{ "topic": "glba", "generated_at": "2026-03-27T00:38:02.674Z", "total_provisions": 252, "provisions": [ { "provision_number": "I", "title": "Prohibition Against Misrepresentations", "category": "prohibition", "summary": "Defendants are permanently restrained from making any false or misleading representations in connection with the advertising, promotion, or sale of goods or services, including specific misrepresentations about credit card affiliation, guaranteed credit, and discounted products.", "verbatim_text": "that in connection with the advertising, promotion, offering IT IS FURTHER ORDERED , or sale of goods or services by any means whatsoever, each of the Defendants, and their for sale successors, assigns, officers, agents , servants , employees, and those persons in active concert or paricipation with them who receive actual noticc of this Order by personal serice, facsimile , or otherwise, whether acting directly or through any corporation, subsidiary, division, or other entity, are hereby permnently restrined and enjoined from making, directly or by implication, orally or in writing, any false or misleading representation, or assisting others in making any such false or misleading representation, including any misrepresentation that:\n\nThe Defendat is affliated with Masterard, any other credit card or debit card company, or a ban or other financial institution;\n\nThe Defendant is contacting the consumer in response to a credit application made by the consumer;\n\nAfter a consumer pays the Defendant a fee, the consumer is likely or is guarteed to receive a credit card, debit card, or any other payment card or device of any kind;\n\nThe purchase of a credit card, debit card, or other payment card or device from the Defendant increases the likelihood that a consumer s credit wil improve and that the consumer will get other offers for unsecured credit cards in the future; and\n\nAfter a consumer pays the Defendant a fee, the consumer wil receive, at no additional charge, any discounted products or services.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing" ], "remedy_types": [ "Prohibition" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "II", "title": "Prohibition Against Unauthorized Billing", "category": "prohibition", "summary": "Defendants are permanently restrained from causing a consumer's credit or debit card to be charged or bank account to be debited without express authorization, before receipt of product information, before expiration of any free trial, after a cancellation request, or after the consumer is denied the ability to cancel.", "verbatim_text": "are hereby permanently restrained and enjoined frm causing a consumer s credit or debit card to be charged or bank account to be debited: Without having previously obtained the consumer s express authorization for such charge or debit;\n\nPrior to receipt by the consumer of information about the product or servce that the Defendant represents the consumer wil Eeceive;\n\nPrior to the expiration of any fre tral perod;\n\nAfter the Defendat has received a consumer request to cancel the purchase of such product or serice, unless the Defendant can show the charge or debit occured prior to receipt of the request to cancel; and\n\nAfter the consumer is denied the ability to cancel the product or service though the customer service number provided.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Prohibition" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "III", "title": "Compliance with the Gramm-Leach-Bliley Act", "category": "prohibition", "summary": "Defendants are restrained and enjoined from violating Section 521 of the Gramm-Leach-Bliley Act, including by inducing consumers to divulge personal financial information through misrepresentations about bank or credit card affiliation or possession of account information.", "verbatim_text": "IT IS FURTHER ORDERED that in connection with the advertising, promotion, offering for sale, or sale of goods or services by any means whatsoever, each of the Defendants, and their successors, assigns, offcers, agents, servants, employees, and those persons in active concert or paricipation with them who receive actual notice of ths Order by personal service, facsimile, or otherwise, whethcr acting directly or through any_corporation, subsidiar, division, or other entity, are hereby restrained and enjoined from violating any provision of Section 521 of the Gramm-Leach-Bliley Act, 15 U. C. g 6821, including but not limited to inducing consumers to divulge their personal fmancial information by misrepresenting, expressly or by implication, that: The Defendant is affliated with, or callng from or on bchalf of, a bank, fmanciaJ institution, or credit or debit card company; and\n\nThe Defendant already possesses, or is verifYng, a consumcr s bank accoWlt information.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Prohibition" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "V", "title": "Redress Payment", "category": "affirmative_obligation", "summary": "Defendants are jointly and severally liable for $512,000 in redress, satisfied by a $294,000 payment already deposited with the Commission and a $218,000 receivable assigned to the Commission; individual defendants must also provide taxpayer identifying numbers and driver's license copies.", "verbatim_text": "The Defendants are jointly and severally liable for, and are ordered to pay and over to the Commssion, money and assets having a total value of $512 000. Defendants' satisfaction of this $512 000 liability is due upon the entr of this Order by the Cour, and shall be discharged as follows: Defendants deposited the sum of $294 000 with the Commission simultaneously with their execution of this Order, and hereby convey the $294 000 to the Commission upon the entr of the Order, and forever after relinquish any right to this payment, which is not a fine or penalty; and Defendants hereby transfer and assign to the Commission, upon the entr of this Order, an their rights and interest in the $218,000 receivable owed to them by Defendant Assail, Inc., and forever afer forfeit and abandon any right or interest in that amount, so that those fuds win be available for use for consumer redress.\n\nagreeing to this Order. If, upon motion by the Commission, the Cour finds that any IWP03711\\829:3 STIPULATED JUDGMENT Page 8 of 24 - (; Defendant has failed to disclose any material asset or materially misstated the value of any asset in the financial documents descrbed above , or has made any other material misstatement or omission in the financial documents described above, the Court shaU enter a moneta judgment only against that Defendant in the amount of 000 000, and shall mae an express determination that there is no just reason for delay in the entr of that judgment. Ths monetary judgment, shall become immediately due and payable by the Defendant, with interest computed at the rate prescribed under 28 U. C. g 1969, as amended, due from the date of entr of this Order, and Plaintiff shall be permtted to execute upon the judgment immediately and engage in discovery in aid of execution.\n\nIn accordance with 31 U. c. g 7701, the Defendants are hereby required, unless fush they have done so already, to to the Commssion their respective taxpayer identifying numbers (social securty numbers and employer identification numbers) which shall be used for purposes of collecting and reporting on any delinquent amount arsing out of Defendants' relationship with the governent.\n\nThe Individual Defendants are furter required, unless they have done so already, to provide the Commssion with clear, legible and full-size photocopies of aU valid drver s licenses that they possess, which wil be used for reporting and compliance puroses.\n\nDefendants agree that the facts as alleged in the Complaint fied in this action shall be taken as tre in any subsequent litigatjn fied by the Commission to enforce its rights pursuant to this Order, including,! but not limted to, a non-dischargeability banptcy proceeding.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Monetary Penalty" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "VI", "title": "Commission's Use of Funds", "category": "affirmative_obligation", "summary": "Funds paid to the Commission may be deposited into a fund for equitable relief including consumer redress; any remaining funds may be used for other equitable relief reasonably related to Defendants' practices or deposited to the U.S. Treasury as disgorgement.", "verbatim_text": "IT IS FURTHER ORDERED that an funds paid to the Commission or its agent pursuant to Paragraph V of this Order, may be deposited into a fund admnistered by the Commission or its , including but not limted to consumer redress and any attendant agent to be used for equitable relief expenses for the administration of any redress fud. In the event that direct redress to consumers is wholly or parially impracticable or that fuds remain after redress is completed, the Commission may apply any remaining funds for such othcr equitable relief (including consumer information remcdies) as it determines to be reasonably related to Defendants' practices alleged in the Complaint. Any fuds not used for such equitable relief shall be deposited to the United States Treasury as disgorgement. Defendants shall have no right to challenge the Commission s choice of remedies under this Pargraph.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Consumer Redress" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "VII", "title": "Lifting of the Asset Freeze", "category": "affirmative_obligation", "summary": "The freeze of Defendants' assets pursuant to the Preliminary Injunction Order entered February 4, 2003 shall be lifted to the extent necessary to turn over assets required by Paragraph V, and upon completion of that transfer shall be permanently vacated and lifted.", "verbatim_text": "IT IS FURTHER ORDERED that the freeze of the Defendants' assets pursuant to the Preliminar Injunction Order entered by this Cour on February 4, 2003, shall be lifted to the extent necessary to turn over assets as required by Paragraph V of this Order, and upon completion ofthat transfer, shall be vacated and liftd permently.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Consumer Redress" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "VIII", "title": "Acknowledgment of Receipt of Order", "category": "acknowledgment", "summary": "Each Defendant must submit a truthful sworn statement to the Commission acknowledging receipt of this Order within five business days of receipt.", "verbatim_text": "IT IS FURTHER ORDERED that each Defendant, withi five (5) business days of receipt of this Order as entered by the Court, shall submit to the Commssion a trthful sworn statement acknowledging receipt of this Order.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing" ], "remedy_types": [ "Order Administration" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "IX", "title": "Distribution of Order by Defendant", "category": "acknowledgment", "summary": "For five years from entry, Defendants must deliver copies of this Order and a summary of its injunctive provisions to all principals, officers, employees, agents, and independent contractors, and secure signed acknowledgments of receipt within 30 days from current personnel and before new personnel begin duties.", "verbatim_text": "IT IS FURTHER ORDERED that year from the date of entry of , for a period of five (S) this Order: The Limited Partership Defendant shall: Deliver a copy of this Order to all principals, parters, offcers, and directors , and to all individuals servng the of the Limited Parership Defendant Limited Partnership Defendat in a maagement capacity, whether designated as employees, representatives, agents, consultants, independent contrctors or otherwse;\n\nDeliver, in the form set fort in Appendix A, a sumary of the injunctive provisions of this Order. to each employee, agent, representative and independent contractor having responsibilities subject to this Order; and\n\nSecure signed and dated statements acknowledging receipt of the Order or summ from CUITent principals, partners, offcers, directors , consultats managers, employees, agents, representatives and independent contractors having responsibilities subject to this Order, within thirt (30) days of the date of entry of this Order, and from futue principals, parners, offcers, directors, consultats, maagers, employees, agents, representatives and independent contractors having responsibilities subject to this Order before they commence their new duties or employment.\n\nThe Individual Defendants shall: Deliver a copy of this Order to all principals, parters, offcers, directors and individuals sering in a maagement capacity, whether designated as employees, representatives, agents, consultants, independent contractors or IWP037111829:3 Page II of24 STIPULA TED JUDGMENT otherwse, who are under the control of the Individual Defendant for any business that (a) employs or contracts for personal services from the Individual Defendant, and (b) has responsibilities with respect to the subject matter of this Orer;\n\nDeliver, in the form set forth in Appendix A, a summar of the injunctive provisions of this Order to each employee, agent, representative and independent contractor having responsibilities subject to this Order who is under the control of the Individual Defendant for any business that (a) employs or contracts for personal services fiom the Individual Defendant and (b) has responsibilities with respect to the subject matter of this Order; and\n\nSecure signed and dated statements acknowledging receipt of the Order or sumary from curent principals, parers, offcers, directors, consultants managers, employees, agents, representatives and independent contractors having responsibilities subject to this Order, within thirt (30) days of the date of entr of the Order, and from future principals, parters, offcers directors consultants, managers, employees, agents, representatives and independent contrctors having responsibilties subject to this Order before they commence their new duties or employment.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing" ], "remedy_types": [ "Order Administration" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "X", "title": "Compliance Reporting by Defendants", "category": "compliance_reporting", "summary": "For five years from entry, Individual Defendants must notify the Commission of changes in residence, employment status, and name within 10 days; all Defendants must notify of structural changes to business entities at least 30 days prior; and all Defendants must file annual written compliance reports for five years.", "verbatim_text": "For a period of five (5) years from the date of entr of this Order IWP03711\\829:3 STIPULATED JUDGMENT Page 12 of24 Each of the Individual Defendants shall notifY the Connssion in writing of any of the following: Any changes in residence, mailing addrsses and telephone numbers of the Individual Defendant, within ten (10) days ofthe date of such change;\n\nAny change in employment status (including self-employment) ofthe Individual Defendant, and any change in the ownership interest ofthe Individual Defendant in any business entity, withn ten (10) days of such change. Such notice shall include the nae and addrss of each business that the Individual Defendant is affiliated with, employed by, or performs services for, a statement ofthe nature of the business and a statement of the Individual Defendant duties and responsibilities in connection with the business or employment; aod\n\nAny changes in the Individual Defendant's name oruse of any aliases or fictitious naes; and\n\nAll Defendants shall notifY the Connssion of any changes in the strctue of the Limited Parnership Defendant, or any business entity that any Defendant directly or indirectly controls, or has an ownership interest in, that may affect compliance obligations arsing under this Order, including but not limited to a dissolution, assignent, sale, merger, or other action that would result in the emergence of a successor entity, the creation or dissolution of a subsidiary, parent, or affliate that engages in any acts or practices subject to IWP03711\\829:3 STIPULATED JUDGMENT Page 13 of 24 this Order, the tiling of a banptcy petition, or a change in the name or address of the entity, at least thirt (30) days prior to such change; provided that with respect to any proposed change in the business entity about which the Defendat learns less than thirt (30) days prior to the date such action is to take place, the Defendant shall notifY the Commission as soon as is practicable after obtaining such knowledge;\n\nOne hundred eighty (180) days after the date of entr of this Order , and each year thereafter on the same date, through and including January I, 2008, each of the Defendats shall provide a wrtten report to the Commission, sworn to under penalty of peIjury, settng fort in detail the maner and form in which the Defendant has complied and is complying with this Order. This report shall include but not be limited to: The then-cUIent residence address, mailing addresses and telephone numbers of the Individual Defendant; The then-curent employment and business addresses and telephone numbers of the Individual Defendant, a description of the business activities of each such employer or business, and the title and responsibilities of the Individual Defendant for each such employer or business; A statement of the Individual Defendat's then-curent business income and expenses, including a copy ofthe Individual Defendant s income tax returns with return for any parershifl, corporations or other business entities owned, controlled or operated by the Individual Defendant or on the Individual Defendat's behalf; \\ WP03711 \\829:3 STIPULTED JUDGMENT Page 140f24 , \" . . A statement describing the manner in which the Individual Defendant has complied and is complying with Pargraphs I-IV and XV of this Order; A copy of each acknowledgment of receipt of this Order obtained by the lndividual Defendant puruant to Paragraph IX of this Order;", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "XI", "title": "Monitoring Compliance of Sales Personnel", "category": "monitoring", "summary": "In connection with any business Defendants manage, control, or have a majority ownership interest in, Defendants are restrained from failing to take reasonable steps to monitor and ensure employee and contractor compliance with the Order, including random blind testing, complaint procedures, and corrective action.", "verbatim_text": "Failing to take reasonable steps suffcient to monitor and ensure that al1 employees and independent contractors engaged in sales or other customer service functions comply with Paragraphs I-IV and XV of this Order. Such steps shall include monitoring of sales presentations with customers, and shall also include, at a minimum, the following: (I) radom, blind testing of the oral representations made by persons engaged in sales or other customer service fuctions; (2) establishing procedure for receiving and responding to consumer complaints; and (3) ascertaining the number and natue of consumer complaints regarding tranactions in which each employee or independent contractor is involved;\n\nFailing promptly to investigate fully any consumer complaint received by any business to which this Pargraph applies; and\n\nFailing to tae any corrective action with respect to any sales person whom the Individual Defendant determnes is not complying with this Order, which may include trining, disciplining, and/or terminating such sales person.\n\nFailing to keep records of consumer complaints and the monitoring of consumer complaints.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "XII", "title": "Record-Keeping Provisions", "category": "recordkeeping", "summary": "For eight years from entry, Defendants are restrained from failing to create and retain specified business records, including accounting records, personnel records, customer files, complaints, sales scripts and marketing materials, and all documents necessary to demonstrate full compliance with the Order.", "verbatim_text": "that, for a period of eight (8) years from the date of entr of IT IS FURTHER ORDERED this Order, in cOimection with any business that the Limited Partership Defendant or any of the Individual Defendants directly or indirectly manages, controls or has a majority ownership interest , Defendants and their agents, employees, pricipalstparers, offcers, directors, corporations successors, and assigns, and those persons in active concert or participation with them who receive actual notice of this Order by personal service, facsimle or otherwise, are hereby restrained and enjoincd from failing to create and retain the following records: \\WP037H\\829:3 STIPULATED JUGMENT Page 16 of24 - - Accounting records that reflect the cost of goods or servIces sold, revenues generated, and the disbursement of such revenues;\n\nPersonnel records accurately reflecting: the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contrctor; that persons job title or position; the date upon which the person commenced work; and the date and reason for the persons termination, if applicable;\n\nCustomer files containing the names, addresses, phone numbers, dollar amounts paid, quantity of items or services purchased, and description of items or services purchased, to the extent such informtion is obtained in the ordinar course of business;\n\nComplaints and refud requests (whetherreceived directly, indirectly or thugh any third part) and any responses to those complaints or requests;\n\nCopies of all sales scripts , trining materials , advertisements, or other marketing materials, includig e-mail and Internet websites or web pages, regarding any good service, company or web site disseminated by the Defendant to any person; and\n\nAllrecords and documents necessary to demonstrte full compliance with each provision ofthis Order.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing" ], "remedy_types": [ "Recordkeeping" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "XIII", "title": "Access to Business Premises", "category": "monitoring", "summary": "For five years from entry, Defendants must permit Commission representatives to access any office or facility storing business documents within three business days of written notice, and must allow inspection, copying, and temporary removal of documents for up to three business days.", "verbatim_text": "IT IS FURTHER ORDERED that, for a period of five (5) year from the date of entry of this Order, for th(: purposes of determning or securing cempliance with its provisions, each ofthe Defendants, and 1heir agents, employees, principals, patiers, offcers, corporations, successors, and \\WP03711\\829:3 STIPULTED JUGMENT Page 17 of24 - -- - assigns, and those: persons or entities in active concert or partcipation with them who receive actual notice of this Order by personal service, facsimile or otherwise, shall pennit representatives of the Commission, within three (3) business days of receipt of wrtten notice from the Commssion, access during normal business hours to any offce or facility storing documents of any business tht the Defendant directly or indirectly manages, controls or has a majority interest in. In providing such access, the Defendant shall permit representatives of the Commission to inspect and copy all documents relevant to any matter contained in this Order, and shall pennit representatives of the Commission to n:move such documents for a period not to exceed thee (3) business days, so that the documents may be inspected, inventoried, and copied.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "XIV", "title": "Commission's Authority to Monitor Compliance", "category": "monitoring", "summary": "The Commission is authorized to monitor compliance through multiple means, including requiring Defendants to submit additional written reports, produce documents, appear for deposition, conduct discovery, and pose as consumers or suppliers; Defendants must permit interviews of personnel.", "verbatim_text": "Within ten (10) days of receipt of written notice from a representative of the Commssion, each of the Defendants each shall submit additional wrtten reports sworn to under penalty of perjury, produce documents for inspection and copying, and appear for deposition.\n\nIn addition, the Commission is authorized to monitor compliance with this Order by all other lawful means, including but not limited to the following: Obtaining discovery from any person, without further leave of cour, using the procedures prescribed by Fed. R. Civ. P. 30 33, , and 45; and Posing as consumers and suppli!!rs to Defendats, Defendants' employees or any other entity managed or controlled in whole or in part by any of the Defendants, without the necessity of identification or prior notice; and\n\nDefendants shall permt representatives of the Commssion to intervew any employer, consultant, independent contractor, representative, agent , parer, offcer or employee who has agreed to such an interview, relating in any way to any conduct subject to this Order. The person interviewed may have counsel present.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "XV", "title": "Prohibitions Involving Consumer Lists", "category": "prohibition", "summary": "Defendants are permanently restrained from selling, renting, leasing, transferring, or disclosing any consumer identifying information obtained prior to entry of this Order in connection with goods or services marketed by Defendant Assail, Inc., except as required by law or to law enforcement.", "verbatim_text": "IT IS FURTHER ORDERED that Defendants, and their pricipals, parners , officers agents, servants, employees, and attorneys, and all other persons or entities in active concert or partcipation with them who receive actual notice of this Order by personal service, facsimile, or otherwise, are hereby permently restrined and enjoined from sellng, renting, leasing, transferrng, or otherise disclosing the name, address, telephone number, credit card number, ban account number, e-mail address, or other identifYing information of any person which was obtained , at any time prior to entr advertising, by any Defendant of ths Order, in connection with the promotion, marketing, offerig for sale , or sale of any good or service marketed by Defendat Assail, Inc. provided, however that Defendants may disclose such identifYng information to a law enforcement agency, or as required by any law, regulation or cour order.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "XVI", "title": "Fees and Costs", "category": "affirmative_obligation", "summary": "Each party to this Order agrees to bear its own costs and attorneys' fees incurred in connection with this action.", "verbatim_text": "IS FURTHER ORDERED that each par to this Order hereby agrees to bear its own IT costs and attorneys' fees incured in connection with this action.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing" ], "remedy_types": [ "Order Administration" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "XVII", "title": "Retention of Jurisdiction", "category": "duration", "summary": "The Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.", "verbatim_text": "IT IS FURTHER ORDERED that this Cour shall retain jurisdiction of this matter for puroses of constrction, modification and enforcement of this Order.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing" ], "remedy_types": [ "Order Administration" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "XVIII", "title": "Complete Settlement", "category": "acknowledgment", "summary": "The parties consent to entry of this Order as a final judgment and order constituting a full, complete, and final settlement of this action.", "verbatim_text": "The paries hereby consent to entr of the foregoing Order which shall constitutc a final judgment and order in this matter. The partcs furter stipulate and agree that the entr of the foregoing order shall constitute a full, complete, and final settlement of this action.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing" ], "remedy_types": [ "Order Administration" ], "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "docket_number": "Civ. No. WA:03-CV-7" }, { "provision_number": "I", "title": "Prohibition Against Violating Safeguards and Privacy Rules", "category": "prohibition", "summary": "Respondent must not violate any provision of the GLB Act's Safeguards Rule (16 C.F.R. Part 314) or Privacy Rule (16 C.F.R. Part 313), directly or through any subsidiary, division, website, or other device.", "verbatim_text": "IT IS ORDERED that respondent shall not, directly or through any corporation, subsidiary, division, Web site, or other device, violate any provision of the Gramm-Leach-Bliley Act=s (AGLB Act@) Standards for Safeguarding Customer Information Rule (ASafeguards Rule@), 16 C.F.R. Part 314, or the Gramm-Leach-Bliley Act’s Privacy of Consumer Financial Information Rule (APrivacy Rule@), 16 C.F.R. Part 313.\n\nIn the event the Safeguards Rule or Privacy Rule is hereafter amended or modified, respondent’s compliance with these Rules as so amended or modified shall not be a violation of this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "01.05_sunbelt_lending_services", "company_name": "Sunbelt Lending Services, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3153-sunbelt-lending-services-inc-matter", "docket_number": "C-4129" }, { "provision_number": "II", "title": "Third-Party Security Assessment", "category": "assessment", "summary": "Respondent must obtain biennial independent third-party assessments of its information security program, certifying that safeguards comply with the Safeguards Rule and adequately protect nonpublic personal information.", "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with the Safeguards Rule, respondent shall obtain an assessment and report (an AAssessment@) from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession, within one hundred and eighty (180) days after service of the order, and biennially thereafter for ten (10) years after service of the order, that: A. sets forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period; B. explains how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent=s activities, and the sensitivity of the nonpublic personal information collected from or about consumers; C. explains how such safeguards meet or exceed the protections required by the Safeguards Rule; and D. certifies that respondent=s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of nonpublic personal information is protected and, for biennial reports, has so operated throughout the reporting period.\n\nEach Assessment shall be prepared by a person qualified as a Certified Information System Security Professional (CISSP); a person qualified as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security Institute (SANS); or by a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nRespondent shall provide the first Assessment, as well as all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of respondent, relied upon to prepare such Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. Respondent shall retain all subsequent biennial Assessments until the order is terminated and shall retain all materials relied upon in preparing each such Assessment, as listed above, for a period of three (3) years after the date of preparation of such Assessment. Respondent shall provide such subsequent Assessments and related materials to the Associate Director of Enforcement within ten (10) days of request.\n\n20580, within ten (10) days after the Assessment has been prepared. Respondent shall retain all subsequent biennial Assessments until the order is terminated and shall retain all materials relied upon in preparing each such Assessment, as listed above, for a period of three (3) years after the date of preparation of such Assessment. Respondent shall provide such subsequent Assessments and related materials to the Associate Director of Enforcement within ten (10) days of request.