Lawyers Run The World

Recent FTC CIDs Focusing Upon Financial Privacy

Federal Trade Commission Civil Investigative Demands

An interesting trend has been developing with Federal Trade Commission Civil Investigative Demands (CIDs). Of late, the agency has been focusing on deceptive and unfair trade practices related to consumer privacy and/or data security, including the collection, acquisition, use, disclosure, security, storage, retention and disposition of consumer information by financial institutions and/or their affiliates in violation of Section 5 of the FTC Act. Interestingly, CIDs that seek information regarding the public disclosure of consumers’ personal information and/or violations of the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act are becoming more and more commonplace.

Front and center are privacy policies and procedures, disclosures to non-affiliated third-parties and information security.

The Gramm-Leach-Bliley Act requires “financial institutions” to send consumers annual privacy notices and allow them to opt out of sharing their information with unaffiliated third parties. It also requires financial institutions to implement reasonable security policies and procedures. While the FTC has brought dozens of cases for violations of the GLB Act since 2015, the uptick in related FTC investigations is palpable.

Financial institutions must comply with the Privacy Rule and the Safeguards Rule. The Privacy Rule requires covered companies to provide notices to consumers that explain their privacy policies and practices.  The Safeguards Rule mandates that financial institutions protect the security, confidentiality, and integrity of customer information by implementing and maintaining a comprehensive written information security program.

A cut-and-paste job will not do.

The program has to include administrative, technical, and physical safeguards appropriate to the business’ size, the nature and scope of its activities, and the sensitivity of the customer information at issue. For example, companies have to conduct an assessment of how customers’ information could be at risk and then implement safeguards to address those risks.

Are you collecting Social Security number, phone number, address, income, marital status, debts, health insurance, bank names, account numbers, etc.? Is such information reasonably vulnerable to attack?

Privacy notices must be properly delivered. Become familiar with model notices. Appropriate authentication procedures should be utilized. Evaluate and adjust data privacy programs in light of changes to business operations.

The same can be said of FCRA investigations. The Fair Credit Reporting Act sets out rules for companies that use data to determine creditworthiness, insurance eligibility, suitability for employment and to screen tenants. The FTC has brought over 100 FCRA cases against companies for credit-reporting problems, including, but not limited to, inadequate policies and procedures.

In addition to the foregoing privacy and data security-centric investigative matters, the FTC applies its core enforcement resources to protect consumers against misconduct by providers of financial services, from abusive debt collectors to unscrupulous payday lenders, and deceptive student loan debt-relief operators to phony credit-repair services. Lead generators that directly participate in another’s fraud or provide substantial support while ignoring obvious warning signs of another’s illegal activity are increasingly the subject of civil investigations and enforcement actions.

Learn more about recent Federal Trade Commission investigations and enforcement actions by contacting the author at or by visiting his website at

Richard B. Newman is an FTC compliance and defense lawyer at Hinch Newman LLP. Follow him on LinkedIn and Facebook.

Attorney advertising.  Informational purposes only.  These materials are not legal advice, nor do they create a lawyer-client relationship. 


Richard B. Newman

Richard B. Newman is an Internet Lawyer at Hinch Newman LLP focusing on advertising law, Internet marketing compliance, regulatory defense and digital media matters. His practice involves conducting legal compliance reviews of advertising campaigns across all media channels, regularly representing clients in high-profile investigative proceedings and enforcement actions brought by the Federal Trade Commission and state attorneys general throughout the country, advertising and marketing litigation, advising on email and telemarketing best practice protocol implementation, counseling on eCommerce guidelines and promotional marketing programs, and negotiating and drafting legal agreements.
