their site offers step-by-step advice on protecting your network from an SQL injection attack and other common threats.

Next: More FTC law enforcement dealing with data security