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "01.05_sunbelt_lending_services", "company_name": "Sunbelt Lending Services, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3153-sunbelt-lending-services-inc-matter", "docket_number": "C-4129" }, { "provision_number": "III", "title": "Order Acknowledgment and Delivery", "category": "acknowledgment", "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, and supervisory employees within 30 days of service (current) or assumption of responsibilities (future).", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having supervisory responsibilities with respect to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after the date of service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.\n\nthirty (30) days after the date of service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "01.05_sunbelt_lending_services", "company_name": "Sunbelt Lending Services, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3153-sunbelt-lending-services-inc-matter", "docket_number": "C-4129" }, { "provision_number": "IV", "title": "Notification of Corporate Changes", "category": "compliance_reporting", "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations, including dissolution, merger, bankruptcy, or name/address change.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nhowever, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices\n\nnotify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "01.05_sunbelt_lending_services", "company_name": "Sunbelt Lending Services, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3153-sunbelt-lending-services-inc-matter", "docket_number": "C-4129" }, { "provision_number": "V", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Respondent must file a written compliance report with the FTC within 180 days after service of the order, and at other times as required, detailing how it has complied; the initial report must include the first biennial Assessment.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall within one hundred eighty (180) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order. This report shall include a copy of the initial biennial Assessment required by Part II of this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "01.05_sunbelt_lending_services", "company_name": "Sunbelt Lending Services, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3153-sunbelt-lending-services-inc-matter", "docket_number": "C-4129" }, { "provision_number": "VI", "title": "Order Duration and Termination", "category": "duration", "summary": "The order terminates on January 3, 2025, or 20 years from the most recent date the FTC files a complaint alleging a violation of the order in federal court, whichever is later, subject to specified exceptions.", "verbatim_text": "This order will terminate on January 3, 2025, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; 4 B. This order's application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that the respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "01.05_sunbelt_lending_services", "company_name": "Sunbelt Lending Services, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3153-sunbelt-lending-services-inc-matter", "docket_number": "C-4129" }, { "provision_number": "I", "title": "Prohibition Against Misrepresenting Privacy Practices", "category": "prohibition", "summary": "Defendants are permanently restrained from misrepresenting, expressly or by implication, their privacy and data security practices, including how they collect, use, transfer, and/or disclose personal information about consumers.", "verbatim_text": "IT IS ORDERED that Defendants, Defendants’ officers, agents, employees, and 5 attorneys, and all other persons in active concert or participation with any of them, who receive 6 actual notice of this Order, whether acting directly or indirectly, in connection with promoting or 7 offering for sale any good or service, are permanently restrained and enjoined from 8 9 misrepresenting, expressly or by implication, Defendants’ privacy and data security practices, 10 including whether, how, and for what purposes Defendants collect, use, transfer, and/or disclose 11 personal information about consumers.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "III", "title": "Injunction Concerning the Provision of Privacy Notices", "category": "prohibition", "summary": "Defendants are permanently restrained from failing to provide a Privacy Notice to each consumer with whom Defendants form a Customer Relationship or about whom Defendants make a non-excepted disclosure to a nonaffiliated third party.", "verbatim_text": "21 IT IS FURTHER ORDERED that Defendants and Defendants’ officers, agents, 22 employees, and attorneys, and all other persons in active concert or participation with any of 23 them, who receive actual notice of this Order, whether acting directly or indirectly, in connection 24 with Defendants’ provision of any Financial Service are hereby permanently restrained and 25 enjoined from failing to provide a Privacy Notice to each consumer with whom Defendants form 26 27 a Customer Relationship or about whom Defendants make a disclosure of Nonpublic Personal 28 Information, other than an Excepted Disclosure, to a nonaffiliated third party.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "IV", "title": "Prohibition Against Improper Disclosure of Nonpublic Personal Information", "category": "prohibition", "summary": "Defendants are permanently restrained from disclosing Nonpublic Personal Information to nonaffiliated third parties unless the disclosure is to a Service Provider, is an Excepted Disclosure, or the consumer has been clearly informed and provided affirmative express consent.", "verbatim_text": "IT IS FURTHER ORDERED that Defendants, Defendants’ officers, agents, employees, 5 and attorneys, and all other persons in active concert or participation with any of them, who 6 receive actual notice of this Order, whether acting directly or indirectly, in connection with 7 Defendants’ provision of any Financial Service, are permanently restrained and enjoined from 8 9 disclosing to any nonaffiliated third party any Nonpublic Personal Information about a consumer 10 unless 11 A. The disclosure is to a Service Provider or is an Excepted Disclosure; or 12 B. Defendants have: 13 1. Clearly and Conspicuously disclosed to the consumer, separate and apart from any 14 15 “privacy policy,” “data use policy,” “statement of rights and responsibilities” page, or other 16 similar document, including any notice provided pursuant to Provision III of this order: (1) 17 the categories of nonpublic personal information that will be disclosed to such third parties 18 and (2) the identity or specific categories of such third parties; and 19 2. Obtained the relevant consumer’s affirmative express consent.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "V", "title": "Mandated Information Security Program", "category": "affirmative_obligation", "summary": "Each Covered Business must establish, implement, and maintain a comprehensive Information Security Program protecting the security, confidentiality, and integrity of Nonpublic Personal Information, including documentation, risk assessments, safeguards, testing, and service provider oversight.", "verbatim_text": "IT IS FURTHER ORDERED that each Covered Business shall not transfer, sell, share, 23 collect, maintain, or store Nonpublic Personal Information unless the Covered Business 24 establishes and implements, and thereafter maintains, a comprehensive Information Security 25 26 Program that protects the security, confidentiality, and integrity of such Nonpublic Personal 27 Information. To satisfy this requirement, each Covered Business must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information STIPULATED ORDED FOR CIVIL PENALTIES, Case No. 4:20-cv-00110; 14 Case 4:20-cv-00110-DMR Document 12 Filed 01/10/20 Page 15 of 30 1 Security Program;\n\n3 B. Provide the written program and any evaluations thereof or updates thereto to a senior 4 officer responsible for its Information Security Program at least once every twelve (12) months 5 and promptly after a Covered Incident;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the 7 Information Security Program;\n\n9 D. Assess and document, at least once every twelve (12) months and promptly following a 10 Covered Incident, internal and external risks to the security, confidentiality, or integrity of 11 Personal Information that could result in the unauthorized disclosure, misuse, loss, theft, 12 alteration, destruction, or other compromise of such information;\n\nE. Design, implement, maintain, and document safeguards that control the internal and 14 15 external risks to the security, confidentiality, or integrity of Nonpublic Personal Information 16 identified in response to sub-Provision VI.D. Each safeguard shall be based on the volume and 17 sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be 18 realized and result in the unauthorized access, collection, use, alteration, destruction, or 19 disclosure of the Personal Information.\n\n21 F. Assess, at least once every twelve (12) months and promptly following a Covered 22 Incident, the sufficiency of any safeguards in place to address the risks to the security, 23 confidentiality, or integrity of Nonpublic Personal Information, and modify the Information 24 Security Program based on the results;\n\nG. Test and monitor the effectiveness of the safeguards at least once every twelve (12) 26 27 months and promptly following a Covered Incident, and modify the Information Security 28 Program based on the results;\n\nH. Select and retain service providers capable of safeguarding Nonpublic Personal 2 3 Information they access through or receive from each Covered Business, and contractually 4 require service providers to implement and maintain safeguards for Personal Information; and\n\nI. Evaluate and adjust the Information Security Program in light of any changes to its 6 operations or business arrangements, a Covered Incident, or any other circumstances that 7 Defendants know or have reason to know may have an impact on the effectiveness of the 8 9 Information Security Program. At a minimum, each Covered Business must evaluate the 10 Information Security Program at least once every twelve (12) months and modify the 11 Information Security Program based on the results.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "VI", "title": "Information Security Assessments by a Third Party", "category": "assessment", "summary": "Defendants must obtain initial and biennial third-party assessments of the Information Security Program for each Covered Business, conducted by a qualified independent assessor, covering the first 180 days and each two-year period thereafter for ten years.", "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party 18 professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the 19 profession; (2) conducts an independent review of the Information Security Program; and (3) 20 21 retains all documents relevant to each Assessment for five (5) years after completion of such 22 Assessment and will provide such documents to the Commission within ten (10) days of receipt 23 of a written request from a representative of the Commission. No documents may be withheld 24 on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, 25 attorney client privilege, statutory exemption, or any similar claim.\n\n27 B. For each Assessment, Defendants shall provide the Associate Director for Enforcement 28 for the Bureau of Consumer Protection at the Federal Trade Commission with the name and STIPULATED ORDED FOR CIVIL PENALTIES, Case No. 4:20-cv-00110; 16 Case 4:20-cv-00110-DMR Document 12 Filed 01/10/20 Page 17 of 30 1 affiliation of the person selected to conduct the Assessment, which the Associate Director shall 2 3 have the authority to approve in his sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the 5 issuance date of the Order for the initial Assessment; and (2) each 2-year period thereafter for ten 6 (10) years after issuance of the Order for the biennial Assessments.\n\nD. Each Assessment must: (1) determine whether each Covered Business has implemented 8 9 and maintained the Information Security Program required by Provision VI of this Order, titled 10 Mandated Information Security Program; (2) assess the effectiveness of each Covered Business’s 11 implementation and maintenance of sub-Provisions VI.A-I; (3) identify any gaps or weaknesses 12 in the Information Security Program; and (4) identify specific evidence (including, but not 13 limited to documents reviewed, sampling and testing performed, and interviews conducted) 14 15 examined to make such determinations, assessments, and identifications, and explain why the 16 evidence that the Assessor examined is sufficient to justify the Assessor’s findings. No finding 17 of any Assessment shall rely solely on assertions or attestations by a Covered Business’s 18 management. The Assessment shall be signed by the Assessor and shall state that the Assessor 19 conducted an independent review of the Information Security Program, and did not rely solely on 20 21 assertions or attestations by a Covered Business’s management.\n\nE. Each Assessment must be completed within sixty (60) days after the end of the reporting 23 period to which the Assessment applies. Unless otherwise directed by a Commission 24 representative in writing, Defendants must submit each Assessment to the Commission within 25 ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by 26 27 overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of 28 Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, STIPULATED ORDED FOR CIVIL PENALTIES, Case No. 4:20-cv-00110; 17 Case 4:20-cv-00110-DMR Document 12 Filed 01/10/20 Page 18 of 30 1 DC 20580. The subject line must begin, “FTC v. Mortgage Solutions FCS, Inc., FTC File No. 2 3 1823199.” All subsequent biennial Assessments shall be retained by Defendants until the order 4 is terminated and provided to the Associate Director for Enforcement within ten (10) days of 5 request.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "VII", "title": "Cooperation with Third Party Information Security Assessor", "category": "affirmative_obligation", "summary": "Defendants must fully cooperate with the third-party Assessor by disclosing all material facts honestly and providing all relevant information and materials in their possession or control.", "verbatim_text": "A. Disclose all material facts to the Assessor, and must not misrepresent in any manner, 13 expressly or by implication, any fact material to the Assessor’s: (1) determination of whether 14 15 Defendants have implemented and maintained the Information Security Program required by 16 Provision VI of this Order, titled Mandated Information Security Program; (2) assessment of the 17 effectiveness of the implementation and maintenance of sub-Provisions VI.A-I; or (3) 18 identification of any gaps or weaknesses in the Information Security Program; and\n\nB. Provide or otherwise make available to the Assessor all information and material in their 20 21 possession, custody, or control that is relevant to the Assessment for which there is no reasonable 22 claim of privilege.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "VIII", "title": "Annual Certification", "category": "compliance_reporting", "summary": "Defendants must annually provide the Commission with a certification from a senior corporate manager or senior officer of each Covered Business attesting to compliance with the Order, the absence of uncorrected or undisclosed material noncompliance, and describing any Covered Incidents.", "verbatim_text": "27 A. One year after the issuance date of this Order, and each year thereafter, provide the 28 Commission with a certification from a senior corporate manager, or, if no such senior corporate STIPULATED ORDED FOR CIVIL PENALTIES, Case No. 4:20-cv-00110; 18 Case 4:20-cv-00110-DMR Document 12 Filed 01/10/20 Page 19 of 30 1 manager exists, a senior officer of each Covered Business responsible for each Covered 2 3 Business’s Information Security Program that: (1) each Covered Business has established, 4 implemented, and maintained the requirements of this Order; (2) each Covered Business is not 5 aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the 6 Commission; and (3) includes a brief description of any Covered Incident. The certification 7 must be based on the personal knowledge of the senior corporate manager, senior officer, or 8 9 subject matter experts upon whom the senior corporate manager or senior officer reasonably 10 relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual 12 certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by 13 overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of 14 15 Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, 16 DC 20580. The subject line must begin, “FTC v. Mortgage Solutions FCS, Inc., FTC File No. 17 1823199.”", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "IX", "title": "Covered Incident Reports", "category": "compliance_reporting", "summary": "Defendants must submit a report to the Commission for any Covered Business no later than ten (10) days after first notifying any government entity of a Covered Incident, including details about the incident, affected information, consumers affected, remediation steps, and copies of required notices.", "verbatim_text": "IT IS FURTHER ORDERED that Defendants, for any Covered Business, within a 20 21 reasonable time after the date of discovery of a Covered Incident, but in any event no later than 22 ten (10) days after the date the Covered Business first notifies any U.S. federal, state, or local 23 government entity of the Covered Incident, must submit a report to the Commission. The report 24 must include, to the extent possible:\n\nA. The date, estimated date, or estimated date range when the Covered Incident occurred; 26 27 B. A description of the facts relating to the Covered Incident, including the causes of the 28 Covered Incident, if known; STIPULATED ORDED FOR CIVIL PENALTIES, Case No. 4:20-cv-00110; 19 Case 4:20-cv-00110-DMR Document 12 Filed 01/10/20 Page 20 of 30 1 C. A description of each type of information that triggered the notification obligation to the 2 3 U.S. federal, state, or local government entity; 4 D. The number of consumers whose information triggered the notification obligation to the 5 U.S. federal, state, or local government entity; 6 E. The acts that the Covered Business has taken to date to remediate the Covered Incident 7 and protect Personal Information from further exposure or access, and protect affected 8 9 individuals from identity theft or other harm that may result from the Covered Incident; and 10 F. A representative copy of each materially different notice required by U.S. federal, state, 11 or local law or regulation and sent by the Covered Business or any of its clients to consumers or 12 to any U.S. federal, state, or local government entity.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident 14 15 reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by 16 overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of 17 Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, 18 DC 20580. The subject line must begin, “FTC v. Mortgage Solutions FCS, Inc., FTC File No. 19 1823199.”", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "X", "title": "Monetary Judgment for Civil Penalty", "category": "affirmative_obligation", "summary": "A civil penalty judgment of $120,000 is entered jointly and severally against Defendants, to be paid to the U.S. Treasury within 7 days of entry of this Order by electronic fund transfer.", "verbatim_text": "A. Judgment in the amount of one hundred and twenty thousand dollars ($120,000) is 24 entered in favor of Plaintiff against Individual Defendant and Corporate Defendant, jointly and 25 severally, as a civil penalty.\n\n27 B. Defendants are ordered to pay to Plaintiff, by making payment to the Treasurer of the 28 United States, one hundred and twenty thousand dollars ($120,000), which, as Defendants STIPULATED ORDED FOR CIVIL PENALTIES, Case No. 4:20-cv-00110; 20 Case 4:20-cv-00110-DMR Document 12 Filed 01/10/20 Page 21 of 30 1 stipulate, their undersigned counsel holds in escrow for no purpose other than payment to 2 3 Plaintiff. Such payment must be made within 7 days of entry of this Order by electronic fund 4 transfer in accordance with instructions previously provided by a representative of Plaintiff.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Monetary Penalty" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "XI", "title": "Additional Monetary Provisions", "category": "affirmative_obligation", "summary": "Defendants relinquish all rights to assets transferred under this Order; the Complaint's facts may be used as true in future proceedings; the penalty is not dischargeable in bankruptcy; and Defendants must submit their Taxpayer Identification Numbers to the Commission.", "verbatim_text": "A. Defendants relinquish dominion and all legal and equitable right, title, and interest in all 8 9 assets transferred pursuant to this Order and may not seek the return of any assets.\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any 11 subsequent civil litigation by or on behalf of the Commission, including in a proceeding to 12 enforce its rights to any payment or monetary judgment pursuant to this Order.\n\nC. Defendants agree that the judgment represents a civil penalty owed to the government of 14 15 the United States, is not compensation for actual pecuniary loss, and, therefore, as to the 16 Individual Defendants, it is not subject to discharge under the Bankruptcy Code pursuant to 11 17 U.S.C. § 523(a)(7).\n\nD. Defendants acknowledge that their Taxpayer Identification Numbers (Social Security 19 Numbers or Employer Identification Numbers), which Defendants must submit to the 20 21 Commission, may be used for collecting and reporting on any delinquent amount arising out of 22 this Order, in accordance with 31 U.S.C. §7701.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Consumer Redress" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "XII", "title": "Order Acknowledgments", "category": "acknowledgment", "summary": "Defendants must submit a sworn acknowledgment of receipt of this Order within 7 days, deliver copies to all relevant personnel and business entities within specified timeframes, and obtain signed acknowledgments within 30 days from each recipient.", "verbatim_text": "27 A. Each Defendant, within 7 days of entry of this Order, must submit to the Commission an 28 acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 5 years after entry of this Order, each Individual Defendant for any business that 2 3 such Defendant, individually or collectively with any other Defendants, is the majority owner or 4 controls directly or indirectly, and each Corporate Defendant, must deliver a copy of this Order 5 to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees 6 having managerial responsibilities for conduct related to the subject matter of the Order and all 7 agents and representatives who participate in conduct related to the subject matter of the Order; 8 9 and (3) any business entity resulting from any change in structure as set forth in the Section titled 10 Compliance Reporting. Delivery must occur within 7 days of entry of this Order for current 11 personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which a Defendant delivered a copy of this Order, that 13 Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this 14 15 Order.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Privacy", "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "XIII", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Defendants must submit an initial compliance report one year after entry of the Order and ongoing compliance notices within 14 days of any change in contact information or business structure for 15 years, and must notify the Commission of any bankruptcy filing within 14 days.", "verbatim_text": "A. One year after entry of this Order, each Defendant must submit a compliance report, 20 21 sworn under penalty of perjury: 22 Each Defendant must: (a) identify the primary physical, postal, and email address and 23 telephone number, as designated points of contact, which representatives of the Commission 24 and Plaintiff may use to communicate with Defendant; (b) identify all of that Defendant’s 25 businesses by all of their names, telephone numbers, and physical, postal, email, and 26 27 Internet addresses; (c) describe the activities of each business, including the goods and 28 services offered, and the involvement of any other Defendant (which Individual Defendants STIPULATED ORDED FOR CIVIL PENALTIES, Case No. 4:20-cv-00110; 22 Case 4:20-cv-00110-DMR Document 12 Filed 01/10/20 Page 23 of 30 1 must describe if they know or should know due to their own involvement); (d) describe in 2 3 detail whether and how that Defendant is in compliance with each Section of this Order; and 4 (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless 5 previously submitted to the Commission. 6 Additionally,each Individual Defendant must: (a) identify all telephone numbers and all 7 physical, postal, email and Internet addresses, including all residences; (b) identify all 8 9 business activities, including any business for which such Defendant performs services 10 whether as an employee or otherwise and any entity in which such Defendant has any 11 ownership interest; and (c) describe in detail such Defendant’s involvement in each such 12 business, including title, role, responsibilities, participation, authority, control, and any 13 ownership.\n\n15 B. For 15 years after entry of this Order, each Defendant must submit a compliance 16 notice, sworn under penalty of perjury, within 14 days of any change in the following: 17 Each Defendant must report any change in: (a) any designated point of contact; or (b) the 18 structure of any Corporate Defendant or any entity that Defendant has any ownership interest 19 in or controls directly or indirectly that may affect compliance obligations arising under this 20 21 Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, 22 or affiliate that engages in any acts or practices subject to this Order. 23 Additionally,each Individual Defendant must report any change in: (a) name, including 24 aliases or fictitious name, or residence address; or (b) title or role in any business activity, 25 including any business for which such Defendant performs services whether as an employee 26 27 or otherwise and any entity in which such Defendant has any ownership interest, and identify 28 the name, physical address, and any Internet address of the business or entity.\n\nC. Each Defendant must submit to the Commission notice of the filing of any bankruptcy 2 3 petition, insolvency proceeding, or similar proceeding by or against such Defendant within 14 4 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of 6 perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I 7 declare under penalty of perjury under the laws of the United States of America that the 8 9 foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full 10 name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to 12 the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight 13 courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of 14 15 Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, 16 DC 20580. The subject line must begin: FTC v. Mortgage Solutions FCS, Inc., FTC File No. 17 1823199.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Privacy", "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "XIV", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Defendants must create certain records for fifteen (15) years after entry of the Order and retain each such record for five (5) years, including accounting records, personnel records, consumer complaints, Assessment materials, law enforcement communications, and all records showing compliance.", "verbatim_text": "IT IS FURTHER ORDERED that Defendants must create certain records for fifteen (15) 20 21 years after entry of the Order, and retain each such record for five (5) years. Specifically, 22 Corporate Defendant and each Individual Defendant for any business that such Defendant, 23 individually or collectively with any other Defendants, is a majority owner or controls directly or 24 indirectly, must create and retain the following records: 25 A. Accounting records showing the revenues from all goods or services sold; 26 27 B. Personnel records showing, for each person providing services, whether as an employee 28 or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of STIPULATED ORDED FOR CIVIL PENALTIES, Case No. 4:20-cv-00110; 24 Case 4:20-cv-00110-DMR Document 12 Filed 01/10/20 Page 25 of 30 1 service; and (if applicable) the reason for termination; 2 3 C. Copies or records of all consumer complaints and refund requests related to the subject 4 matter of this Order, whether received directly or indirectly, such as through a third party, and 5 any response; 6 D. For five (5) years after the date of preparation of each Assessment required by this Order, 7 all materials and evidence that the Assessor considered, reviewed, relied upon or examined to 8 9 prepare the Assessment, whether prepared by or on behalf of Respondents, including all plans, 10 reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and 11 any other materials concerning Respondents’ compliance with related Provisions of this Order, 12 for the compliance period covered by such Assessment; 13 E. For five (5) years from the date received, copies of all subpoenas and other 14 15 communications with law enforcement, if such communications relate to Respondents’ 16 compliance with this Order; 17 F. For five (5) years from the date created or received, all records, whether prepared by or 18 on behalf of Respondents, that tend to show any lack of compliance by Respondents with this 19 Order; and 20 21 G. All records necessary to demonstrate full compliance with each provision of this Order, 22 including all submissions to the Commission.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Privacy", "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "XV", "title": "Compliance Monitoring", "category": "monitoring", "summary": "The Commission and Plaintiff are authorized to monitor Defendants' compliance through written requests for information, depositions, document production, direct communications with Defendants, employee interviews, undercover methods, compulsory process, and consumer reporting agency reports.", "verbatim_text": "27 A. Within 14 days of receipt of a written request from a representative of the Commission or 28 Plaintiff, each Defendant must: submit additional compliance reports or other requested STIPULATED ORDED FOR CIVIL PENALTIES, Case No. 4:20-cv-00110; 25 Case 4:20-cv-00110-DMR Document 12 Filed 01/10/20 Page 26 of 30 1 information, which must be sworn under penalty of perjury; appear for depositions; and produce 2 3 documents for inspection and copying. The Commission and Plaintiff are also authorized to 4 obtain discovery, without further leave of court, using any of the procedures prescribed by 5 Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, 6 and 69.\n\nB. For matters concerning this Order, the Commission and Plaintiff are authorized to 8 9 communicate directly with each Defendant. Defendant must permit representatives of the 10 Commission and Plaintiff to interview any employee or other person affiliated with any 11 Defendant who has agreed to such an interview. The person interviewed may have counsel 12 present.\n\nC. The Commission and Plaintiff may use all other lawful means, including posing, through 14 15 its representatives as consumers, suppliers, or other individuals or entities, to Defendants or any 16 individual or entity affiliated with Defendants, without the necessity of identification or prior 17 notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, 18 pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.