The FTC just settled another violation of the FTC Act, this one for pretexting and selling call records. This is a one-person business, demonstrating that the FTC does not only go after the big fish, but the business minnows are fair game as well.
In conversations with SMBs, many have indicated that they do not believe oversight agencies would ever be interested in their compliance, or non-compliance, activities because the fines involved would not be as large, and/or because they are just too small for any government oversight agency to care about.
Businesses must realize that the FTC is not using noncompliance just as a revenue-generating machine targeting those multi-million-dollar settlements. They are going to investigate businesses of any size, in any industry, that they believe are engaging in unfair and deceptive business practices, and are otherwise in non-compliance with the FTC Act.
If your organization is making promises…within posted privacy policies, within mailings to your customers, within emails, or is otherwise involved in illegal activities such as pretexting, and so on…your business is at risk of potentially huge fines (although this particular one does not sound huge, remember this is basically a one-man business, so it may have significant impact on him). Usually making a much bigger impact, resource- and time-wise, are the consent order requirements that can go on for years and years…many organizations have 20-year consent order requirements for independent audits, documentation filings, and so on.
In this latest case, the defendant, Integrity Security & Investigation Services, Inc. (Edmund Edmister), agreed to a consent order requiring him to:
- Discontinue obtaining, causing others to obtain, marketing, or selling customer phone records and consumer personal information derived from phone records.
- Stop making false or deceptive representations, such as impersonating any person or entity, directly or by implication, to any person or entity in order to obtain consumer personal information.
- Stop requesting any person or entity to obtain consumer personal information relating to any third person, if the person making such a request knows or should know that the person or entity to whom such a request is made will obtain or attempt to obtain such information in violation of this consent decree.
- Pay a $2,700 penalty.
- Cooperate in meeting with the FTC whenever they request, along with providing interviews, conferences, pretrial discovery, review of documents, and anything else related to this issue whenever requested.
- For the next 3 years, deliver a copy of the consent order to all of his principals, officers, directors, and managers of this business, and of any other business the Defendant controls, directly or indirectly, and obtain signed receipts and acknowledgments from each.
- For the next 3 years deliver copies of the consent order to all of his employees, agents, and representatives, and obtain signed receipts and acknowledgments from each.
- For the next 3 years document all of the following and provide to the FTC at any time upon their request:
  - A. Accounting records that reflect the cost of goods or services sold, revenues generated, and the disbursement of such revenues
  - B. Personnel records accurately reflecting: the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person’s job title or position; the date upon which the person commenced work; and the date and reason for the person’s termination, if applicable
  - C. Customer files containing the names, addresses, phone numbers, dollar amounts paid, quantity of goods or services purchased, and description of goods or services purchased, to the extent such information is obtained in the ordinary course of business
  - D. Complaints and refund requests (whether received directly, indirectly or through any third party) and any responses to those complaints or requests
  - E. Copies of all sales scripts, training materials, advertisements, or other marketing materials, and records that accurately reflect the time periods during which such materials were used and the persons and business entities that used such materials
  - F. To the extent consumer personal information is obtained through the use of any third party, records that accurately reflect the name, address and telephone number of such third party, including, but not limited to, copies of all contracts and correspondence (other than correspondence that contains consumer personal information) between him and the third party
  - G. Copies of each acknowledgement of receipt of the consent order.
- For the next 3 years, notify the FTC of changes in address, employment, and other changes in the current business and any new business
- For the next 3 years, be closely monitored for compliance with these requirements.