\n\nD. Upon written request from a representative of the Commission or Plaintiff, any consumer 20 21 reporting agency must furnish consumer reports concerning Individual Defendants, pursuant to 22 Section 604(1) of the Fair Credit Reporting Act, 15 U.S.C. §1681b(a)(1).", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Privacy", "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "XVI", "title": "Retention of Jurisdiction", "category": "duration", "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Order.", "verbatim_text": "3 IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for 4 purposes of construction, modification, and enforcement of this Order.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Privacy", "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "docket_number": "4:20-cv-00110" }, { "provision_number": "I", "title": "Ban on Sale of Customer Phone Records", "category": "prohibition", "summary": "Defendants are permanently enjoined from obtaining, marketing, or selling customer phone records and consumer personal information derived from customer phone records, except as authorized by law, regulation, or lawful court order.", "verbatim_text": "I. IT IS THEREFORE ORDERED that Defendants, their assigns, officers, agents, servants, employees, and those persons in active concert or participation with them who receive actual notice of this Order by personal service or otherwise, are hereby restrained and enjoined from obtaining, causing others to obtain, marketing, or selling customer phone records and consumer personal information that is derived from customer phone records; provided, however, Page 3 of 14 Case 1:06-cv-01099-AMD Document 24 Filed 02/22/07 Page 4 of 14 that Defendants shall not be prohibited from obtaining customer phone records or consumer personal information that is derived from customer phone records pursuant to any law, regulation, or lawful court order. Nothing in this Order shall be read as an exception to this Section 1.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "02.07_information_search_and_david_j._kacala", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "docket_number": "AMD-01-1121" }, { "provision_number": "II", "title": "Prohibited Business Activities", "category": "prohibition", "summary": "Defendants are permanently enjoined from making false or deceptive statements to obtain consumer personal information, and from requesting others to obtain such information unlawfully.", "verbatim_text": "A. Making false or deceptive statements or representations, including but not limited to impersonating any person or entity, directly or by implication, to any person or entity in order to obtain consumer personal information;\n\nB. Requesting any person or entity to obtain consumer personal information relating to any third person, if the person making such a request knows or should know that the person or entity to whom such a request is made will obtain or attempt to obtain such information in violation of Subsection A ofthis Section II.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "02.07_information_search_and_david_j._kacala", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "docket_number": "AMD-01-1121" }, { "provision_number": "III", "title": "Monetary Relief", "category": "affirmative_obligation", "summary": "Judgment of $40,075.00 is entered against Defendants jointly and severally, suspended upon payment of $3,000.00 within 5 days; funds are to be used for equitable relief, and Defendants must furnish tax identification numbers to the FTC.", "verbatim_text": "A. Judgment is hereby entered against Defendants, jointly and severally, in the amount of FORTY THOUSAND AND SEVENTY FNE DOLLARS ($40,075.00); provided, however, that this judgment shall be suspended (1) upon payment to the FTC, within five (5) days after Defendants receive notice of entry of this Order, of THREE THOUSAND DOLLARS Page 4 of 14 Case 1:06-cv-01099-AMD Document 24 Filed 02/22/07 Page 5 of 14 ($3,000.00) in the form of a certified cashier's check made payable to the FTC or its designated agent; and (2) as long as the Court makes no finding, as provided in Section IV ofthis Order, that either Defendant materially misrepresented or omitted the nature, existence, or value of any asset.\n\nB. Any funds received by the FTC pursuant to this Section III shall be deposited into a fund administered by the FTC or its agent to be used for such equitable relief, including but not limited to consumer information remedies and disgorgement to the U.S. Treasury of ill-gotten monies, as the FTC determines to be reasonably related to Defendants' practices alleged in the Complaint. Defendants shall have no right to challenge the FTC's choice of remedies under this Section III.\n\nC Defendants further agree that the facts as alleged in the Complaint shall be taken as true in the event of any subsequent litigation to collect amounts due pursuant to this Order, including but not limited to a nondischargeability complaint in any bankruptcy proceeding.\n\nD. The judgment entered pursuant to this Section III is equitable monetary relief, solely remedial in nature, and not a fme, penalty, punitive assessment, or forfeiture.\n\nE. Defendants acknowledge and agree that any money paid pursuant to this Order is irrevocably paid to the FTC for purposes of settlement between the FTC and Defendants, and Defendants relinquish all rights, title, and interest to such money.\n\nF. Defendants are hereby required, in accordance with 31 U.S.C. § 7701, to furnish to the FTC their tax identification numbers, which shall be used for purposes of collecting and reporting on any delinquent amount arising out of this Order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Monetary Penalty" ], "case_id": "02.07_information_search_and_david_j._kacala", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "docket_number": "AMD-01-1121" }, { "provision_number": "IV", "title": "Right to Reopen", "category": "affirmative_obligation", "summary": "If the Court finds that either Defendant materially misrepresented or omitted assets in their financial statements, the suspended judgment becomes immediately due and payable; Defendants waive the right to contest complaint allegations for purposes of this section.", "verbatim_text": "IV. IT IS FURTHER ORDERED that the FTC's agreement to this Order is expressly premised on the truthfulness, accuracy and completeness of financial statements previously submitted by Defendants to the FTC. If, upon motion by the FTC, the Court fmds that the fmancial statement of either Defendant contains any material misrepresentation or omission, the m suspended judgment entered in Section of this Order shall become immediately due and payable as to that Defendant (less any amounts turned over to the FTC pursuant to Section lILA. of this Order); provided, however, that in all other respects this Order shall remain in full force and effect unless otherwise ordered by the Court; and provided further, that proceedings instituted under this provision would be in addition to, and not in lieu of, any other civil or criminal remedies as may be provided by law, including any other proceedings that the FTC may initiate to enforce this Order. For purposes of this Section IV, Defendants waive any right to contest any of the allegations in the Complaint.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Consumer Redress" ], "case_id": "02.07_information_search_and_david_j._kacala", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "docket_number": "AMD-01-1121" }, { "provision_number": "V", "title": "Cooperation with FTC", "category": "affirmative_obligation", "summary": "Defendant David J. Kacala must cooperate in good faith with the FTC, appear at requested places and times for interviews, discovery, and document review, and provide truthful testimony in any trial or proceeding related to the complaint without a subpoena if requested in writing.", "verbatim_text": "V. IT IS FURTHER ORDERED that Defendant David J. Kacala shall, in connection with this action or any subsequent investigations related to or associated with the transactions or the occurrences that are the subject of the FTC's Complaint, cooperate in good faith with the FTC and appear at such places and times as the FTC shall reasonably request, after written notice, for interviews, conferences, pretrial discovery, review of documents, and for such other matters as may be reasonably requested by the FTC. If requested in writing by the FTC, Defendant David J. Kacala shall appear and provide truthful testimony in any trial, deposition, or other proceeding related to or associated with the transactions or the occurrences that are the subject of the Complaint, without the service of a subpoena.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "02.07_information_search_and_david_j._kacala", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "docket_number": "AMD-01-1121" }, { "provision_number": "VI", "title": "Distribution of Order", "category": "acknowledgment", "summary": "For five years, Defendants must deliver copies of the Order to principals, officers, managers, employees, and agents, within 5 days for current personnel and prior to assuming responsibilities for new personnel, and must obtain signed acknowledgments of receipt within 30 days of delivery.", "verbatim_text": "A. Defendant Information Search, Inc., must deliver a copy of this Order to all of its principals, officers, directors, and managers. Defendant Information Search, Inc., also must deliver copies of this Order to all of its employees, agents, and representatives who engage in conduct related to the subject matter of the Order. For current personnel, delivery shall be within (5) days of service of this Order upon Defendant. For new personnel, delivery shall occur prior to them assuming their responsibilities.\n\nB. For any business that Defendant David J. Kacala controls, directly or indirectly, or in which he has a majority ownership interest, Defendant David 1. Kacala must deliver a copy of this Order to all principals, officers, directors, and managers of that business. Defendant David J. Kacala must also deliver copies of this Order to all employees, agents, and representatives of that business who engage in conduct related to the subject matter of the Order. For current personnel, delivery shall be within (5) days of service of this Order upon Defendant. For new personnel, delivery shall occur prior to them assuming their responsibilities.\n\nC. For any business where Defendant David J. Kacala is not a controlling person of a business but otherwise engages in conduct related to the subject matter of this Order, Defendant David J. Kacala must deliver a copy of this Order to all principals and managers of such business before engaging in such conduct.\n\nD. Defendants must secure a signed and dated statement acknowledging receipt of the Order, within thirty (30) days of delivery, from all persons receiving a copy of the Order pursuant to this Section VI.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Order Administration" ], "case_id": "02.07_information_search_and_david_j._kacala", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "docket_number": "AMD-01-1121" }, { "provision_number": "VII", "title": "Record-Keeping Provisions", "category": "recordkeeping", "summary": "For eight years, Defendants must create and retain specific records for any business they majority-own or control that is engaged in obtaining, marketing, or selling consumer personal information, including accounting, personnel, customer, complaint, marketing, third-party, and order acknowledgment records.", "verbatim_text": "A. Accounting records that reflect the cost of goods or services sold, revenues generated, and the disbursement of such revenues;\n\nB. Personnel records accurately reflecting: the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person's job title or position; the date upon which the person commenced work; and the date and reason for the person's termination, if applicable;\n\nC. Customer files containing the names, addresses, phone numbers, dollar amounts paid, quantity of goods or services purchased, and description of goods or services purchased, including information regarding the individual consumer whose personal information is being purchased, to the extent such information is obtained in the ordinary course of business;\n\nD. Complaints and refund requests (whether received directly, indirectly or through any third party) and any responses to those complaints or requests;\n\nE. Copies of all sales scripts, training materials, advertisements (including web sites ), or other marketing materials, and records that accurately reflect the time periods during which such materials were used and the persons and business entities that used such materials;\n\nF. To the extent consumer personal information is obtained through the use of third parties: 1. Records that accurately reflect the name, address, and telephone number of the third party; 2. Copies of all contracts and correspondence between either Defendant and such third party; and\n\nG. Copies of each acknowledgement of receipt of Order required to be obtained pursuant to Section VI of this Order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Recordkeeping" ], "case_id": "02.07_information_search_and_david_j._kacala", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "docket_number": "AMD-01-1121" }, { "provision_number": "VIII", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "For five years, Defendants must notify the FTC of changes in residence, employment, ownership, corporate structure, and other reportable events; Defendants must also submit a sworn written compliance report 180 days after entry of the Order.", "verbatim_text": "a. Any changes in his residence, mailing addresses, and telephone numbers, within ten (10) days of the date of such change;\n\nb. Any changes in his employment status (including self-employment), and any change in his ownership in any business entity, within ten (10) days of the date of such change. Such notice shall include the name and address of each business that he is affiliated with, employed by, creates or forms, or performs services for; a statement of the Page 9 of 14 Case 1:06-cv-01099-AMD Document 24 Filed 02/22/07 Page 10 of 14 nature of the business; and a statement of his duties and responsibilities in connection with the business or employment; and\n\nc. Any changes in his name or use of any aliases or fictitious names; and\n\n2. Defendants shall notify the FTC of any changes in corporate structure of Information Search, Inc., or any business entity that David 1. Kacala directly or indirectly control( s), or has an ownership interest in, that may affect compliance obligations arising under this Order, including but not limited to a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor entity; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; the filing of a bankruptcy petition; or a change in the corporate name or address, at least thirty (30) days prior to such change, provided that, with respect to any proposed change in the corporation about which a Defendant learns less than thirty (30) days prior to the date such action is to take place, such Defendant shall notify the FTC as soon as is practicable after obtaining such knowledge.\n\nB. One hundred eighty (180) days after the date of entry of this Order, Defendants each shall provide a written report to the FTC, sworn to under penalty of perjury, setting forth in detail the manner and form in which they have complied and are complying with this Order. This report shall include, but not be limited to: 1. For Defendant David 1. Kacala: a. The then-current residence address, mailing addresses, and telephone numbers of Defendant David 1. Kacala; Page 10 of 14 Case 1:06-cv-01099-AMD Document 24 Filed 02/22/07 Page 11 of 14 b. The then-current employment and business addresses and telephone numbers of Defendant David J. Kacala, a description of the business activities of each such employer or business, and the title and responsibilities of Defendant David J. Kacala, for each such employer or business; and c. Any other changes required to be reported under subparagraph A of this Section VIII. 2. For all Defendants: a. A copy of each acknowledgment of receipt of this Order, obtained pursuant to Section VI; b. Any other changes required to be reported under subparagraph A of this Section VIII.\n\nC. For the purposes of this Order, Defendants shall, unless otherwise directed by the FTC's authorized representatives, mail all written notifications to the FTC to: Associate Director of Enforcement Federal Trade Commission 600 Pennsylvania Avenue NW, RoomNJ2I22 Washington, DC 20580 Re: FTC v. Information Search, Inc., et al.\n\nD. For purposes of the compliance reporting and monitoring required by this Order, the FTC is authorized to communicate directly with Defendants.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "02.07_information_search_and_david_j._kacala", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "docket_number": "AMD-01-1121" }, { "provision_number": "IX", "title": "Compliance Monitoring", "category": "monitoring", "summary": "The FTC may monitor compliance through written reports, document production, depositions, business inspections, independent discovery, undercover posing as consumers or suppliers, and direct interviews of Defendants' personnel.", "verbatim_text": "A. Within ten (10) days of receipt of written notice from a representative of the FTC, Defendants each shall submit additional written reports, sworn to under penalty ofpeIjury; produce documents for inspection and copying; appear for deposition; and/or provide entry during normal business hours to any business location in such Defendant's possession or direct or indirect control to inspect the business operation;\n\nB. In addition, the FTC is authorized to monitor compliance with this Order by all other lawful means, including but not limited to the following: 1. Obtaining discovery from any person, without further leave of court, using the procedures prescribed by Fed. R. Civ. P. 30, 31, 33, 34, 36, and 45;\n\n2. Posing as consumers and suppliers to: Defendants, Defendants' employees, or any other entity managed or controlled in whole or in part by either Defendant, without the necessity of identification or prior notice; and\n\nC. Defendants shall permit representatives of the FTC to interview any employer, consultant, independent contractor, representative, agent, or employee who has agreed to such an interview, relating in any way to any conduct subject to this Order. The person interviewed may have counsel present.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "02.07_information_search_and_david_j._kacala", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "docket_number": "AMD-01-1121" }, { "provision_number": "X", "title": "Acknowledgment of Receipt of Order", "category": "acknowledgment", "summary": "Each Defendant must submit a truthful sworn statement to the FTC acknowledging receipt of this Order within five (5) business days after receipt.", "verbatim_text": "x. IT IS FURTHER ORDERED that within five (5) business days after receipt of this Order, as entered by the Court, each Defendant shall submit to the FTC a truthful sworn statement acknowledging receipt of this Order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Order Administration" ], "case_id": "02.07_information_search_and_david_j._kacala", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "docket_number": "AMD-01-1121" }, { "provision_number": "XI", "title": "Retention of Jurisdiction", "category": "duration", "summary": "The Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.", "verbatim_text": "XI. IT IS FURTHER ORDERED that this Court shall retain jurisdiction of this matter, for purposes of construction, modification, and enforcement of this Order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Order Administration" ], "case_id": "02.07_information_search_and_david_j._kacala", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "docket_number": "AMD-01-1121" }, { "provision_number": "I", "title": "Prohibited Business Activities", "category": "prohibition", "summary": "Defendant is permanently restrained and enjoined from making false or misleading statements about her identity or purpose, requesting others to obtain financial customer information unlawfully, disclosing or selling such customer information (with narrow exceptions), and making any materially false or misleading statements.", "verbatim_text": "A. Making, or assisting in the making, directly or by implication, any false or misleading statement about Defendant’s identity, purpose or right to receive customer information;\n\nB. Requesting a person to obtain customer information of a financial institution knowing or consciously avoiding knowing that the person will obtain, or attempt to obtain, the information from the institution in any manner described in Section A of this Paragraph, or in any manner that violates Section 521 of the GLB Act, 15 U.S.C. § 6821;\n\nC. Disclosing, disseminating, distributing, or selling customer information of a financial institution. Provided, however, that Defendant may disclose, disseminate, distribute or sell such customer information (1) with the prior written consent of the consumer to whom such information 4 relates, (2) to a law enforcement agency, or (3) as required by any law, regulation or court order; and\n\nD. Making or assisting in making, directly or by implication, any statement of material fact that is false or misleading.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Prohibition" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "II", "title": "Gramm-Leach-Bliley Act Prohibitions", "category": "prohibition", "summary": "Defendant is permanently restrained and enjoined from violating or assisting others in violating any provision of Section 521 of the GLB Act (Fraudulent Access to Financial Information), as it now exists or may hereafter be amended.", "verbatim_text": "IT IS FURTHER ORDERED that, in connection with the advertising, promotion, obtaining, offering for sale, or sale of customer information of a financial institution, Defendant is hereby permanently restrained and enjoined from violating or assisting others in violating any provision of Section 521 of the GLB Act, 15 U.S.C. § 6821, as it now exists or may hereafter be amended. A copy of the “Fraudulent Access to Financial Information” provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. § § 6821-6827, is attached to this Order and is hereby incorporated as if recited herein.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Prohibition" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "III", "title": "Monetary Relief", "category": "affirmative_obligation", "summary": "Defendant must pay $2,000.00 to the FTC by certified check or wire transfer within 15 business days of entry of the Order, to be deposited as disgorgement; default triggers statutory interest accrual.", "verbatim_text": "IT IS FURTHER ORDERED that Defendant shall pay $2,000.00 to the Commission by certified check or wire transfer within 15 business days of entry of the Order.\n\nA. No portion of the payment as herein provided shall be deemed a payment of any fine, penalty, forfeiture, or punitive assessment.\n\nB. In the event of any default on any obligation of Defendant to make payment under 5 this Paragraph, interest computed pursuant to 28 U.S.C. § 1961(a), shall accrue from the date of default to the date of payment.\n\nC. All funds paid pursuant to this Paragraph shall be deposited by the Commission to the Treasury as disgorgement.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Monetary Penalty" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "IV", "title": "Right to Reopen", "category": "monitoring", "summary": "The Order is premised on the truthfulness of Defendant's business records and sworn testimony; if the Commission finds material misrepresentation or omission of revenue, it may move the Court to reopen the Order solely to modify Defendant's monetary liability.", "verbatim_text": "IT IS FURTHER ORDERED that the Commission’s agreement to and the Court’s approval of this Order is expressly premised upon the truthfulness, accuracy, and completeness of Defendant Paula L. Garrett’s business records and sworn testimony regarding Defendant’s revenues attributable to financial asset searches that violate Section 521 of the GLB Act, 15 U.S.C. § 6821, and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), and related information submitted to the Commission, which contain material information relied upon by the Commission in negotiating and agreeing to the terms of this Order.\n\nIT IS FURTHER ORDERED that if the Commission should have evidence that the above-referenced information failed to disclose any significant revenue attributable to violative financial asset searches, or that Defendant materially misrepresented the revenues so attributable, or made any other material misrepresentation or omission, the Commission may move that the Court reopen this Order for the sole purpose of allowing the Commission to modify Defendant's monetary liability. Should this judgment be modified as to the monetary liability of the Defendant, this Order, in all other respects, shall remain in full force. Any proceedings instituted under this Paragraph shall be in addition to and not in lieu of any other proceedings the Commission may initiate to enforce this Order. Solely for the purposes of reopening or enforcing this Paragraph, Defendant waives any right to contest any of the allegations set forth in the Complaint filed in this matter.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "V", "title": "Lifting of Asset Freeze", "category": "affirmative_obligation", "summary": "The preliminary asset freeze against Defendant shall be lifted upon the Commission's receipt of the monetary relief payment ordered in Part III.", "verbatim_text": "IT IS FURTHER ORDERED that the freeze against the assets of Defendant Paula L. Garrett pursuant to Paragraph II of the Stipulated Preliminary Injunction entered by this Court on April 19, 2001, shall be lifted upon receipt of funds in payment of the monetary relief ordered in Part III of this Order.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Consumer Redress" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "VI", "title": "Prohibition on Disclosing Information from Asset Searches", "category": "prohibition", "summary": "Defendant is permanently restrained and enjoined from selling, renting, leasing, transferring, or otherwise disclosing any identifying or financial information of any person who was the subject of an asset search by Defendant or her agents, except with written consumer consent, to law enforcement, or as required by law.", "verbatim_text": "IT IS FURTHER ORDERED that Defendant is permanently restrained and enjoined from selling, renting, leasing, transferring, or otherwise disclosing (i) the name, address, social security number, telephone number, e-mail address, credit card number, or other identifying information, or (ii) any bank or brokerage account number or balance, or financial asset information of any kind, of any person who was, at any time, the subject of an asset search by Defendant or by any agents, servants, employees, or contractors of Defendant. Provided, however, that Defendant may disclose such information (1) with the written consent of the consumer to whom such information relates, (2) to a law enforcement agency, or (3) as required by any law, regulation, or court order.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Prohibition" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "VII", "title": "Distribution of Order by Defendant", "category": "acknowledgment", "summary": "For five years from entry of the Order, in connection with any information-brokering business she owns or controls, Defendant must provide a copy of the Order to all officers, directors, managers, asset-search personnel, and sales personnel and obtain signed acknowledgments, then retain those acknowledgments for three years.", "verbatim_text": "A. Provide a copy of this Order to, and obtain a signed and dated acknowledgment of receipt of same from, each officer or director, each individual serving in a management capacity, all personnel involved in financial asset searches of consumers, including but not limited to agents and independent contractors, and all sales personnel, whether designated as employees, agents, consultants, independent contractors, or otherwise, immediately upon employing or retaining any such persons: and\n\nB. Maintain for a period of three (3) years after creation and, upon reasonable notice, make available to representatives of the Commission, the original signed and dated acknowledgments of the receipt of copies of this Order, as required in Section A of this Paragraph.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "VIII", "title": "Monitoring Compliance of Employees, Agents and Independent Contractors", "category": "affirmative_obligation", "summary": "Defendant is permanently restrained and enjoined from failing to take reasonable steps to monitor and ensure that all employees, agents, and independent contractors comply with Paragraphs I and II of the Order, in connection with any information-brokering business she owns or controls.", "verbatim_text": "IT IS FURTHER ORDERED that in connection with any business engaged in whole or in part in advertising, promotion, obtaining, offering for sale, or sale of customer information of a financial institution, where she is the majority owner, or directly or indirectly manages or controls the business, Defendant Paula L. Garrett is hereby permanently restrained and enjoined from failing to take reasonable steps sufficient to monitor and ensure that all employees, agents and independent contractors comply with Paragraphs I and II of this Order.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "IX", "title": "Document Retention", "category": "recordkeeping", "summary": "Defendant must maintain for at least five years all records necessary to demonstrate compliance with this Order and the GLB Act, including financial records, training materials, scripts, and consumer complaints, and make them available to the FTC upon written request.", "verbatim_text": "IT IS FURTHER ORDERED that Defendant Paula L. Garrett, and her successors and assigns, shall maintain for at least five (5) years from the date of service of this Order and, upon written request by FTC employees, make available to the FTC for inspection and copying: 9 A. All records and documents necessary to demonstrate fully her compliance with each provision of this Order, including, but not limited to, financial and other business records, order forms, invoices, employee training materials, and scripts;\n\nB. All records and documents necessary to demonstrate her compliance with the requirements of the Sections 521-527 of the GLB Act, 15 U.S.C. § 6821-6827 inclusive, specifically including, but not limited to, Section 521(g) of the GLB Act, 15 U.S.C. § 6821(g), in the event that Defendant intends to rely upon this exception to the prohibited business practices described in Paragraph I; and\n\nC . Copies of any complaints received by Defendant regarding Defendant’s sale of customer information of a financial institution.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Recordkeeping" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "X", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Defendant must submit a sworn written compliance report to the FTC within 60 days of entry; for five years thereafter, must report within 30 days any re-entry into the information brokering business; all notifications must be mailed to the FTC's Division of Financial Practices.", "verbatim_text": "A. Sixty (60) days after the date of entry of this Order, Defendant Paula L. Garrett shall provide a written report to the FTC, sworn to under penalty of perjury, setting forth the manner and form in which the Defendant has complied and is complying with this Order;\n\nB. For a period of five (5) years from the date of entry of this Order, if Defendant re- enters business as an information broker, is employed by an information broker, or acts as the agent of an information broker, Defendant shall provide, within thirty (30) days after such change of employment, a report to the Commission including her current employment, business address, business 10 telephone number, a description of business activities, and a statement of Defendant's duties and responsibilities in connection with the business or employment;\n\nC. For the purposes of this Order, Defendant Paula L. Garrett shall, unless otherwise directed by the Commission’s authorized representatives, mail all written notifications to the Commission to: Associate Director, Division of Financial Practices Federal Trade Commission 600 Pennsylvania Ave., N.W. Washington, D.C. 20580 Re: FTC v. Paula L. Garrett (dba Discreet Data Systems); and\n\nD. For purposes of the compliance reporting required by this Paragraph, the Commission is authorized to communicate directly with Defendant.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "XI", "title": "Compliance Monitoring", "category": "monitoring", "summary": "The Commission is authorized to monitor Defendant's compliance by all lawful means, including obtaining discovery from any person, using undercover representatives posing as clients or other persons, and using compulsory process under the FTC Act.", "verbatim_text": "A. The Commission is authorized, without further leave of court, to obtain discovery from any person in the manner provided by Chapter V of the Federal Rules of Civil Procedure, Fed. R. Civ. P. 26-37, including the use of compulsory process pursuant to Fed. R. Civ. P. 45, for the purpose of monitoring and investigating Defendant’s compliance with any provision of this Order;\n\nB. The Commission is authorized to use representatives posing as clients, consumers, bank employees, private investigators, suppliers and other persons to Defendant, Defendant’s employees, or any other entity managed or controlled in whole or in part by Defendant, without the necessity of identification or prior notice; and\n\nC. Nothing in this Order shall limit the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49 and 57b-1, to investigate whether Defendant has violated any provision of this Order, Section 5 of the FTC Act, 15 U.S.C. § 45, or Section 521 of the GLB Act, 15 U.S.C. § 6821.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "XII", "title": "Access to Premises, Records, and Persons", "category": "monitoring", "summary": "For five years from entry of the Order, Defendant must permit Commission representatives, within three business days of written notice, to access business offices, inspect and copy all relevant documents, and interview officers, directors, and employees of any information-brokering business Defendant owns or controls.", "verbatim_text": "IT IS FURTHER ORDERED that, for a period of 5 years from the date of entry of this Order, for the purpose of further determining compliance with this Order, Defendant shall permit representatives of the Commission, within three (3) business days of receipt of written notice from the Commission: A. Access during normal business hours to any office, or facility storing documents, of any business where Defendant is the majority owner of the business or directly or indirectly manages or controls the business, and where the business is engaged in information brokering. In providing such access, such Defendant shall permit representatives of the Commission to inspect and copy all documents relevant to any matter contained in this Order; and shall permit Commission representatives to remove documents relevant to any matter contained in this Order for a period not to exceed five (5) business days so that the documents may be inspected, inventoried, and copied; and\n\nB. To interview the officers, directors and employees, including all personnel involved in responding to consumer complaints or inquiries, and all sales personnel, whether designated as employees, consultants, independent contractors or otherwise, of any business to which Section A of this Paragraph applies, concerning matters relating to compliance with the terms of this Order. The persons interviewed may have counsel present.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "XIII", "title": "Acknowledgment", "category": "acknowledgment", "summary": "Within five business days of receipt of the Order as entered by the Court, Defendant must submit to the Commission a truthful sworn statement in the form of Appendix A acknowledging receipt of the Order.", "verbatim_text": "IT IS FURTHER ORDERED that, within five (5) business days after receipt by Defendant of this Order as entered by the Court, Defendant Paula L. Garrett shall submit to the Commission a truthful sworn statement, in the form shown on Appendix A hereto, that shall acknowledge receipt of this Order.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "XIV", "title": "Costs and Attorneys Fees", "category": "affirmative_obligation", "summary": "Each party to this Order shall bear its own costs and attorneys fees incurred in connection with this action.", "verbatim_text": "IT IS FURTHER ORDERED that each party to this Order bear its own costs and attorneys fees incurred in connection with this action.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "XV", "title": "Retention of Jurisdiction", "category": "duration", "summary": "The Court retains jurisdiction of this matter for all purposes, including construction, modification, and enforcement of this Order.", "verbatim_text": "IT IS FURTHER ORDERED that the Court retains jurisdiction of this matter for all purposes, including the construction, modification, and enforcement of this Order.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "docket_number": "H-01-1255" }, { "provision_number": "I", "title": "Prohibition Against Violating GLB Safeguards and Privacy Rules", "category": "prohibition", "summary": "Respondents must not violate any provision of the GLB Act's Safeguards Rule (16 C.F.R. Part 314) or Privacy Rule (16 C.F.R. Part 313), directly or through any corporate entity or device.", "verbatim_text": "IT IS ORDERED that respondents shall not, directly or through any corporation, subsidiary, division, Web site, or other device, violate any provision of the Gramm-Leach-Bliley Act’s (“GLB Act”) Standards for Safeguarding Customer Information Rule (“Safeguards Rule”), 16 C.F.R. Part 314, or the Gramm-Leach-Bliley Privacy of Consumer Financial Information Rule (“Privacy Rule”), 16 C.F.R. Part 313.\n\nIn the event the Safeguards Rule or Privacy Rule is hereafter amended or modified, respondents’ compliance with these Rules as so amended or modified shall not be a violation of this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "04.05_nationwide_mortgage_group_and_john_d._eubank", "company_name": "Nationwide Mortgage Group, Inc.", "date_issued": "2005-04-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3104-nationwide-mortgage-group-inc-john-d-eubank-matter", "docket_number": "Docket No. 9319" }, { "provision_number": "II", "title": "Third-Party Security Assessment", "category": "assessment", "summary": "Respondents must obtain biennial independent third-party security assessments certifying their information security program, and provide the first assessment and related materials to the FTC within 10 days of preparation.", "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with the Safeguards Rule, respondents shall obtain an assessment and report (an “Assessment”) from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession, within one hundred and eighty (180) days after service of the order, and biennially thereafter for ten (10) years after service of the order, that: A. sets forth the specific administrative, technical, and physical safeguards that respondents have implemented and maintained during the reporting period; B. explains how such safeguards are appropriate to Nationwide’s size and complexity, the nature and scope of Nationwide’s activities, and the sensitivity of the personal information collected from or about consumers; C. explains how the safeguards that have been implemented meet or exceed the protections required by the Safeguards Rule; and D. certifies that respondents’ security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and, for biennial reports, has so operated throughout the reporting period.\n\nEach assessment shall be prepared by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security Institute (SANS); or by a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nRespondents shall provide the first Assessment, as well as all plans, reports, studies, reviews, policies, training materials, and assessments, whether prepared by or on behalf of respondents, relied upon to prepare such Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days\n\nafter the Assessment has been prepared. Respondents shall retain all subsequent biennial Assessments until the order is terminated and shall retain all materials relied upon in preparing each such Assessment, as listed above, for a period of three (3) years after the date of the preparation of such Assessment. Respondents shall provide such subsequent Assessments and related materials to the Associate Director of Enforcement within ten (10) days of request.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "04.05_nationwide_mortgage_group_and_john_d._eubank", "company_name": "Nationwide Mortgage Group, Inc.", "date_issued": "2005-04-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3104-nationwide-mortgage-group-inc-john-d-eubank-matter", "docket_number": "Docket No. 9319" }, { "provision_number": "III", "title": "Order Acknowledgment and Delivery", "category": "acknowledgment", "summary": "Respondents must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities — current personnel within 30 days of service, future personnel within 30 days of assuming their role.", "verbatim_text": "IT IS FURTHER ORDERED that respondents shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities with respect to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after the date of service of this order, and to such future personnel within thirty (30) days\n\ndays after the date of service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "04.05_nationwide_mortgage_group_and_john_d._eubank", "company_name": "Nationwide Mortgage Group, Inc.", "date_issued": "2005-04-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3104-nationwide-mortgage-group-inc-john-d-eubank-matter", "docket_number": "Docket No. 9319" }, { "provision_number": "IV", "title": "Employment Change Notification — John D. Eubank", "category": "compliance_reporting", "summary": "Respondent John D. Eubank must notify the FTC for 10 years of any discontinuance of current business or employment, or any affiliation with new business or employment, including new address, phone number, and description of duties.", "verbatim_text": "IT IS FURTHER ORDERED that respondent John D. Eubank, for a period of ten (10) years, after the date of issuance of this order, shall notify the Commission of the discontinuance of his current business or employment, or of his affiliation with any new business or employment. The notice shall include respondent John D. Eubank’s new business address and telephone number and a description of the nature of the business or employment and his duties and responsibilities. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "04.05_nationwide_mortgage_group_and_john_d._eubank", "company_name": "Nationwide Mortgage Group, Inc.", "date_issued": "2005-04-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3104-nationwide-mortgage-group-inc-john-d-eubank-matter", "docket_number": "Docket No. 9319" }, { "provision_number": "V", "title": "Corporate Change Notification", "category": "compliance_reporting", "summary": "Respondents must notify the FTC at least 30 days before any corporate change (dissolution, merger, sale, name change, bankruptcy filing, etc.) that may affect compliance obligations under this order.", "verbatim_text": "IT IS FURTHER ORDERED that respondents shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondents learn less than thirty (30) days prior to the date such action is to take place, respondents shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nhowever, that, with respect to any proposed change in the corporation about which respondents learn less than thirty (30) days prior to the date such action is to take place, respondents shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "04.05_nationwide_mortgage_group_and_john_d._eubank", "company_name": "Nationwide Mortgage Group, Inc.", "date_issued": "2005-04-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3104-nationwide-mortgage-group-inc-john-d-eubank-matter", "docket_number": "Docket No. 9319" }, { "provision_number": "VI", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Respondents must file a written compliance report with the FTC within 180 days of service of the order, and at such other times as the FTC may require, including a copy of the initial Assessment from Part II.", "verbatim_text": "IT IS FURTHER ORDERED that respondents shall within one hundred eighty (180) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which they have complied with this order. This report shall include a copy of the initial Assessment required by Part II of this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "04.05_nationwide_mortgage_group_and_john_d._eubank", "company_name": "Nationwide Mortgage Group, Inc.", "date_issued": "2005-04-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3104-nationwide-mortgage-group-inc-john-d-eubank-matter", "docket_number": "Docket No. 9319" }, { "provision_number": "VII", "title": "Order Duration and Termination", "category": "duration", "summary": "This order terminates on April 12, 2025, or 20 years from the most recent date the FTC or United States files a federal court complaint alleging a violation of the order, whichever is later, subject to specified exceptions.", "verbatim_text": "This order will terminate on April 12, 2025, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order's application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that the respondents did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "04.05_nationwide_mortgage_group_and_john_d._eubank", "company_name": "Nationwide Mortgage Group, Inc.", "date_issued": "2005-04-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3104-nationwide-mortgage-group-inc-john-d-eubank-matter", "docket_number": "Docket No. 9319" }, { "provision_number": "I", "title": "Prohibition Against Misrepresentations About Privacy and Security", "category": "prohibition", "summary": "Respondent must not misrepresent in any manner the extent to which it maintains and protects the privacy, confidentiality, or integrity of personal information collected from or about consumers.", "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the collection of personal information from or about consumers, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent maintains and protects the privacy, confidentiality, or integrity of any personal information collected from or about consumers.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "04.08_goal_financial", "company_name": "GOAL FINANCIAL, LLC", "date_issued": "2008-04-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313; Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3013-goal-financial-llc-matter", "docket_number": "C-4216" }, { "provision_number": "II", "title": "Comprehensive Information Security Program", "category": "affirmative_obligation", "summary": "Respondent must establish, implement, and maintain a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information, including specific administrative, technical, and physical safeguards.", "verbatim_text": "IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. the development and use of reasonable steps to retain service providers capable of appropriately safeguarding personal information they receive from respondent, requiring service providers by contract to implement and maintain appropriate safeguards, and monitoring their safeguarding of personal information.\n\nE. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "04.08_goal_financial", "company_name": "GOAL FINANCIAL, LLC", "date_issued": "2008-04-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313; Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3013-goal-financial-llc-matter", "docket_number": "C-4216" }, { "provision_number": "III", "title": "Compliance with Gramm-Leach-Bliley Rules", "category": "prohibition", "summary": "Respondent must not violate the FTC's Safeguards Rule (16 C.F.R. Part 314) or the Privacy of Customer Financial Information Rule (16 C.F.R. Part 313), with a safe harbor if either rule is later amended.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall not, directly or through any corporation, subsidiary, division, website, or other device, violate any provision of: A. the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, as attached or as may be amended; or\n\nB. the Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313, as attached or as may be amended.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "04.08_goal_financial", "company_name": "GOAL FINANCIAL, LLC", "date_issued": "2008-04-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313; Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3013-goal-financial-llc-matter", "docket_number": "C-4216" }, { "provision_number": "IV", "title": "Biennial Third-Party Security Assessments", "category": "assessment", "summary": "Respondent must obtain initial and biennial third-party security assessments from a qualified independent professional covering compliance with Parts II and III.A, with the initial assessment covering the first 180 days and biennial assessments for each two-year period thereafter for ten years.", "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Parts II, and III.A. of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for ten (10) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period; B. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers; C. explain how the safeguards that have been implemented meet or exceed the protections required by the Parts II and III A. of this order; and D. certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Page 4 of 6 Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nRespondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "04.08_goal_financial", "company_name": "GOAL FINANCIAL, LLC", "date_issued": "2008-04-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313; Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3013-goal-financial-llc-matter", "docket_number": "C-4216" }, { "provision_number": "V", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Respondent must maintain and make available to the FTC documents relating to compliance, including documents contradicting compliance for five years and assessment-related materials for three years after each assessment.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain, and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of each document relating to compliance, including but not limited to: A. for a period of five (5) years: any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each Assessment required under Part IV of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts II and III.A. of this order, for the compliance period covered by such Assessment. Respondent shall provide such documents to the Associate Director of Enforcement within ten (10) days of request.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "04.08_goal_financial", "company_name": "GOAL FINANCIAL, LLC", "date_issued": "2008-04-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313; Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3013-goal-financial-llc-matter", "docket_number": "C-4216" }, { "provision_number": "VI", "title": "Order Distribution and Acknowledgment", "category": "acknowledgment", "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities, within specified timeframes.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes\n\nservice of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "04.08_goal_financial", "company_name": "GOAL FINANCIAL, LLC", "date_issued": "2008-04-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313; Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3013-goal-financial-llc-matter", "docket_number": "C-4216" }, { "provision_number": "VII", "title": "Notification of Corporate Changes", "category": "compliance_reporting", "summary": "Respondent must notify the FTC at least thirty days prior to any change in the company that may affect compliance obligations, including dissolution, merger, sale, bankruptcy filing, or name/address change.", "verbatim_text": "IT IS FURTHER ORDERED that respondent and its successors and assigns shall notify the Commission at least thirty (30) days prior to any change in the limited liability company that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change Page 5 of 6 in the company name or address. Provided, however, that, with respect to any proposed change in the company about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nin the company name or address. Provided, however, that, with respect to any proposed change in the company about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "04.08_goal_financial", "company_name": "GOAL FINANCIAL, LLC", "date_issued": "2008-04-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313; Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3013-goal-financial-llc-matter", "docket_number": "C-4216" }, { "provision_number": "VIII", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Respondent must file a written compliance report with the FTC within sixty days after service of this order, and at such other times as the FTC may require.", "verbatim_text": "IT IS FURTHER ORDERED that respondent and its successors and assigns shall, within sixty (60) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "04.08_goal_financial", "company_name": "GOAL FINANCIAL, LLC", "date_issued": "2008-04-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313; Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3013-goal-financial-llc-matter", "docket_number": "C-4216" }, { "provision_number": "IX", "title": "Order Duration and Termination", "category": "duration", "summary": "This order terminates on April 9, 2028, or twenty years from the most recent date the FTC files a complaint alleging a violation of the order in federal court, whichever is later, subject to specified exceptions.", "verbatim_text": "This order will terminate on April 9, 2028, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "04.08_goal_financial", "company_name": "GOAL FINANCIAL, LLC", "date_issued": "2008-04-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313; Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3013-goal-financial-llc-matter", "docket_number": "C-4216" }, { "provision_number": "I", "title": "Prohibited Misrepresentations", "category": "prohibition", "summary": "Respondent must not misrepresent any material restriction or condition to use any Payment and Social Networking Service, or the extent to which it protects the privacy, confidentiality, security, or integrity of covered information.", "verbatim_text": "I. IT IS ORDERED that Respondent, and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, promotion, offering for sale, sale, or use of any Payment and Social Networking Service must not misrepresent or assist others in misrepresenting, expressly or by implication: A. Any material restriction, limitation, or condition to use any Payment and Social Networking Service; and\n\nB. The extent to which Respondent, in connection with any Payment and Social Networking Service, protects the privacy, confidentiality, security, or integrity of any covered information, including: 1. The extent to which a consumer may exercise control over the disclosure of any covered information from or about a User and the steps a User must take to implement any such controls; and 2. The extent to which Respondent implements or adheres to a particular level of security.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "05.18_paypal", "company_name": "PayPal, Inc.", "date_issued": "2018-05-15", "year": 2018, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule (Reg. P), 16 C.F.R. Part 313; and the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3102-paypal-inc-matter", "docket_number": "C-4651" }, { "provision_number": "II", "title": "Required Disclosures", "category": "affirmative_obligation", "summary": "Within 150 days, Respondent must clearly and conspicuously disclose, near any representation about fund transfers, that transactions are subject to review and funds may be frozen; and must issue a notice to all Users about transaction review practices.", "verbatim_text": "A. Within one hundred and fifty (150) days of the effective date of this Order, Respondent, and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, when making any representation through any Payment and Social Networking Service, expressly or by implication, about the availability of funds to be transferred or withdrawn to a bank account (1) must disclose, clearly and conspicuously, and in close proximity to such representation (a) that the transaction is subject to review and (b) the fact, if true, that funds could be frozen or removed as a result of transaction reviews performed during the bank transfer or withdrawal process, and (2) the representation must not be otherwise misleading.\n\nB. Respondent must issue a notice to Users, within one hundred and fifty (150) days of the effective date of this Order as follows: (i) for Users who have installed a Payment and Social Networking Service as an app, through the app such that the notice appears when the User next opens the app or (ii) for Users who have not installed a Payment and Social Networking Service as an app, through a text message, email, or other communication sufficient to provide clear and conspicuous notice prior to the User’s next transaction. The notice shall disclose, clearly and conspicuously, and separate and apart from any “privacy policy,” “terms of use,” “end user license agreement,” or similar document, the fact, if true, that when a User attempts to transfer or withdraw funds to a bank account, Respondent (1) will perform transaction reviews, and (2) based on such review, may (i) block or delay the transfer or withdrawal, and/or (ii) reverse a payment transaction.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Consumer Notification" ], "case_id": "05.18_paypal", "company_name": "PayPal, Inc.", "date_issued": "2018-05-15", "year": 2018, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule (Reg. P), 16 C.F.R. Part 313; and the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3102-paypal-inc-matter", "docket_number": "C-4651" }, { "provision_number": "III", "title": "Additional Privacy Disclosures", "category": "affirmative_obligation", "summary": "Within 150 days and continuing thereafter, Respondent must clearly and conspicuously disclose to each User how their transaction information will be shared and how they can use privacy settings to limit such sharing, at the time of their next transaction or account opening.", "verbatim_text": "III. IT IS FURTHER ORDERED that, within one hundred and fifty (150) days of the effective date of this Order, and continuing thereafter, Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any Payment or Social Networking Service, must clearly and conspicuously disclose to each User, through the Payment and Social Networking Service, and separate and apart from any “privacy policy,” “terms of use,” “blog,” “helpful information” page, or similar document: (1) how the User’s transaction information will be shared with other Users; and (2) how the User can use privacy settings to limit or restrict the visibility or sharing of the User’s transaction information on the Payment and Social Networking Service. For Users that have already created an account when this disclosure is first issued, this disclosure must occur at or immediately prior to the time that the User next engages in a transaction through the Payment and Social Networking Service. For Users that have not created an account when this disclosure is first issued, this disclosure must occur at the time the User opens an account. This disclosure must not contain any other information.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Consumer Notification" ], "case_id": "05.18_paypal", "company_name": "PayPal, Inc.", "date_issued": "2018-05-15", "year": 2018, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule (Reg. P), 16 C.F.R. Part 313; and the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3102-paypal-inc-matter", "docket_number": "C-4651" }, { "provision_number": "IV", "title": "GLB Rule Provisions", "category": "prohibition", "summary": "Respondent is permanently restrained and enjoined from violating the Privacy of Consumer Financial Information Rule (Regulation P) and the Standards for Safeguarding Consumer Information Rule.", "verbatim_text": "IV. IT IS FURTHER ORDERED that Respondent, and Respondent’s officers, agents, employees and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any Payment and Social Networking Service, are hereby permanently restrained and enjoined from violating any provision of: A. The Privacy of Consumer Financial Information Rule (Regulation P), 12 C.F.R. Part 1016; or\n\nIV. IT IS FURTHER ORDERED that Respondent, and Respondent’s officers, agents, employees and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any Payment and Social Networking Service, are hereby permanently restrained and enjoined from violating any provision of: A. The Privacy of Consumer Financial Information Rule (Regulation P), 12 C.F.R. Part 1016; or B. The Standards for Safeguarding Consumer Information Rule, 16 C.F.R. Part 314.\n\nIn the event that any of the statutory sections or rules identified in this Part are hereafter amended or modified, compliance with that statutory section or rule as so amended or modified shall not be a violation of this Order.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Prohibition" ], "case_id": "05.18_paypal", "company_name": "PayPal, Inc.", "date_issued": "2018-05-15", "year": 2018, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule (Reg. P), 16 C.F.R. Part 313; and the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3102-paypal-inc-matter", "docket_number": "C-4651" }, { "provision_number": "V", "title": "Biennial Assessment Requirements", "category": "assessment", "summary": "Respondent must obtain initial and biennial third-party assessments of the Venmo Payment and Social Networking Service covering administrative, technical, and physical safeguards, with the initial assessment covering the first 180 days and biennial assessments covering each two-year period for 10 years.", "verbatim_text": "V. IT IS FURTHER ORDERED that Respondent, and its successors and assigns, in connection with their compliance with Section IV(A) and (B) of this Order, shall obtain initial and biennial assessments and reports (“Assessments”) of the Venmo Payment and Social Networking Service from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the Order for the initial Assessment, and (2) each two-year period thereafter for ten (10) years after service of this Order for the biennial Assessments. Each Assessment shall: A. Set forth the specific administrative, technical, and physical safeguards that Respondent has implemented and maintained during the reporting period; B. Explain how such safeguards are appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the covered information collected from or about consumers; C. Explain how the safeguards that have been implemented meet or exceed the protections required by Section IV(B) of this Order; and D. Certify that Respondent’s security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the confidentiality, security, and integrity of covered information is protected and has so operated throughout the reporting period.\n\nEach Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. The Assessment must be obtained from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. A professional qualified to prepare such Assessments must be: an individual qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); an individual holding Global Information Assurance Certification (GIAC) from the SANS Institute; or a qualified individual or entity approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nRespondent must submit the initial Assessment to the Commission within 10 days after the Assessment has been completed. Respondent must retain all subsequent biennial Assessments, at least until the Order terminates. Respondent must submit any biennial Assessments to the Commission within 10 days of a request from a representative of the Commission.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "05.18_paypal", "company_name": "PayPal, Inc.", "date_issued": "2018-05-15", "year": 2018, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule (Reg. P), 16 C.F.R. Part 313; and the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3102-paypal-inc-matter", "docket_number": "C-4651" }, { "provision_number": "VI", "title": "Acknowledgments of the Order", "category": "acknowledgment", "summary": "Respondent must submit a sworn acknowledgment of receipt of this Order within 10 days, deliver copies to all principals, officers, employees, and new personnel, and obtain signed acknowledgments from each recipient within 60 days.", "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 60 days, a signed and dated acknowledgment of receipt of this Order.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Order Administration" ], "case_id": "05.18_paypal", "company_name": "PayPal, Inc.", "date_issued": "2018-05-15", "year": 2018, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule (Reg. P), 16 C.F.R. Part 313; and the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3102-paypal-inc-matter", "docket_number": "C-4651" }, { "provision_number": "VII", "title": "Compliance Reports and Notices", "category": "compliance_reporting", "summary": "Respondent must submit a sworn compliance report one year after the issuance date, and must submit sworn notices within 14 days of any changes in points of contact, organizational structure, or bankruptcy filings.", "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that provides a Payment and Social Networking Service.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re PayPal.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "05.18_paypal", "company_name": "PayPal, Inc.", "date_issued": "2018-05-15", "year": 2018, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule (Reg. P), 16 C.F.R. Part 313; and the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3102-paypal-inc-matter", "docket_number": "C-4651" }, { "provision_number": "VIII", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Respondent must create and retain specified records for 20 years after the issuance date, including accounting records, personnel records, consumer complaints, compliance records, advertising materials, and assessment materials.", "verbatim_text": "VIII. IT IS FURTHER ORDERED that Respondent must create certain records for 20 years after the issuance date of the Order, and retain each such record for 5 years, unless otherwise specified below. Specifically, Respondent must create and retain the following records: A. accounting records showing the revenues from all Payment and Social Networking Services sold;\n\nB. personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. copies or records of all consumer complaints regarding any Payment and Social Networking Service, whether received directly or indirectly, such as through a third party, and any response;\n\nD. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission;\n\nE. a copy of each unique Payment and Social Networking Service advertisement or other marketing material making a representation subject to this Order; and\n\nF. for 3 years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Recordkeeping" ], "case_id": "05.18_paypal", "company_name": "PayPal, Inc.", "date_issued": "2018-05-15", "year": 2018, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule (Reg. P), 16 C.F.R. Part 313; and the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3102-paypal-inc-matter", "docket_number": "C-4651" }, { "provision_number": "IX", "title": "Compliance Monitoring", "category": "monitoring", "summary": "The Commission is authorized to monitor Respondent's compliance by requesting additional reports and records, communicating directly with and interviewing Respondent's personnel, and using all other lawful investigative means including undercover contacts.", "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondent must submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "05.18_paypal", "company_name": "PayPal, Inc.", "date_issued": "2018-05-15", "year": 2018, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule (Reg. P), 16 C.F.R. Part 313; and the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3102-paypal-inc-matter", "docket_number": "C-4651" }, { "provision_number": "X", "title": "Order Effective Dates and Duration", "category": "duration", "summary": "This Order is effective upon publication on the FTC website and terminates on May 23, 2038, or 20 years from the most recent date a complaint is filed in federal court alleging a violation of this Order, whichever is later.", "verbatim_text": "X. IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on May 23, 2038, or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than 20 years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "deceptive", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Order Administration" ], "case_id": "05.18_paypal", "company_name": "PayPal, Inc.", "date_issued": "2018-05-15", "year": 2018, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule (Reg. P), 16 C.F.R. Part 313; and the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3102-paypal-inc-matter", "docket_number": "C-4651" }, { "provision_number": "I", "title": "Prohibition Against Misrepresentations About Privacy and Security", "category": "prohibition", "summary": "Respondents must not misrepresent in any manner the extent to which they maintain and protect the privacy, confidentiality, or integrity of any personal information collected from consumers.", "verbatim_text": "IT IS ORDERED that respondents, directly or through any corporation, subsidiary, division, or other device, in connection with the collection of personally identifiable information from or about consumers, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondents maintain and protect the privacy, confidentiality, or integrity of any personal information collected from or about consumers.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "06.06_nations_title_agency_nations_holding_company_and_christopher_m._likens.", "company_name": "Nations Title Agency, Inc.", "date_issued": "2006-06-15", "year": 2006, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3117-nations-title-agency-inc-nations-holding-company-christopher-m-likens-matter", "docket_number": "C-4161" }, { "provision_number": "II", "title": "Comprehensive Information Security Program", "category": "affirmative_obligation", "summary": "Respondents must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to their size, complexity, and the sensitivity of personal information collected.", "verbatim_text": "IT IS FURTHER ORDERED that respondents, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondents’ size and complexity, the nature and scope of respondents’ activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program.\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and Page 3 of 7 software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.\n\nD. the evaluation and adjustment of respondents’ information security program in light of the results of the testing and monitoring required by Part II.C., any material changes to respondents’ operations or business arrangements, or any other circumstances that respondents know or have reason to know may have a material impact on the effectiveness of their information security program.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "06.06_nations_title_agency_nations_holding_company_and_christopher_m._likens.", "company_name": "Nations Title Agency, Inc.", "date_issued": "2006-06-15", "year": 2006, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3117-nations-title-agency-inc-nations-holding-company-christopher-m-likens-matter", "docket_number": "C-4161" }, { "provision_number": "III", "title": "Prohibition Against Violating Gramm-Leach-Bliley and FACTA Rules", "category": "prohibition", "summary": "Respondents must not violate the GLB Safeguards Rule (16 C.F.R. Part 314), the GLB Privacy Rule (16 C.F.R. Part 313), or the FACTA Disposal Rule (16 C.F.R. Part 682); compliance with any future amendments to those rules will not constitute a violation of this order.", "verbatim_text": "IT IS FURTHER ORDERED that respondents shall not, directly or through any corporation, subsidiary, division, website, or other device, violate any provision of: A. the Gramm-Leach-Bliley Act’s Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314;\n\nB. the Gramm-Leach-Bliley Act’s Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313; or\n\nC. the Fair and Accurate Credit Transactions Act’s Disposal of Consumer Report Information and Records Rule, 16 C.F.R. Part 682.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "06.06_nations_title_agency_nations_holding_company_and_christopher_m._likens.", "company_name": "Nations Title Agency, Inc.", "date_issued": "2006-06-15", "year": 2006, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3117-nations-title-agency-inc-nations-holding-company-christopher-m-likens-matter", "docket_number": "C-4161" }, { "provision_number": "IV", "title": "Third-Party Security Assessments", "category": "assessment", "summary": "Respondents must obtain initial and biennial third-party security assessments from a qualified, independent professional covering the first 180 days and each subsequent two-year period for 20 years; each assessment must be completed within 60 days after the reporting period and submitted to the FTC.", "verbatim_text": "IT IS FURTHER ORDERED that, in connection with their compliance with Parts II, III.A., and III.C. of this order, respondents shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nAssessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondents have implemented and maintained during the reporting period; B. explain how such safeguards are appropriate to respondents’ size and complexity, the nature and scope of respondents’ activities, and the sensitivity of the personal information collected from or about consumers; C. explain how the safeguards that have been implemented meet or exceed the protections required by the Parts II, III.A., and III.C. of this order; and D. certify that respondents’ security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nRespondents shall provide the initial Assessment, as well as all: plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of either respondent, relied upon to prepare such Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial\n\nAssessments shall be retained by respondents until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "06.06_nations_title_agency_nations_holding_company_and_christopher_m._likens.", "company_name": "Nations Title Agency, Inc.", "date_issued": "2006-06-15", "year": 2006, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3117-nations-title-agency-inc-nations-holding-company-christopher-m-likens-matter", "docket_number": "C-4161" }, { "provision_number": "V", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Respondents must maintain and make available to the FTC copies of compliance-related documents: documents contradicting compliance for five years, and all plans, reports, and assessments related to biennial assessment periods for three years after each assessment.", "verbatim_text": "IT IS FURTHER ORDERED that respondents shall maintain, and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of each document relating to compliance, including but not limited to: A. for a period of five (5) years: any documents, whether prepared by or on behalf of either respondent, that contradict, qualify, or call into question respondents’ compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each biennial Assessment required under Part IV of this order: all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or Page 5 of 7 on behalf of either respondent, relating to respondents’ compliance with Parts II, III.A., and III.C. of this order for the compliance period covered by such biennial Assessment.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "06.06_nations_title_agency_nations_holding_company_and_christopher_m._likens.", "company_name": "Nations Title Agency, Inc.", "date_issued": "2006-06-15", "year": 2006, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3117-nations-title-agency-inc-nations-holding-company-christopher-m-likens-matter", "docket_number": "C-4161" }, { "provision_number": "VI", "title": "Order Delivery and Acknowledgment", "category": "acknowledgment", "summary": "Respondents must deliver a copy of this order to all current and future principals, officers, directors, managers, and employees with supervisory responsibilities relating to the subject matter of the order, within 30 days of service or assumption of responsibilities.", "verbatim_text": "IT IS FURTHER ORDERED that respondents shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having supervisory responsibilities relating to the subject matter of this order. Respondents shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the\n\n(30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "06.06_nations_title_agency_nations_holding_company_and_christopher_m._likens.", "company_name": "Nations Title Agency, Inc.", "date_issued": "2006-06-15", "year": 2006, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3117-nations-title-agency-inc-nations-holding-company-christopher-m-likens-matter", "docket_number": "C-4161" }, { "provision_number": "VII", "title": "Notice of Business Changes — Christopher M. Likens", "category": "compliance_reporting", "summary": "For ten years after issuance, Christopher M. Likens must notify the FTC by certified mail of any discontinuance of his current business or employment, or affiliation with any new business or employment providing financial products or services, including address, phone, and description of duties.", "verbatim_text": "IT IS FURTHER ORDERED that respondent Christopher M. Likens, for a period of ten (10) years, after the date of issuance of this order, shall notify the Commission of the discontinuance of his current business or employment, or of his affiliation with any new business or employment that provides financial products or services. The notice shall include respondent Christopher M. Likens’s new business address and telephone number and a description of the nature of the business or employment and his duties and responsibilities. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "06.06_nations_title_agency_nations_holding_company_and_christopher_m._likens.", "company_name": "Nations Title Agency, Inc.", "date_issued": "2006-06-15", "year": 2006, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3117-nations-title-agency-inc-nations-holding-company-christopher-m-likens-matter", "docket_number": "C-4161" }, { "provision_number": "VIII", "title": "Notice of Corporate Changes", "category": "compliance_reporting", "summary": "Respondents must notify the FTC at least 30 days prior to any corporate change (dissolution, merger, sale, bankruptcy filing, name or address change, etc.) that may affect compliance obligations; if less than 30 days' notice is possible, notification must be as soon as practicable.", "verbatim_text": "IT IS FURTHER ORDERED that respondents and their successors and assigns shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondents learn less than thirty (30) days prior to the date such action is to take place, respondents shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "06.06_nations_title_agency_nations_holding_company_and_christopher_m._likens.", "company_name": "Nations Title Agency, Inc.", "date_issued": "2006-06-15", "year": 2006, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3117-nations-title-agency-inc-nations-holding-company-christopher-m-likens-matter", "docket_number": "C-4161" }, { "provision_number": "IX", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Respondents must file a written compliance report with the FTC within 180 days after service of this order, and at such other times as the FTC may require, detailing the manner and form of compliance.", "verbatim_text": "IT IS FURTHER ORDERED that respondents and their successors and assigns shall, within one hundred and eighty (180) days after service of this order, and at such other times as Page 6 of 7 the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "06.06_nations_title_agency_nations_holding_company_and_christopher_m._likens.", "company_name": "Nations Title Agency, Inc.", "date_issued": "2006-06-15", "year": 2006, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3117-nations-title-agency-inc-nations-holding-company-christopher-m-likens-matter", "docket_number": "C-4161" }, { "provision_number": "X", "title": "Order Duration and Termination", "category": "duration", "summary": "The order terminates on June 19, 2026, or twenty years from the most recent date the FTC files a federal court complaint alleging a violation of the order, whichever is later, subject to specified exceptions.", "verbatim_text": "This order will terminate on June 19, 2026, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that one or both of the respondents did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to that respondent(s) will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "06.06_nations_title_agency_nations_holding_company_and_christopher_m._likens.", "company_name": "Nations Title Agency, Inc.", "date_issued": "2006-06-15", "year": 2006, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3117-nations-title-agency-inc-nations-holding-company-christopher-m-likens-matter", "docket_number": "C-4161" }, { "provision_number": "I", "title": "Comprehensive Information Security Program", "category": "affirmative_obligation", "summary": "Respondent must establish, implement, and maintain a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.", "verbatim_text": "IT IS ORDERED that respondent, and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to the size and complexity of respondent’s operations, the nature 2 and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of respondent’s information security program.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "06.09_james_b._nutter_company", "company_name": "James B. Nutter & Company", "date_issued": "2009-06-15", "year": 2009, "administration": "Obama", "legal_authority": "Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. § 6801-6809, and the Privacy of Customer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3108-james-b-nutter-company-corporation-matter", "docket_number": "C-4258" }, { "provision_number": "II", "title": "Prohibition Against Violating Gramm-Leach-Bliley Rules", "category": "prohibition", "summary": "Respondent must not violate the Standards for Safeguarding Customer Information Rule (16 C.F.R. Part 314) or the Privacy of Customer Financial Information Rule (16 C.F.R. Part 313).", "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its officers, agents, representatives, and employees, shall not, directly or through any corporation, subsidiary, division, or other device, violate any provision of: A. the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; or\n\nB. the Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313. 3 In the event that either of these Rules is hereafter amended or modified, compliance with that Rule as so amended or modified shall not be a violation of this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "06.09_james_b._nutter_company", "company_name": "James B. Nutter & Company", "date_issued": "2009-06-15", "year": 2009, "administration": "Obama", "legal_authority": "Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. § 6801-6809, and the Privacy of Customer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3108-james-b-nutter-company-corporation-matter", "docket_number": "C-4258" }, { "provision_number": "III", "title": "Third-Party Security Assessments", "category": "assessment", "summary": "Respondent must obtain initial and biennial third-party security assessments covering its compliance with Parts I and IIA, prepared by a qualified independent professional (CISSP, CISA, or GIAC-certified), and submit or retain them as required.", "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with Parts I and IIA of this order, respondent, and its officers, agents, representatives, and employees, shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for ten (10) years after service of the order for the biennial Assessments.\n\nEach Assessment shall: A. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period; B. explain how such safeguards are appropriate to the size and complexity of respondent’s operations, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers; C. explain how the safeguards that have been implemented meet or exceed the protections required by Parts I and IIA of this order; and D. certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.\n\nRespondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "06.09_james_b._nutter_company", "company_name": "James B. Nutter & Company", "date_issued": "2009-06-15", "year": 2009, "administration": "Obama", "legal_authority": "Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. § 6801-6809, and the Privacy of Customer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3108-james-b-nutter-company-corporation-matter", "docket_number": "C-4258" }, { "provision_number": "IV", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Respondent must maintain compliance-related documents for five years and materials supporting each assessment for three years after preparation, making them available to the FTC upon request.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain, and upon request, make available to the Federal Trade Commission for inspection and copying: A. for a period of five (5) years, a print or electronic copy of each document relating to compliance, including but not limited to documents, prepared by or on behalf of respondent that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nB. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts I and IIA of this order, for the compliance period covered by such Assessment.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "06.09_james_b._nutter_company", "company_name": "James B. Nutter & Company", "date_issued": "2009-06-15", "year": 2009, "administration": "Obama", "legal_authority": "Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. § 6801-6809, and the Privacy of Customer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3108-james-b-nutter-company-corporation-matter", "docket_number": "C-4258" }, { "provision_number": "V", "title": "Order Acknowledgment and Delivery", "category": "acknowledgment", "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, and employees with relevant responsibilities within 30 days of service or assumption of duties.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "06.09_james_b._nutter_company", "company_name": "James B. Nutter & Company", "date_issued": "2009-06-15", "year": 2009, "administration": "Obama", "legal_authority": "Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. § 6801-6809, and the Privacy of Customer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3108-james-b-nutter-company-corporation-matter", "docket_number": "C-4258" }, { "provision_number": "VI", "title": "Notification of Corporate Changes", "category": "compliance_reporting", "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, such as dissolution, merger, sale, bankruptcy, or name/address change.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the company that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the company name or address. Provided, however, that, with respect to any proposed change in the company about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "06.09_james_b._nutter_company", "company_name": "James B. Nutter & Company", "date_issued": "2009-06-15", "year": 2009, "administration": "Obama", "legal_authority": "Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. § 6801-6809, and the Privacy of Customer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3108-james-b-nutter-company-corporation-matter", "docket_number": "C-4258" }, { "provision_number": "VII", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Respondent must file a written compliance report with the FTC within 60 days of service of this order, and at such other times as the FTC may require.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall, within sixty (60) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "06.09_james_b._nutter_company", "company_name": "James B. Nutter & Company", "date_issued": "2009-06-15", "year": 2009, "administration": "Obama", "legal_authority": "Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. § 6801-6809, and the Privacy of Customer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3108-james-b-nutter-company-corporation-matter", "docket_number": "C-4258" }, { "provision_number": "VIII", "title": "Order Duration and Termination", "category": "duration", "summary": "This order terminates on June 12, 2029, or twenty years from the most recent date the FTC files a complaint alleging any violation of the order, whichever is later, subject to specified exceptions.", "verbatim_text": "This order will terminate on June 12, 2029, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in less than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "06.09_james_b._nutter_company", "company_name": "James B. Nutter & Company", "date_issued": "2009-06-15", "year": 2009, "administration": "Obama", "legal_authority": "Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. § 6801-6809, and the Privacy of Customer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3108-james-b-nutter-company-corporation-matter", "docket_number": "C-4258" }, { "provision_number": "I", "title": "Prohibition Against Misrepresentations", "category": "prohibition", "summary": "Defendant is permanently restrained from misrepresenting, expressly or by implication, the extent to which it maintains and protects the privacy, security, confidentiality, or integrity of any Personal Information.", "verbatim_text": "IT IS ORDERED that Defendant, Defendant’s officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any good or service, are hereby permanently restrained and enjoined from misrepresenting, expressly or by implication, the extent to which Defendant maintains and protects the privacy, security, confidentiality, or integrity of any Personal Information.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "II", "title": "Mandated Information Security Program", "category": "affirmative_obligation", "summary": "Defendant must establish, implement, and maintain for twenty years a comprehensive information security program designed to protect the security, confidentiality, and integrity of Personal Information, meeting detailed minimum requirements.", "verbatim_text": "IT IS FURTHER ORDERED that Defendant shall establish and implement, and thereafter maintain, for twenty years after entry of this Order, a comprehensive information security program (“Information Security Program”) designed to protect the security, confidentiality, and integrity of Personal Information. To satisfy this requirement, Defendant must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program, including the following: 1. Documented risk assessments required under Section II.D; 2. Documented safeguards required under Section II.E; and 12 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 13 of 74 3. A description of the procedures adopted to implement and monitor the Information Security Program, including procedures for evaluating and adjusting the Information Security Program as required under Section II.I;\n\nB. Provide the written Information Security Program and any material evaluations thereof or updates thereto to Defendant’s board of directors or a relevant subcommittee thereof, or equivalent governing body or, if no such board or equivalent governing body exists, to a senior officer of Defendant responsible for Defendant’s Information Security Program at least once every twelve months;\n\nC. Designate a qualified employee or employees to coordinate, oversee, and be responsible for the Information Security Program;\n\nD. Assess, at least once every twelve months, internal and external risks to the security, confidentiality, or integrity of Personal Information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information and document those risks that are material. Defendant shall further assess and document internal and external risks as described above as they relate to a Covered Incident promptly (not to exceed forty-five days) following verification of such a Covered Incident;\n\nE. Design, implement, maintain, and document safeguards that control for the material internal and external risks Defendant identifies to the security, confidentiality, or integrity of Personal Information identified in response to Section II.D. Each safeguard shall be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood, given the existence of other safeguards, that the risk could be realized and result in the unauthorized access, collection, use, alteration, destruction, or disclosure of the Personal Information. Such safeguards shall also include: 1. Establishing patch management policies and procedures that require confirmation that any directives to apply patches or remediate vulnerabilities are received and completed and that include timelines for addressing vulnerabilities that account for the severity and exploitability of the risk implicated; 2. Establishing and enforcing policies and procedures to ensure the timely remediation of critical and/or high-risk security vulnerabilities; 3. Identifying and documenting a comprehensive information technology (“IT”) asset inventory that includes hardware, software, and location of the assets; 4. Designing and implementing protections such as network intrusion protection, host intrusion protection, and file integrity monitoring, 14 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 15 of 74 across Defendant’s network and IT assets, including Defendant’s legacy technologies; 5. Designing, implementing, and maintaining measures to limit unauthorized access in any network or system that stores, collects, maintains, or processes Personal Information, such as segmentation of networks and databases and properly configured firewalls; 6. Implementing access controls across Defendant’s network, such as multi-factor authentication and strong password requirements; 7. Limiting user access privileges to systems that provide access to Personal Information to employees, contractors, or other authorized third parties with a business need to access such information and establishing regular documented review of such access privileges; 8. Implementing protections, such as encryption, tokenization, or other at least equivalent protections, for Personal Information collected, maintained, processed, or stored by Defendant, including in transit and at rest. To the extent that any of the identified protections are infeasible, equivalent protections shall include effective alternative compensating controls designed to protect unencrypted data at rest or in transit, which shall be reviewed and approved by the qualified 15 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 16 of 74 employee or employees designated to coordinate, oversee, and be responsible for the Information Security Program; 9. Establishing and enforcing written policies, procedures, guidelines, and standards designed to: a. Ensure the use of secure development practices for applications developed in-house; and b. Evaluate, assess, or test the security of externally developed applications used within Defendant’s technology environment; 10.Establishing regular information security training programs, updated, as applicable, to address internal or external risks identified by Defendant, including, at a minimum: a. At least annual information security awareness training for all employees, including notifying employees of the process for submitting complaints and concerns pursuant to Section II.E.12; and b. Training for software developers relating to secure software development principles and intended to address well-known and reasonably foreseeable vulnerabilities, such as cross-site scripting, structured query language injection, and other risks 16 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 17 of 74 identified by Defendant through risk assessments and/or penetration testing; 11.Establishing a clear and easily accessible process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics; and 12.By August 30, 2019, establishing a clear and easily accessible process overseen by a senior corporate manager for employees to submit complaints or concerns about Defendant’s information security practices, including establishing a clear process for reviewing, addressing, and escalating employee complaints or concerns.\n\nF. Assess, at least once every twelve months, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Personal Information, and evaluate and implement any needed modifications to the Information Security Program based on the results. Defendant shall further assess the sufficiency of safeguards as described above, as they relate to a Covered Incident, promptly (not to exceed forty-five days) following verification of such an incident. Each such assessment must evaluate safeguards in each area of relevant operation, including: 1. Employee training and management; 17 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 18 of 74 2. Information systems, such as network and software design, or information processing, storage, transmission, and disposal; and 3. Prevention, detection, and response to attacks, intrusions, or other system failures;\n\nG. Test and monitor the effectiveness of the safeguards at least once every twelve months and, as they relate to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident, and modify the Information Security Program based on the results. Such testing shall include vulnerability testing of Defendant’s network at least once every four months and, as it relates to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident, and penetration testing of Defendant’s network at least once every twelve months and, as it relates to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident;\n\nH. Select and retain service providers capable of safeguarding Personal Information they access through or receive from Defendant, and contractually require service providers to implement and maintain safeguards tailored to the amount and the type of Personal Information at issue; and\n\nI. Evaluate and adjust the Information Security Program in light of any changes to Defendant’s operations or business arrangements, including, without limitation, acquisition or licensing of any new information systems, technologies, or assets through merger or acquisition, a Covered Incident, or any other circumstances that Defendant knows or has reason to know may have a material impact on the effectiveness of the Information Security Program. At a minimum, Defendant must evaluate the Information Security Program at least once every twelve months and, as it relates to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident and modify the Information Security Program based on the results.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "III", "title": "Information Security Assessments by a Third Party", "category": "assessment", "summary": "Defendant must obtain initial and biennial third-party information security assessments from a qualified, independent assessor covering the first 180 days and each two-year period thereafter for twenty years, with assessments submitted to the FTC within ten days of completion.", "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) is a Certified Information Systems Security Professional (“CISSP”) or a Certified Information Systems Auditor (“CISA”), or other similarly qualified person or organization; 19 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 20 of 74 (3) has at least five years of experience evaluating the effectiveness of computer system security or information system security; (4) conducts an independent review of the Information Security Program; and (5) is contractually required to retain all documents relevant to each Assessment for five years after completion of such Assessment, and to provide such documents to the Commission within fourteen days of receipt of a written request from a representative of the Commission. No documents may be withheld by the Assessor on the basis of (1) a claim of confidentiality, proprietary or trade secrets, or any similar claim, or (2) any privilege asserted between Defendant and the Assessor, although such documents can be designated for confidential treatment in accordance with applicable law.\n\nB. For each Assessment, Defendant shall provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name and affiliation of the person selected to conduct the Assessment, which the Associate Director shall have the authority to approve in his or her sole discretion. If the Associate Director for Enforcement does not approve of the person Defendant has selected, Defendant must choose a person or entity to conduct the Assessment from a list of at least three Assessors provided by a representative of the Commission.\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the entry date of the Order for the initial Assessment; and (2) each two- year period thereafter for twenty years after entry of the Order for the biennial Assessments.\n\nD. Each Assessment must: 1. Evaluate whether Defendant has implemented and maintained the Information Security Program required by Section II of this Order, titled Mandated Information Security Program; 2. Assess the effectiveness of Defendant’s implementation and maintenance of subsections A-I of Section II; 3. Identify gaps or weaknesses in the Information Security Program and make recommendations to remediate or cure any such gaps and weaknesses; and 4. Identify specific evidence (including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely solely on assertions or attestations by Defendant’s management. The Assessment shall be signed by the 21 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 22 of 74 Assessor and shall state that the Assessor conducted an independent review of the Information Security Program, and did not rely solely on assertions or attestations by Defendant’s management.\n\nE. Each Assessment must be completed within sixty days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Defendant must submit each Assessment to the Commission within ten days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “Federal Trade Commission v. Equifax Inc., FTC File No. 1723203.” Defendant must notify the Commission of any portions of the Assessment containing trade secrets, commercial or financial information, or information about a consumer or other third party, for which confidential treatment is requested pursuant to the Commission’s procedures concerning public disclosure set forth in 15 U.S.C. 46(f) and 16 CFR 4.10.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "IV", "title": "Cooperation with Third Party Information Security Assessor", "category": "affirmative_obligation", "summary": "Defendant must not withhold material facts from or misrepresent any material fact to the Assessor, and must provide the Assessor full access to its network, IT assets, and all relevant information and materials.", "verbatim_text": "IT IS FURTHER ORDERED that Defendant, Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any Assessment required by Section III of this Order titled Information Security Assessments by a Third Party, must not withhold any material facts from the Assessor, and must not misrepresent, expressly or by implication, any fact material to the Assessor’s: (1) evaluation of whether Defendant has implemented and maintained the Information Security Program required by Section II of this Order, titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of subsections A-I of Section II; or (3) identification of any gaps or weaknesses in the Information Security Program. Defendant shall provide the Assessor with information about Defendant’s entire network and all of Defendant’s IT assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network and IT assets deemed in scope.\n\nweaknesses in the Information Security Program. Defendant shall provide the Assessor with information about Defendant’s entire network and all of Defendant’s IT assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network and IT assets deemed in scope. Defendant shall also provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "V", "title": "Annual Certification", "category": "compliance_reporting", "summary": "Defendant must provide annual certifications to the Commission for twenty years from a board-level or senior officer attesting to compliance with the Order, absence of material noncompliance, cooperation with the Assessor, and describing any Covered Incidents.", "verbatim_text": "A. For a total of twenty years and commencing one year after the entry date of this Order, and each year thereafter, provide the Commission with a certification from the board of directors, or a relevant subcommittee thereof, or other equivalent governing body or, if no such board or equivalent governing body exists, a senior officer of Defendant responsible for Defendant’s Information Security Program, that: (1) Defendant has established, implemented, and maintained the requirements of this Order; (2) Defendant is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; (3) Defendant has cooperated with the Assessor as required by Section IV of this Order; and (4) includes a brief description of any Covered Incident. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the board of directors, or relevant subcommittee thereof, or other equivalent governing body, reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue N.W., Washington, D.C. 20580. The subject line must begin, “Federal Trade Commission v. Equifax Inc., FTC File No. 1723203.”", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "VI", "title": "Covered Incident Reports", "category": "compliance_reporting", "summary": "For twenty years, Defendant must report Covered Incidents to the Commission no later than ten days after first notifying any government entity, with detailed information about the incident, and provide quarterly summaries to its board.", "verbatim_text": "IT IS FURTHER ORDERED that for twenty years from the entry of the Order, Defendant, within a reasonable time after the date of Defendant’s discovery of a Covered Incident, but in any event no later than ten days after the date Defendant first notifies any U.S. federal, state, or local government entity of the Covered Incident, must submit a report to the Commission. A. The report must include, to the extent possible: 1. The date, estimated date, or estimated date range when the Covered Incident occurred; 2. A description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known; 25 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 26 of 74 3. A description of each type of information that triggered the notification obligation to the U.S. federal, state, or local government entity; 4. The number of consumers whose information triggered the notification obligation to the U.S. federal, state, or local government entity; 5. The acts that Defendant has taken to date to remediate the Covered Incident and protect Personal Information from further exposure or access, and, if applicable, to protect affected individuals from identity theft or other harm that may result from the Covered Incident; and 6. A representative copy of each materially different notice required by U.S. federal, state, or local law or regulation and sent by Defendant to consumers or to any U.S. federal, state, or local government entity.\n\nB. No more than thirty days after every calendar quarter, Defendant must provide Defendant’s board of directors or a relevant subcommittee thereof, or equivalent governing body or, if no such board or equivalent governing body exists, to a senior officer of Defendant responsible for Defendant’s Information Security Program, a report summarizing all Covered Incidents that occurred in that calendar quarter.\n\nC. Unless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue N.W., Washington, D.C. 20580. The subject line must begin, “Federal Trade Commission v. Equifax Inc., File No. 172 3203.” Defendant must notify the Commission of any portions of the Covered Incident Report containing trade secrets, commercial or financial information, or information about a consumer or other third party, for which confidential treatment is requested pursuant to the Commission’s procedures concerning public disclosure set forth in 15 U.S.C. § 46(f) and 16 CFR Part 4.10.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "VII", "title": "Monetary Judgment and Additional Monetary Obligations", "category": "affirmative_obligation", "summary": "A monetary judgment of $425,000,000 is entered against Defendant, with additional financial obligations triggered if more than seven million Affected Consumers enroll in the Product, calculated using specified formulas during both the Initial and Extended Claims Periods.", "verbatim_text": "A. Judgment in the amount of Four Hundred Twenty-Five Million Dollars ($425,000,000) is entered in favor of the Commission against Defendant.\n\nB. This order imposes additional financial obligations (“Additional Financial Obligations”) on Defendant for the purpose of monetary relief for Affected Consumers. If more than seven million Affected Consumers enroll in the 27 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 28 of 74 Product, then Defendant’s Additional Financial Obligations will be calculated using the following formulas: 1. If, at the end of the Initial Claims Period, more than seven million Affected Consumers enroll in the Product, then: a. If the total payments for Alternative Reimbursement Compensation, Out-of-Pocket Losses, Assisted Identity Restoration Services, Notice and Settlement Administration Costs and Expenses, Service Awards, and the cost of providing the Product to seven million Affected Consumers (the “Costs”) are greater than or equal to Three Hundred Million Dollars ($300,000,000), Equifax Inc., its successors and assigns, shall pay the Commission an amount equal to the cost of providing the Product to enrollees above seven million (the “Additional Credit Monitoring Cost”); b. If the Costs are less than Two Hundred Fifty-Six Million Five Hundred Thousand Dollars ($256,500,000) and the Additional Credit Monitoring Cost is greater than Forty-Three Million Five Hundred Thousand Dollars ($43,500,000), Equifax Inc., its successors and assigns, shall pay the Commission an amount 28 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 29 of 74 equal to the Additional Credit Monitoring Cost less Forty-Three Million Five Hundred Thousand Dollars ($43,500,000); or\n\n2. If, during the Extended Claims Period, more than seven million Affected Consumers have enrolled in the Product and either (i) the Costs are greater than or equal to Two Hundred Fifty-Six Million Five Hundred Thousand Dollars ($256,500,000)or (ii) the Additional Credit Monitoring Costs are greater than or equal to Forty-Three Million Five Hundred Thousand Dollars ($43,500,000) then, on a monthly basis, Equifax Inc., its successors and assigns, shall deposit any additional money to the Commission that would be required 29 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 30 of 74 pursuant to the calculations in Section VII.B.1.a-c, less any amounts previously deposited as the Additional Financial Obligations.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Monetary Penalty" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "VIII", "title": "Consumer Restitution and Redress Through Multi-District Litigation", "category": "affirmative_obligation", "summary": "Consumer relief may be conducted through the Multi-District Litigation Settlement rather than directly by the Commission, with Defendant required to deposit $300,000,000 into the Consumer Fund in specified tranches and up to an additional $125,000,000 if needed.", "verbatim_text": "A. Equifax Inc., its successors and assigns, shall deposit Three Hundred Million Dollars ($300,000,000) (the “Payment”) into the Consumer Fund as follows: (i) One Hundred Fifty Thousand Dollars ($150,000) no later than fifteen days after the filing of this Order, to cover reasonable set-up costs of the Notice Provider; (ii) Twenty-Five Million Dollars ($25,000,000) no later than fifteen days after the MDL Court enters an order permitting issuance of notice of the Settlement, to cover reasonable costs and expenses of the Settlement Administrator and Notice Provider and set-up costs for the independent third-party provider of the Product and Assisted Identity Restoration Services; and (iii) Three Hundred Million Dollars 30 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 31 of 74 ($300,000,000) into the Consumer Fund, less any amounts paid pursuant to (i) and (ii), no later than fifteen days after the Class Action Effective Date.\n\nB. If the Consumer Fund lacks sufficient funds to pay claims for Out-of-Pocket Losses made during the Initial and Extended Claims Periods, Equifax Inc., its successors and assigns, deposits into the Consumer Fund, as needed to pay such claims on a monthly basis, up to an additional aggregate amount of One Hundred Twenty-Five Million Dollars ($125,000,000) within fourteen days after receipt of written notification from the Settlement Administrator that there are insufficient funds remaining in the Consumer Fund.\n\nC. Equifax Inc., its successors and assigns, pays any Additional Financial Obligations required under Section VII into the Consumer Fund.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Consumer Redress" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "IX", "title": "Consumer Fund for Multi-District Litigation", "category": "affirmative_obligation", "summary": "At least $300,000,000 (plus any additional deposits) in the Consumer Fund must be used exclusively to provide restitution and redress to Affected Consumers through specified categories of relief including credit monitoring, out-of-pocket loss reimbursement, identity restoration services, and administrative costs.", "verbatim_text": "A. An amount no less than Three Hundred Million Dollars ($300,000,000), plus any amount deposited in the Consumer Fund pursuant to Sections VIII.B and VIII.C, including all accumulated interest, must be used and administered as described in Section IX for the exclusive purpose of providing restitution and redress to Affected Consumers.\n\n1. After either the Class Action Effective Date or the conclusion of the Initial Claims Period, whichever is later, for claims submitted during the Initial Claims Period: a. Four years of enrollment in the Product to Affected Consumers, which shall include One Million Dollars ($1,000,000) in identity theft insurance and Full Service Identity Restoration Services. i. The Product shall be offered, provided and maintained by an independent third party and shall not be provided to any Affected Consumer by Defendant. Defendant shall not receive any monetary benefit from the Product; ii. Defendant shall, through the independent third party provider of the Product, provide activation codes for enrollment in the Product to Affected Consumers who file a valid claim for the Product. Activation codes shall be sent no later than forty-five days after either the Class Action Effective Date or the conclusion of the Initial Claims Period, whichever is later. Affected Consumers shall be eligible to 32 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 33 of 74 enroll in the Product for a period of at least ninety days following receipt of the activation code. b. Alternative Reimbursement Compensation of up to One Hundred Twenty-Five Dollars ($125); c. Claims for Out-of-Pocket Losses, including, without limitation, the following: i. Up to twenty-five percent (25%) reimbursement for costs incurred by an Affected Consumer enrolled in an Equifax credit or identity monitoring subscription product on or after September 7, 2016, through September 7, 2017; ii. Credit monitoring costs that were incurred by an Affected Consumer on or after September 7, 2017, through the date of the Affected Consumer’s claim submission; iii. Costs incurred on or after September 7, 2017, associated with placing or removing a security freeze on a Consumer Report with any Consumer Reporting Agency; iv. Unreimbursed costs, expenses, losses, or charges incurred by an Affected Consumer as a result of identity theft or identity fraud, falsified tax returns, or other alleged misuse of Affected Consumers’ personal information; 33 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 34 of 74 v. Other miscellaneous expenses incurred related to any Out- Of-Pocket Loss such as notary, fax, postage, copying, mileage, and long-distance telephone charges; and vi. Time Compensation for up to twenty hours.\n\n2. For claims submitted during the Extended Claims Period, reimbursement of claims for the following Out-of-Pocket Losses incurred during the Extended Claims Period: a. Unreimbursed costs, expenses, losses, or charges incurred by an Affected Consumer as a result of identity theft or identity fraud, falsified tax returns, or other alleged misuse of Affected Consumers’ Personal Information; b. Other miscellaneous expenses, incurred by an Affected Consumer related to remedying fraud, identity theft, or other misuse of an Affected Consumer’s Personal Information, such as notary, fax, postage, copying, mileage, and long-distance telephone charges; and c. Time Compensation limited to time spent remedying fraud, identity theft, or other misuse of an Affected Consumer’s Personal Information that is fairly traceable to the Breach.\n\n3. For a period of seven years from the Class Action Effective Date, Assisted Identity Restoration Services to an Affected Consumer. Affected Consumers shall not be required to enroll in the Product to obtain Assisted Identity Restoration Services. a. The Assisted Identity Restoration Services shall be offered, provided and maintained by the independent third party that has been approved by a representative of the Commission and that will be presented to the MDL Court for its approval. Assisted Identity Restoration Services shall not be provided to any Affected Consumer by Defendant. Defendant shall not receive any monetary benefit from the Assisted Identity Restoration Services.\n\n4. Notice and Settlement Administration Costs and Expenses; 5. Applicable taxes, duties, and similar charges due from the Consumer Fund to the extent that the principal is not reduced; and 6. Service Awards in an aggregate amount not to exceed Two Hundred Fifty Thousand Dollars ($250,000). To the extent the MDL Court approves Service Awards in excess of Two Hundred Fifty Thousand Dollars ($250,000), such amount shall not be paid from the funds 35 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 36 of 74 deposited into the Consumer Fund pursuant to this Order and shall be paid solely by the Defendant.\n\nC. Subject to Section IX.D, payments from the Consumer Fund shall be subject to the following limitations: 1. Each Affected Consumer will be eligible to receive a maximum aggregate reimbursement of Twenty Thousand Dollars ($20,000) for Out-of-Pocket Losses. 2. No more than Thirty-One Million Dollars ($31,000,000) shall be used to pay Alternative Reimbursement Compensation (the “Alternative Reimbursement Compensation Cap”). To the extent valid claims for Alternative Reimbursement Compensation exceed the Alternative Reimbursement Compensation Cap, then payments for valid Alternative Reimbursement Compensation claims shall be reduced on a pro rata basis. 3. No more than Thirty-One Million Dollars ($31,000,000) shall be paid as Time Compensation for valid Time Compensation claims made during the Initial Claims Period (the “Initial Time Compensation Cap”). To the extent valid claims for Time Compensation made during the Initial Claims Period exceed the Initial Time Compensation Cap, payments for such valid claims will be reduced on a pro rata 36 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 37 of 74 basis. Valid claims for Time Compensation made during the Extended Claims Period will be paid in the order they are received and approved at the same pro rata rate (if applicable) as valid Time Compensation claims made during the Initial Claims Period. No more than Thirty-Eight Million Dollars ($38,000,000) in the aggregate shall be paid as Time Compensation for valid claims made during both the Initial Claims Period and Extended Claims Period (the “Aggregate Time Compensation Cap”). At the conclusion of the Extended Claims Period, and following payment of valid claims made during the Extended Claims Period, Time Compensation claims may be subject to Section IX.D, if applicable, in which case all valid Time Compensation claims will be paid at the same pro rata rate.\n\nD. If amounts remain in the Consumer Fund at the conclusion of the Extended Claims Period, the remaining funds shall be distributed to provide restitution and redress as follows: 1. First, the Aggregate Time Compensation Cap and Alternative Reimbursement Compensation Cap shall both be lifted (if applicable) and payments increased pro rata to Affected Consumers with valid claims up to the full amount of those claims; then, 37 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 38 of 74 2. Second, to provide Assisted Identity Restoration Services to all Affected Consumers for up to an additional thirty-six months; then, 3. Third, to extend the duration of the Product to Affected Consumers enrolled in the Product until the funds in the Consumer Fund are exhausted.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Consumer Redress" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "X", "title": "Notice and Claims in Multi-District Litigation", "category": "affirmative_obligation", "summary": "If Defendant deposits money into the Consumer Fund, it must supply information to the Notice Provider and Settlement Administrator, notify the Commission of any modifications, provide weekly and annual reports to the Commission, and cooperate fully in claims administration.", "verbatim_text": "A. Defendant shall supply the Notice Provider with information in its possession, custody, or control, to the extent reasonably available, regarding Affected Consumers sufficient to enable the Notice Provider to implement the Notice Plan.\n\nB. Defendant shall supply the Settlement Administrator with information in its possession, custody, or control, to the extent reasonably available, regarding Affected Consumers sufficient to enable the Settlement Administrator to implement the Claims Administration Protocol. This shall include providing the Settlement Administrator with sufficient information to identify consumers who are eligible for reimbursement pursuant to IX.B.1.c.i, as those consumers are not required to submit supporting documentation for this type of Out-of-Pocket Loss.\n\nC. Defendant must notify a designated representative of the Commission of any requested modifications to the Notice Plan or Claims Administration Protocol, including any change of the Notice Provider or Settlement Administrator, and any such modification requested by the Defendant must be approved by a designated representative of the Commission, with such approval not unreasonably withheld, and shall also require approval from the MDL Court.\n\n2. Defendant shall provide to the Commission the weekly reports prepared by the Settlement Administrator pursuant to the Multi- District Litigation that summarize information related to the claims administration; and 39 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 40 of 74 3. Defendant shall provide to the Commission copies of any information requested by and submitted to the Bureau.\n\nE. From the beginning of the Initial Claims Period until the Consumer Fund is exhausted, Defendant shall provide a representative of the Commission, on an annual basis, with the following information for the prior year: 1. A summary by month of the total number of claims submitted to the Settlement Administrator, the total dollar amount of claims submitted to the Settlement Administrator, the total number of claims paid by the Settlement Administrator, the total amount of claims paid by the Settlement Administrator, and the total amount of claim payments negotiated. 2. Regarding the Product and Assisted Identity Restoration Services outlined in Exhibit A, the following information: a. The number of Affected Consumers who enrolled in the Product; b. The number and total dollar amount of claims filed by Affected Consumers under the identity theft insurance provided pursuant to the Product and what percentage of those claims were paid; 40 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 41 of 74 c. The number of Affected Consumers who availed themselves of Full Service Identity Restoration Services in the year preceding the publication of the annual report; and d. The number of Affected Consumers who availed themselves of Assisted Identity Restoration Services in the year preceding the publication of the annual report. 3. Information regarding notice, including the number of viewers who opened emails sent pursuant to the Notice Plan, the number of unique visitors to the Settlement Website, and the number of unique visitors who arrived from a hyperlink to the Settlement Website posted on or in each of the following: a. www.equifax.com; b. www.equifaxsecurity2017.com; c. Defendant’s Twitter notifications referenced in Section XV.A.4; d. Defendant’s Facebook notifications referenced in Section XV.A.5; and e. The emails sent pursuant to the Notice Plan. 4. Regarding consumer complaints: 41 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 42 of 74 a. The number of unique consumer complaints received by the Settlement Administrator or the third party providing the Product regarding: i. Access to the Settlement Website; ii. Enrollment in the Product; iii. Any of the Product components, including identity theft insurance; iv. Any other consumer rights to obtain relief under this Order; or v. Identity theft; and b. Defendant shall develop and implement a process to direct consumers that contact Defendant with issues related to the Settlement or the Consumer Fund to the Settlement Administrator and/or the Settlement Website. 5. The reporting period must cover: (1) the first year after the entry date of the order permitting issuance of notice of the Settlement; and (2) each year thereafter until the Consumer Fund has been exhausted.\n\n7. Defendant shall transmit the information required pursuant to Section X.D without alteration and shall disclose any fact material to the information submitted. No information may be withheld on the basis of (1) a claim of confidentiality, proprietary or trade secrets, or any similar claim, or (2) any privilege asserted between Defendant and the Settlement Administrator, although such documents can be designated for confidential treatment in accordance with applicable law.\n\nb. Defendant shall develop and implement a process to direct consumers that contact Defendant with issues related to the Settlement or the Consumer Fund to the Settlement Administrator and/or the Settlement Website.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Consumer Redress" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "XI", "title": "Reversion of Consumer Relief to Administration by Commission", "category": "monitoring", "summary": "The Commission may end its forbearance and collect the monetary judgment directly upon written notice of specified Termination Events, at which point Defendant must make direct payments to the Commission within twenty-one days and continue to cooperate in consumer relief administration.", "verbatim_text": "A. The forbearance will terminate upon written notice to Defendant upon the occurrence of one or more Termination Events. If any of the following Termination Events should occur, a representative of the Commission and the Bureau may, in their sole discretion, jointly send Defendant a written notice of a Termination Event: 1. An executed Settlement agreement, and a motion for an order permitting issuance of notice of the Settlement, containing terms materially similar to those outlined in Sections VIII, IX, X, and XIII and Exhibit A of this Order, are not submitted to the MDL Court within fourteen days after the filing of this proposed Order, provided however that the Defendant, Commission, or the Bureau are not the cause of such failure; 2. The MDL Court declines to enter an order permitting issuance of notice of the Settlement and either (i) a modified Settlement agreement is not submitted to the MDL Court within sixty days or (ii) a modified Settlement agreement is submitted to the MDL Court without Defendant first obtaining written approval from a representative of the Commission; 44 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 45 of 74 3. The MDL Court enters a final approval of a Settlement agreement in the Multi-District Litigation with terms that are materially different from the terms in Sections VIII-X and Exhibit A of this Order and Defendant has not obtained written approval from a representative of the Commission; 4. The MDL Court declines to enter a final approval of a Settlement agreement in the Multi-District Litigation with terms materially similar to those outlined in Sections VIII, IX, X, and XIII and Exhibit B of this Order and (i) a modified Settlement agreement is not submitted to the MDL Court within sixty days, or (ii) a modified Settlement agreement is submitted to the MDL Court without Defendant first obtaining written approval from a representative of the Commission; 5. The MDL Court’s Final Approval Order is overturned on appeal and either (i) a modified Settlement agreement in the Multi-District Litigation is not submitted to the MDL Court within sixty days or (ii) a modified Settlement agreement in the Multi-District Litigation is submitted to the MDL Court without Defendant first obtaining approval from a representative of the Commission; 45 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 46 of 74 6. The MDL Court approves a Settlement agreement or modified Settlement agreement, other than one approved by the Commission, resolving the Multi-District Litigation that interferes in any way with the Commission’s ability to enforce this Order; or 7. If at any time the Settlement is terminated by any party to the Multi- District Litigation.\n\nD. If the forbearance ends, within twenty-one days of receipt of written notice of a Termination Event, Equifax Inc., its successors and assigns, is ordered to pay the following amounts, plus any interest accumulated, less any payments that have already been disbursed by the Settlement Administrator from the Consumer Fund; Defendant is not entitled to any offset or other deduction unless a representative of the Commission agrees in writing in advance: 1. Three Hundred Million Dollars ($300,000,000), plus any interest accumulated, less any payments that have already been disbursed by the Settlement Administrator from the Consumer Fund; 2. If the funds paid pursuant to Section XI.D.1 are insufficient to pay claims for Out-of-Pocket Losses made during the Initial and Extended Claims Periods, and subject to the monetary limits, if applicable, set forth in Sections IX.B, IX.C and IX.D, Equifax Inc., its successors and assigns, shall make additional payments of up to One Hundred Twenty-Five Million Dollars ($125,000,000) in the aggregate as needed on a monthly basis within fourteen days after receipt of written notification from a representative of the Commission that there are insufficient funds remaining; and 47 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 48 of 74 3. Additional Financial Obligations, subject to the monetary limits, if applicable, set forth in Section IX.B, IX.C and IX.D, pursuant to Section VII.B.\n\nE. All payments to the Commission must be made by electronic fund transfer in accordance with instructions provided by a representative of the Commission.\n\nG. In addition to payment, Defendant remains obligated to cooperate in the administration of consumer relief. If a representative of the Commission requests in writing any information related to consumer relief, Defendant must provide it, in the form prescribed by the Commission, within fourteen days. Defendant shall provide the Commission with: 1. Sufficient information to enable the Commission to efficiently administer consumer relief. 2. Sufficient information regarding any steps toward consumer notice, claims, and relief that has been provided pursuant to the Consumer Fund by the Notice Provider or the Settlement Administrator to enable the Commission to efficiently administer consumer relief.\n\n2. If a representative of the Commission requests in writing any information related to consumer relief, Defendant shall require the Notice Provider and the Settlement Administrator to provide it, to the extent reasonably available, in the form prescribed by the Commission, within fourteen days.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "XII", "title": "Additional Monetary Provisions", "category": "affirmative_obligation", "summary": "Defendant relinquishes all rights to assets transferred under this Order, facts in the Complaint are deemed true for enforcement proceedings, and all money paid to the Commission will be used for consumer relief consistent with Section IX.", "verbatim_text": "A. Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.\n\nB. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.\n\nD. Defendant acknowledges that its Taxpayer Identification Number, which Defendant must submit to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.\n\nE. All money paid to the Commission shall be deposited into a fund administered by the Commission or its designee to be used for consumer relief, on behalf of the Commission, the Bureau, and States’ Attorneys General, including the types of consumer relief enumerated in Section IX (such as enrollment in a credit monitoring product, out-of-pocket losses, time compensation, miscellaneous expenses, and identity theft restoration services), and any attendant expenses for the administration of any fund. If a 50 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 51 of 74 representative of the Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after consumer relief is completed under this subsection, the Commission may apply any remaining money for such other consumer relief (including consumer information remedies) as it determines to be reasonably related to Defendant’s practices alleged in the Complaint. Any money not used for such consumer relief is to be deposited to the U.S. Treasury as disgorgement. All processes and protocols for the effective and efficient administration of the consumer relief are within the sole discretion of the Commission or its representatives and Defendant has no right to challenge any actions the Commission or its representatives may take pursuant to Section XII.E.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Consumer Redress" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "XIII", "title": "Single-Bureau Monitoring and Identity Theft Protection", "category": "affirmative_obligation", "summary": "Defendant must offer single-bureau credit monitoring to Affected Consumers upon expiration of the Product (up to ten years aggregate), additional years for minors (up to eighteen years aggregate), free security freezes for ten years, and six free Personal Consumer Reports per year for seven years.", "verbatim_text": "A. Offer a single-bureau monitoring service with the features described in Exhibit A (“Single-Bureau Monitoring) that has been approved by a representative of the Commission, to Affected Consumers who file a valid claim for Single-Bureau Monitoring and who enroll in the Product. Such Affected Consumers may enroll in the Single-Bureau Monitoring upon expiration of the Product, including any extensions thereof pursuant to Section IX, such that the aggregate number of years of credit monitoring 51 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 52 of 74 provided under Section IX and the Single-Bureau Monitoring equals ten years, except as described in Subsection XIII.B, below.\n\nB. Offer Affected Consumers who were under the age of eighteen on May 13, 2017, additional years of Single-Bureau Monitoring such that the aggregate number of years of credit monitoring provided under Section IX and the Single-Bureau Monitoring equals eighteen years. If an Affected Consumer who enrolled in the Product is under the age of eighteen when the Product expires, the Single-Bureau Monitoring offered will be child monitoring services until such Affected Consumer reaches eighteen years of age.\n\nC. Provide all Affected Consumers with an easily accessible process to place or remove security freezes or locks on their Personal Consumer Report for free for a period of ten years following the date of entry of this Order. Defendant shall not dissuade Affected Consumers from placing or choosing to place a security freeze. Should Defendant offer any standalone product or service as an alternative with substantially similar features as a security freeze (e.g., Lock & Alert), Defendant shall not seek to persuade Affected Consumers to choose the alternative product or service instead of a security freeze.\n\nD. Separate and apart from any statutory or other legal requirements, for a period of seven years starting December 31, 2019, provide to all U.S. 52 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 53 of 74 consumers a clearly accessible process to obtain six free copies during any twelve-month period of their Personal Consumer Report.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Consumer Redress" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "XIV", "title": "Prohibition on Advertising or Marketing to Consumers Who Use Identity Theft Protection Services", "category": "prohibition", "summary": "Defendant must not use information provided by Affected Consumers through the Order's identity theft protection services to sell, upsell, cross-sell, or market its products or services unless it makes a Clear and Conspicuous disclosure and obtains affirmative express consent.", "verbatim_text": "IT IS FURTHER ORDERED that Defendant, Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, shall not use any information provided by an Affected Consumer to enroll in or to use the products and services set forth in Sections IX, XIII.D, and Exhibit A, including the Product, Full Service Identity Restoration Services, Assisted Identity Restoration Services, and the Single-Bureau Credit Monitoring, or the free credit monitoring products (Equifax TrustedID Premier, Equifax Credit Watch Gold with 3 in 1 Monitoring, or Experian IDNotify) offered or paid by Defendant in connection with the Breach (or the fact that the consumer provided such information), to sell, upsell, cross-sell, or directly market or advertise its products or services unless Defendant: A. Makes a Clear and Conspicuous disclosure, separate and apart from any “End User License Agreement,” “Privacy Policy,” “Terms of Use” page, describing how Defendant will use the Affected Consumer’s information; and 53 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 54 of 74 B. Obtains and documents the Affected Consumer’s affirmative express consent.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "XV", "title": "Additional Notice", "category": "affirmative_obligation", "summary": "Defendant must provide specific notices to Affected Consumers and the general public, including website hyperlinks, press releases, and social media posts directing consumers to the Settlement Website, within specified timeframes.", "verbatim_text": "A. To Affected Consumers within seven days of entry of an order permitting issuance of notice of the Settlement, or the Commission notifying Defendant that it is exercising its rights under a Termination Event, whichever is earlier: 1. Posting a Clear and Conspicuous hyperlink to the Settlement Website on the top portion of the landing page for Defendant’s primary, consumer-facing website, www.equifax.com, which shall state “Visit [hyperlink to the Settlement Website] for information on the Equifax Data Breach Settlement” or “Equifax Data Breach Settlement,” which shall remain posted until the expiration of the Initial Claims Period; 2. Posting a Clear and Conspicuous hyperlink to the Settlement Website on the top portion for the landing page for Defendant’s www.equifaxsecurity2017.com website, which shall state “Visit [hyperlink to the Settlement Website] for information on the Equifax Data Breach Settlement” or “Equifax Data Breach Settlement,” which 54 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 55 of 74 shall remain posted until the expiration of the Extended Claims Period;\n\n3. Issuing a press release, using terms consistent with the approved Notice Plan, including a hyperlink to the Settlement Website, with information about the Product, the Consumer Fund, and the Settlement Website;\n\n4. Sending a Twitter notification via Defendant’s primary Twitter account monthly during the Initial Claims Period and then biannually during the Extended Claims Period, the text of which shall read “Visit [hyperlink to the Settlement Website] for information on the Equifax Data Breach Settlement”; and\n\n5. Posting a Facebook notification via Defendant’s primary account monthly during the Initial Claims Period and then biannually during the Extended Claims Period, the text of which shall read “Visit [hyperlink to the Settlement website] for information on the Equifax Data Breach Settlement.”\n\nB. To U.S. consumers, issuing a press release seven days after the relief described in Section XIII.D becomes available, with information about the availability of six free copies of a U.S. consumer’s Personal Consumer Report during any twelve-month period for seven years, including a 55 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 56 of 74 hyperlink to the webpage where consumers can request free Personal Consumer Reports.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Consumer Notification" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "XVI", "title": "Rule Violations", "category": "prohibition", "summary": "Defendant is permanently restrained and enjoined from violating any provision of the Standards for Safeguarding Consumer Information Rule, 16 C.F.R. Part 314.", "verbatim_text": "IT IS FURTHER ORDERED that Defendant, Defendant’s officers, agents, employees and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, are hereby permanently restrained and enjoined from violating any provision of the Standards for Safeguarding Consumer Information Rule, 16 C.F.R. Part 314, a copy of which is attached hereto as Exhibit B.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "XVII", "title": "Order Acknowledgments", "category": "acknowledgment", "summary": "Defendant must submit a sworn acknowledgment of receipt of this Order within seven days, deliver copies of the Order to all principals, officers, directors, managerial employees, and affected business entities for ten years, and obtain signed acknowledgments within 30 days of delivery.", "verbatim_text": "A. Defendant, within seven days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For ten years after entry of this Order, Defendant must deliver a copy of this Order to: (a) all principals, officers, directors, and LLC managers and members; (b) all employees, agents, and representatives having managerial or supervisory responsibilities for conduct related to the subject matter of the 56 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 57 of 74 Order; and (c) any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting; and\n\nD. From each individual or entity to which Defendant delivered a copy of this Order, Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order, which can be obtained electronically.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "XVIII", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Defendant must submit an annual compliance report one year after entry of the Order, notify the Commission within 14 days of any changes to designated contacts or entity structure for 20 years, and notify the Commission within 14 days of any bankruptcy filing.", "verbatim_text": "A. One year after entry of this Order, Defendant must submit a compliance report, sworn under penalty of perjury in which Defendant must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Defendant; (b) identify all of Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the types of goods or services offered, the means of advertising, 57 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 58 of 74 marketing, and sales, and the categories or types of Personal Information collected, transferred, maintained, processed or stored by each business; (d) describe in detail whether and how Defendant is in compliance with each Section of this Order; and (e) provide a copy of or record proving each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. For 20 years after entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of any entity that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against the Defendant within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the 58 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 59 of 74 laws of the United States of America that the foregoing is true and correct. Executed on: ______” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin “Federal Trade Commission v. Equifax Inc., FTC File No. 1723203.”", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "XIX", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Defendant must create certain records for 20 years after entry of the Order and retain each such record for 5 years, including accounting records, personnel records, consumer complaints, information security assessments, representations about data security, and all materials related to Assessments.", "verbatim_text": "20 years after entry of the Order, and retain each such record for 5 years. Specifically, Defendant must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reasons for termination;\n\nC. Copies or records of all U.S. consumer complaints concerning the subject matter of the Order, whether received directly or indirectly, such as through a third party, and any response;\n\nD. A copy of each information security assessment required by this Order and any material evaluations of Defendant’s physical, technical, or administrative controls to protect the confidentiality, integrity, or availability of Personal Information;\n\nE. A copy of each widely disseminated and unique representation by Defendant that describes the extent to which Defendant maintains or protects the privacy, confidentiality, security, or integrity of any Personal Information;\n\nF. For five years after the date of preparation of each Assessment required by this Order, all materials and evidence that are in the Defendant’s possession and control that the Assessor considered, reviewed, relied upon or examined to prepare the Assessment, whether prepared by or on behalf of Defendant, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Defendant’s compliance with related Sections of this Order, for the compliance period covered by such Assessment; and\n\nG. All records necessary to demonstrate full compliance with each provision of this Order; including all submissions to the Commission.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "XX", "title": "Compliance Monitoring", "category": "monitoring", "summary": "The Commission has broad authority to monitor Defendant's compliance, including obtaining additional compliance reports, conducting depositions and discovery, communicating directly with Defendant, interviewing employees, and using undercover means.", "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the Commission, Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\nB. For matters concerning this Order, the Commission is authorized to communicate directly with Defendant. Defendant must permit representatives of the Commission to interview any employee or other person affiliated with Defendant who has agreed to such an interview. The person interviewed may have counsel present.\n\nC. The Commission may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the 61 Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 62 of 74 Commission's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "XXI", "title": "Severability", "category": "affirmative_obligation", "summary": "If any clause, provision, or section of the Order is held illegal, invalid, or unenforceable, the remaining provisions remain in full force and effect.", "verbatim_text": "IT IS FURTHER ORDERED that if any clause, provision, or section of this Order shall, for any reason, be held illegal, invalid, or unenforceable, such illegality, invalidity or unenforceability shall not affect any other clause, provision or section of this Order and this Order shall be construed and enforced as if such illegal, invalid or unenforceable clause, section or provision had not been contained herein.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "XXII", "title": "Retention of Jurisdiction", "category": "duration", "summary": "The Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.", "verbatim_text": "IT IS FUTHER ORDERED that this Court retain jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "docket_number": "1:19-cv-03297-TWT" }, { "provision_number": "I", "title": "Comprehensive Information Security Program", "category": "affirmative_obligation", "summary": "Respondent must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to its size and the sensitivity of personal information it handles.", "verbatim_text": "IT IS ORDERED that respondent shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program 2 that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers, including the security, confidentiality, and integrity of personal information accessible to end users. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers. The information security program must include:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, access, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from the respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.", "violation_type": "unfair", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "08.11_acranet", "company_name": "ACRAnet, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)); Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); and the Standards for Safeguarding Customer Information Rule (16 C.F.R. Part 314), issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3088-acranet-inc-matter", "docket_number": "C-4331" }, { "provision_number": "II", "title": "Prohibition Against Violating the Safeguards Rule", "category": "prohibition", "summary": "Respondent and its officers, agents, representatives, and employees must not violate any provision of the FTC Safeguards Rule (16 C.F.R. Part 314).", "verbatim_text": "IT IS FURTHER ORDERED that respondent and its officers, agents, representatives, and employees, shall not, directly or through any corporation, subsidiary, division, website, or other device, violate any provision of the Safeguards Rule, 16 C.F.R. Part 314. In the event that 3 this Rule is hereafter amended or modified, respondent’s compliance with that Rule as so amended or modified shall not be a violation of this order.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "08.11_acranet", "company_name": "ACRAnet, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)); Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); and the Standards for Safeguarding Customer Information Rule (16 C.F.R. Part 314), issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3088-acranet-inc-matter", "docket_number": "C-4331" }, { "provision_number": "IV", "title": "Third-Party Security Assessments", "category": "assessment", "summary": "Respondent must obtain initial and biennial independent third-party security assessments by a qualified professional (CISSP, CISA, or GIAC-certified), covering the first 180 days and each subsequent two-year period for twenty years.", "verbatim_text": "with Part I of this order, obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Each Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, 600 Pennsylvania Avenue NW, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. explain how the safeguards that have been implemented meet or exceed the protections required by the Safeguards Rule; and\n\nD. certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nRespondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days after respondent receives such request.", "violation_type": "unfair", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "08.11_acranet", "company_name": "ACRAnet, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)); Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); and the Standards for Safeguarding Customer Information Rule (16 C.F.R. Part 314), issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3088-acranet-inc-matter", "docket_number": "C-4331" }, { "provision_number": "V", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Respondent must maintain and make available to the FTC upon request various records for specified periods, including compliance documents, law enforcement communications, and assessment materials.", "verbatim_text": "A. for a period of five (5) years, a print or electronic copy of each document relating to compliance, including but not limited to documents, prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order;\n\nB. for a period of five (5) years, copies of all subpoenas and other communications with law enforcement entities or personnel, whether in written or electronic form, if such documents bear in any respect on respondent’s collection, maintenance, or furnishing of consumer reports or other personal information of consumers; and\n\nC. for a period of three (3) years after the date of preparation of each Assessment required under Part IV of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to the respondent’s compliance with Parts I and II of this order, for the compliance period covered by such Assessment.", "violation_type": "unfair", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "08.11_acranet", "company_name": "ACRAnet, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)); Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); and the Standards for Safeguarding Customer Information Rule (16 C.F.R. Part 314), issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3088-acranet-inc-matter", "docket_number": "C-4331" }, { "provision_number": "VI", "title": "Order Delivery and Acknowledgment", "category": "acknowledgment", "summary": "For five years from entry of the order, respondent must deliver copies of the order to principals, officers, directors, managers, relevant employees, and successor entities, and obtain signed acknowledgments of receipt within 30 days.", "verbatim_text": "A. Respondent must deliver a copy of this Order to (1) all current and future principals, officers, directors, and managers, (2) all employees, agents and representatives who engage in conduct related to the subject matter of the Order, and (3) any business entity resulting from any change in structure set forth in Part VII. For current personnel, delivery shall be within five (5) days of service of this 5 Order. For new personnel, delivery shall occur prior to them assuming their responsibilities. For any business entity resulting from any change in structure set forth in Part VII, delivery shall be at least ten (10) days prior to the change in structure.\n\nB. Respondent must secure a signed and dated statement acknowledging receipt of this Order, within thirty (30) days of delivery, from all persons receiving a copy of the Order pursuant to this section.", "violation_type": "unfair", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "08.11_acranet", "company_name": "ACRAnet, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)); Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); and the Standards for Safeguarding Customer Information Rule (16 C.F.R. Part 314), issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3088-acranet-inc-matter", "docket_number": "C-4331" }, { "provision_number": "VII", "title": "Corporate Change Notification", "category": "compliance_reporting", "summary": "Respondent must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations, such as dissolution, merger, sale, bankruptcy filing, or name/address change.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, with the subject line FTC v. ACRAnet, Inc. Provided, however, that, in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of such notices is contemporaneously sent to the Commission at DEbrief@ftc.gov.", "violation_type": "unfair", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "08.11_acranet", "company_name": "ACRAnet, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)); Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); and the Standards for Safeguarding Customer Information Rule (16 C.F.R. Part 314), issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3088-acranet-inc-matter", "docket_number": "C-4331" }, { "provision_number": "VIII", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Respondent must file an initial written compliance report with the FTC within 60 days of service of the order, and submit additional written reports within 10 days of FTC request.", "verbatim_text": "IT IS FURTHER ORDERED that respondent, and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of their own compliance with this order. Within ten (10) days of receipt of written notice from a representative of the\n\nwith this order. Within ten (10) days of receipt of written notice from a representative of the Commission, they shall submit additional true and accurate written reports.", "violation_type": "unfair", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "08.11_acranet", "company_name": "ACRAnet, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)); Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); and the Standards for Safeguarding Customer Information Rule (16 C.F.R. Part 314), issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3088-acranet-inc-matter", "docket_number": "C-4331" }, { "provision_number": "IX", "title": "Order Duration", "category": "duration", "summary": "The order terminates on August 17, 2031, or twenty years from the most recent date the FTC files a complaint alleging a violation of the order, whichever is later, with specific exceptions.", "verbatim_text": "This order will terminate on August 17, 2031, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an 6 accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in less than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "unfair", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "08.11_acranet", "company_name": "ACRAnet, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)); Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); and the Standards for Safeguarding Customer Information Rule (16 C.F.R. Part 314), issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3088-acranet-inc-matter", "docket_number": "C-4331" }, { "provision_number": "I", "title": "Comprehensive Information Security Program", "category": "affirmative_obligation", "summary": "Corporate respondent and any business entity controlled by Individual respondent that collects, maintains, or stores personal information must establish, implement, and maintain a comprehensive information security program, documented in writing, with administrative, technical, and physical safeguards.", "verbatim_text": "IT IS ORDERED that Corporate respondent and any business entity that Individual respondent, Robert Fajilan, controls, directly or indirectly, which collects, maintains, or stores personal information from or about consumers, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers, including the security, confidentiality, and integrity of personal information accessible to end users. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to Corporate respondent’s or the entity’s size and complexity, the nature and scope of Corporate respondent’s or the entity’s activities, and the sensitivity of the personal information collected from or about consumers. The information security program must include:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, access, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing or monitoring 3 of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from the Corporate respondent or the entity, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. the evaluation and adjustment of respondent’s or the entity’s information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to Corporate respondent’s or the entity’s operations or business arrangements, or any other circumstances that Corporate respondent or the entity know or have reason to know may have a material impact on the effectiveness of their information security program.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "08.11_fajilan_and_associates_also_dba_statewide_credit_services", "company_name": "Fajilan and Associates, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3089-fajilan-associates-inc-also-dba-statewide-credit-services-matter", "docket_number": "C-4332" }, { "provision_number": "II", "title": "Prohibition Against Safeguards Rule Violations", "category": "prohibition", "summary": "Corporate respondent and any business entity controlled by Individual respondent must not violate any provision of the FTC Safeguards Rule, 16 C.F.R. Part 314.", "verbatim_text": "IT IS FURTHER ORDERED that Corporate respondent and any business entity that Individual respondent, Robert Fajilan controls, directly or indirectly, and their officers, agents, representatives, and employees, shall not, directly or through any corporation, subsidiary, division, website, or other device, violate any provision of the Safeguards Rule, 16 C.F.R. Part 314. In the event that this Rule is hereafter amended or modified, respondents’ compliance with that Rule as so amended or modified shall not be a violation of this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "08.11_fajilan_and_associates_also_dba_statewide_credit_services", "company_name": "Fajilan and Associates, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3089-fajilan-associates-inc-also-dba-statewide-credit-services-matter", "docket_number": "C-4332" }, { "provision_number": "IV", "title": "Third-Party Security Assessments", "category": "assessment", "summary": "Respondents must obtain initial and biennial third-party security assessments from a qualified, independent professional (CISSP, CISA, or GIAC-certified), covering the first 180 days after service and then every two years for 20 years.", "verbatim_text": "compliance with Part I of this order, obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Each Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that Corporate respondent or the entity have implemented and maintained during the reporting period;\n\nB. explain how such safeguards are appropriate to Corporate respondent’s or the entity’s size and complexity, the nature and scope of Corporate respondent’s or the entity’s activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. explain how the safeguards that have been implemented meet or exceed the protections required by the Safeguards Rule; and\n\nD. certify that Corporate respondent’s or the entity’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nRespondents shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondents until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days after respondents receive such request.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "08.11_fajilan_and_associates_also_dba_statewide_credit_services", "company_name": "Fajilan and Associates, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3089-fajilan-associates-inc-also-dba-statewide-credit-services-matter", "docket_number": "C-4332" }, { "provision_number": "V", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Respondents must maintain and make available to the FTC specified records for defined periods: compliance documents for 5 years, law enforcement communications for 5 years, and assessment-related materials for 3 years after each Assessment.", "verbatim_text": "A. for a period of five (5) years, a print or electronic copy of each document relating to compliance, including but not limited to documents, prepared by or on behalf of Corporate respondent or the entity, that contradict, qualify, or call into question Corporate respondent’s or the entity’s compliance with this order;\n\nB. for a period of five (5) years, copies of all subpoenas and other communications with law enforcement entities or personnel, whether in written or electronic form, if such documents bear in any respect on Corporate respondent’s or the entity’s collection, maintenance, or furnishing of consumer reports or other personal information of consumers; and\n\nC. for a period of three (3) years after the date of preparation of each Assessment required under Part IV of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the Corporate respondent or the entity, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to the Corporate respondent’s or the entity’s compliance with Parts I and II of this order, for the compliance period covered by such Assessment.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "08.11_fajilan_and_associates_also_dba_statewide_credit_services", "company_name": "Fajilan and Associates, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3089-fajilan-associates-inc-also-dba-statewide-credit-services-matter", "docket_number": "C-4332" }, { "provision_number": "VI", "title": "Order Delivery and Acknowledgment", "category": "acknowledgment", "summary": "For 5 years from entry of the order, respondents must deliver copies of the order to current and future principals, officers, managers, employees, and agents, and must obtain signed, dated acknowledgments of receipt within 30 days of delivery.", "verbatim_text": "A. Corporate respondent must deliver a copy of this Order to (1) all current and future principals, officers, directors, and managers, (2) all employees, agents and representatives who engage in conduct related to the subject matter of the Order, and (3) any business entity resulting from any change in structure set forth in Part VIII. For current personnel, delivery shall be within five (5) days of service of this Order. For new personnel, delivery shall occur prior to them assuming their responsibilities. For any business entity resulting from any change in structure set forth in Part VIII, delivery shall be at least ten (10) days prior to the change in structure.\n\nB. For any business that Individual respondent, Robert Fajilan, controls, directly or indirectly, which collects, maintains, or stores personal information from or about consumers, Individual respondent must deliver a copy of this Order to (1) all principals, officers, directors, and managers of that business, (2) all employees, agents, and representatives of that business who engage in conduct related to the subject matter of the Order, and (3) any business entity resulting from any change in structure set forth in Part VII. For current personnel, delivery shall be within five (5) days of service of this Order. For new personnel, delivery shall occur prior to them assuming their responsibilities. For any business entity resulting from any change in structure set forth in Part VII, delivery shall be at least ten (10) days prior to the change in structure.\n\nC. For any business that collects, maintains, or stores personal information from or about consumers, where Individual respondent, Robert Fajilan, is not a controlling person of the business, but he otherwise has responsibility, in whole or in part, for developing or overseeing the implementation of policies and procedures to protect the privacy, security, confidentiality, or integrity of personal information collected from or about consumers by the business, Individual respondent must deliver a copy of this Order to all principals and managers of such business before engaging in such conduct.\n\nD. Respondents must secure a signed and dated statement acknowledging receipt of this Order, within thirty (30) days of delivery, from all persons receiving a copy of the Order pursuant to this section.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "08.11_fajilan_and_associates_also_dba_statewide_credit_services", "company_name": "Fajilan and Associates, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3089-fajilan-associates-inc-also-dba-statewide-credit-services-matter", "docket_number": "C-4332" }, { "provision_number": "VII", "title": "Individual Respondent Notification Requirements", "category": "compliance_reporting", "summary": "For 10 years from entry of the order, Individual respondent Robert Fajilan must notify the Commission of changes to his residence/contact information, business or employment status and ownership interests, and name or aliases.", "verbatim_text": "A. Any changes in Individual respondent’s residence, mailing address, and or telephone numbers, within ten (10) days of such a change;\n\nB. Any changes in Individual respondent’s business or employment status (including self-employment), and any changes in his ownership in any business entity, within ten (10) days of such a change. Such notice shall include the name and address of each business that respondent is affiliated with, employed by, created or forms, or performs services for; a detailed description of the nature of the business or employment; and a detailed description of the respondent’s duties and responsibilities in connection with such business or employment; and\n\nC. Any changes in Individual respondent’s name or use of any aliases or fictitious names, including “doing business as” names.\n\nUnless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, with the subject line FTC v. Fajilan and Associates, Inc. also d/b/a Statewide Credit Services, and Robert Fajilan. Provided, however, that, in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of such notices is contemporaneously sent to the Commission at DEbrief@ftc.gov.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "08.11_fajilan_and_associates_also_dba_statewide_credit_services", "company_name": "Fajilan and Associates, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3089-fajilan-associates-inc-also-dba-statewide-credit-services-matter", "docket_number": "C-4332" }, { "provision_number": "VIII", "title": "Corporate Respondent Change Notification", "category": "compliance_reporting", "summary": "Corporate respondent must notify the Commission at least 30 days prior to any corporate change that may affect compliance obligations, such as dissolution, sale, merger, bankruptcy filing, or change of name or address.", "verbatim_text": "IT IS FURTHER ORDERED that Corporate respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, 7 merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that with respect to any proposed change in the corporation about which Corporate respondent learns less than thirty (30) days prior to the date such action is to take place, Corporate respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, with the subject line FTC v. Fajilan and Associates Inc., d/b/a Statewide Credit Services, and Robert Fajilan. Provided, however, that, in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of such notices is contemporaneously sent to the Commission at DEbrief@ftc.gov.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "08.11_fajilan_and_associates_also_dba_statewide_credit_services", "company_name": "Fajilan and Associates, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3089-fajilan-associates-inc-also-dba-statewide-credit-services-matter", "docket_number": "C-4332" }, { "provision_number": "IX", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Respondents must file an initial written compliance report with the FTC within 60 days of service of the order, and submit additional written reports within 10 days of written notice from the Commission.", "verbatim_text": "and Individual respondent Robert Fajilan, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of their own compliance with this order. Within ten (10) days of receipt of\n\nthe manner and form of their own compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, they shall submit additional true and accurate written reports.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "08.11_fajilan_and_associates_also_dba_statewide_credit_services", "company_name": "Fajilan and Associates, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3089-fajilan-associates-inc-also-dba-statewide-credit-services-matter", "docket_number": "C-4332" }, { "provision_number": "X", "title": "Order Duration and Termination", "category": "duration", "summary": "The order terminates on August 17, 2031, or 20 years from the most recent date the FTC files a federal court complaint alleging a violation of the order, whichever is later, subject to specified exceptions.", "verbatim_text": "This order will terminate on August 17, 2031, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in less than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondents did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "08.11_fajilan_and_associates_also_dba_statewide_credit_services", "company_name": "Fajilan and Associates, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3089-fajilan-associates-inc-also-dba-statewide-credit-services-matter", "docket_number": "C-4332" }, { "provision_number": "I", "title": "Comprehensive Information Security Program", "category": "affirmative_obligation", "summary": "Respondents must establish, implement, and maintain a comprehensive written information security program with specific safeguards appropriate to their size, complexity, and the sensitivity of personal information they collect.", "verbatim_text": "IT IS ORDERED that respondents shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers, including the security, confidentiality, and integrity of personal information accessible to end users. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to the respondents’ size and complexity, the nature and scope of the respondents’ activities, and the sensitivity of the personal information collected from or about consumers. The information security program must include:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, access, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they 3 receive from the respondents, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. the evaluation and adjustment of the respondents’ information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to respondents’ operations or business arrangements, or any other circumstances that respondents know or have reason to know may have a material impact on the effectiveness of their information security program.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "08.11_settlementone_credit_corporation", "company_name": "SettlementOne Credit Corporation", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3208-settlementone-credit-corporation", "docket_number": "C-4330" }, { "provision_number": "II", "title": "Compliance with the Safeguards Rule", "category": "prohibition", "summary": "Respondents and their agents must not violate any provision of the FTC Safeguards Rule (16 C.F.R. Part 314), including as it may be amended or modified.", "verbatim_text": "IT IS FURTHER ORDERED that respondents and their officers, agents, representatives, and employees, shall not, directly or through any corporation, subsidiary, division, website, or other device, violate any provision of the Safeguards Rule, 16 C.F.R. Part 314. In the event that this Rule is hereafter amended or modified, respondents’ compliance with that Rule as so amended or modified shall not be a violation of this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "08.11_settlementone_credit_corporation", "company_name": "SettlementOne Credit Corporation", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3208-settlementone-credit-corporation", "docket_number": "C-4330" }, { "provision_number": "IV", "title": "Initial and Biennial Third-Party Security Assessments", "category": "assessment", "summary": "Respondents must obtain initial and biennial independent third-party assessments of their information security program from a qualified professional (CISSP, CISA, or GIAC), with the initial assessment covering the first 180 days and biennial assessments covering each subsequent 2-year period for 20 years.", "verbatim_text": "compliance with Part I of this order, obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession, provided however, that except for SettlementOne Credit Corporation for which such Assessments are always required, Sackett National Holdings, Inc. shall not be required to obtain such Assessments for any subsidiary, division, affiliate, successor or assign if the personal information such entities collect, maintain, or store from or about consumers is limited to a first and last name; a home or other physical address, including street name and name of city or town; an email address; a telephone number; or publicly available information regarding property ownership and appraised home value. Each\n\nAssessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. set forth the specific administrative, technical, and physical safeguards that respondents have implemented and maintained during the reporting period;\n\nB. explain how such safeguards are appropriate to respondents’ size and complexity, the nature and scope of respondents’ activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. explain how the safeguards that have been implemented meet or exceed the protections required by the Safeguards Rule; and\n\nD. certify that respondents’ security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nRespondents shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondents until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days after respondents receive such request.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "08.11_settlementone_credit_corporation", "company_name": "SettlementOne Credit Corporation", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3208-settlementone-credit-corporation", "docket_number": "C-4330" }, { "provision_number": "V", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Respondents must maintain and make available to the FTC compliance-related documents for five years, law enforcement communications for five years, and all materials used to prepare each Assessment for three years after preparation.", "verbatim_text": "A. for a period of five (5) years, a print or electronic copy of each document relating to compliance, including but not limited to documents, prepared by or on behalf of respondents, that contradict, qualify, or call into question respondents’ compliance with this order;\n\nB. for a period of five (5) years, copies of all subpoenas and other communications with law enforcement entities or personnel, whether in written or electronic form, 5 if such documents bear in any respect on respondents’ collection, maintenance, or furnishing of consumer reports or other personal information of consumers; and\n\nC. for a period of three (3) years after the date of preparation of each Assessment required under Part IV of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondents, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondents’ compliance with Parts I and II of this order, for the compliance period covered by such Assessment.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "08.11_settlementone_credit_corporation", "company_name": "SettlementOne Credit Corporation", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3208-settlementone-credit-corporation", "docket_number": "C-4330" }, { "provision_number": "VI", "title": "Order Distribution and Acknowledgment", "category": "acknowledgment", "summary": "For five years, respondents must deliver copies of the order to current and future principals, officers, directors, managers, relevant employees, and successor business entities, and must obtain signed acknowledgments of receipt within 30 days of delivery.", "verbatim_text": "IT IS FURTHER ORDERED, that for a period of five (5) years from the date of entry of this Order, respondents shall deliver copies of the Order as directed below: A. Respondents must deliver a copy of this order to (1) all current and future principals, officers, directors and managers, (2) all employees, agents and representatives who engage in conduct related to the subject matter of the order, and (3) any business entity resulting from any change in structure set forth in Part VII. For current personnel, delivery shall be within five (5) days of service of this Order. For new personnel, delivery shall occur prior to them assuming their responsibilities. For any business entity resulting from any change in structure set forth in Part VII, delivery shall be at least ten (10) days prior to the change in structure.\n\nB. Respondents must secure a signed and dated statement acknowledging receipt of this Order, within thirty (30) days of delivery, from all persons receiving a copy of the Order pursuant to this section.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "08.11_settlementone_credit_corporation", "company_name": "SettlementOne Credit Corporation", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3208-settlementone-credit-corporation", "docket_number": "C-4330" }, { "provision_number": "VII", "title": "Notification of Corporate Changes", "category": "compliance_reporting", "summary": "Respondents must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations, such as dissolution, merger, sale, bankruptcy filing, or name/address change, with expedited notice if less than 30 days' advance knowledge.", "verbatim_text": "IT IS FURTHER ORDERED that respondents shall notify the Commission at least thirty (30) days prior to any change in the corporations that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that with respect to any proposed change in the corporations about which respondents learn less than thirty (30) days prior to the date such action is to take place, respondents shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nUnless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania 6 Avenue NW, Washington, D.C. 20580, with the subject line FTC v. SettlementOne Credit Corporation, and Sackett National Holdings, Inc. Provided, however, that, in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of such notices is contemporaneously sent to the Commission at DEbrief@ftc.gov.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "08.11_settlementone_credit_corporation", "company_name": "SettlementOne Credit Corporation", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3208-settlementone-credit-corporation", "docket_number": "C-4330" }, { "provision_number": "VIII", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Respondents must file an initial written compliance report with the FTC within 60 days of service of the order and submit additional written reports within 10 days of written notice from the Commission.", "verbatim_text": "IT IS FURTHER ORDERED that respondents and their successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of their own compliance\n\nwith this order. Within ten (10) day of receipt of written notice from a representative of the Commission, they shall submit additional true and accurate written reports.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "08.11_settlementone_credit_corporation", "company_name": "SettlementOne Credit Corporation", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3208-settlementone-credit-corporation", "docket_number": "C-4330" }, { "provision_number": "IX", "title": "Order Duration and Termination", "category": "duration", "summary": "The order terminates on August 17, 2031, or 20 years from the most recent date a complaint is filed in federal court alleging a violation of the order, whichever is later, with specific carve-outs for sub-provisions with shorter durations and for dismissed complaints.", "verbatim_text": "This order will terminate on August 17, 2031, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in less than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that respondents did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "08.11_settlementone_credit_corporation", "company_name": "SettlementOne Credit Corporation", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3208-settlementone-credit-corporation", "docket_number": "C-4330" }, { "provision_number": "I", "title": "Mandated Information Security Program", "category": "affirmative_obligation", "summary": "Respondent must establish, implement, and maintain a comprehensive information security program protecting the security, confidentiality, and integrity of Personal Information before transferring, selling, sharing, collecting, maintaining, or storing such information.", "verbatim_text": "IT IS ORDERED that Respondent, and any business that Respondent controls directly, or indirectly, shall not transfer, sell, share, collect, maintain, or store Personal Information unless it establishes and implements, and thereafter maintains, a comprehensive information security program (“Information Security Program”) that protects the security, confidentiality, and Page 2 of 11 integrity of such Personal Information. To satisfy this requirement, Respondent must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Information Security Program;\n\nB. Provide the written program and any evaluations thereof or updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondent responsible for Respondent’s Information Security Program at least once every twelve (12) months and promptly after a Covered Incident;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program;\n\nD. Assess and document, at least once every twelve (12) months and promptly following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Personal Information that could result in the unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of such information;\n\nE. Design, implement, maintain, and document safeguards that control for the internal and external risks Respondent identifies to the security, confidentiality, or integrity of Personal Information identified in response to sub-Provision I.D. Such safeguards shall also include: 1. Training of all of Respondent’s employees, at least once every twelve (12) months, on how to safeguard Personal Information; 2. Technical measures to monitor all of Respondent’s networks and all systems and assets within those networks to identify data security events, including unauthorized attempts to exfiltrate Personal Information from those networks; 3. Data access controls for all databases storing Personal Information, including by, at a minimum, (a) restricting inbound connections to approved IP addresses, (b) requiring authentication to access them, and (c) limiting employee access to what is needed to perform that employee’s job function; 4. Encryption of all Social Security numbers and financial account information on Respondent’s computer networks; and 5. Policies and procedures to ensure that all devices on Respondent’s network with access to Personal Information are securely installed and inventoried at least once every twelve (12) months.\n\nF. Assess, at least once every twelve (12) months and promptly following a Covered Incident, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Personal Information, and modify the Information Security Program based on the results.\n\nG. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months and promptly following a Covered Incident, and modify the Information Security Program based on the results. Such testing shall include vulnerability testing of Respondent’s network once every four months and promptly after a Covered Incident, and penetration testing of Respondent’s network at least once every twelve (12) months and promptly after a Covered Incident;\n\nH. Select and retain service providers capable of safeguarding Personal Information they access through or receive from Respondent, and contractually require service providers to implement and maintain safeguards for Personal Information; and\n\nI. Evaluate and adjust the Information Security Program in light of any changes to Respondent’s operations or business arrangements, a Covered Incident, or any other circumstances that Respondent knows or has reason to know may have an impact on the effectiveness of the Information Security Program. At a minimum, Respondent must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program based on the results.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "09.19_lightyear_dealer_technologies", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "docket_number": "C-4687" }, { "provision_number": "II", "title": "Information Security Assessments by a Third Party", "category": "assessment", "summary": "Respondent must obtain an initial and biennial independent third-party assessments of its Information Security Program, with specific assessor qualifications, reporting periods, and submission requirements.", "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; and (3) retains all documents relevant to each Assessment for five (5) years after completion of such Assessment and will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney client privilege, statutory exemption, or any similar claim.\n\nB. For each Assessment, Respondent shall provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name Page 4 of 11 and affiliation of the person selected to conduct the Assessment, which the Associate Director shall have the authority to approve in his sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each 2-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments.\n\nD. Each Assessment must: (1) determine whether Respondent has implemented and maintained the Information Security Program required by Provision I of this Order, titled Mandated Information Security Program; (2) assess the effectiveness of Respondent’s implementation and maintenance of sub-Provisions I.A-I; (3) identify any gaps or weaknesses in the Information Security Program; and (4) identify specific evidence (including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely solely on assertions or attestations by Respondent’s management. The Assessment shall be signed by the Assessor and shall state that the Assessor conducted an independent review of the Information Security Program, and did not rely solely on assertions or attestations by Respondent’s management.\n\nE. Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re LightYear Dealer Technologies, LLC, d/b/a DealerBuilt, FTC File No. 172 3051.” All subsequent biennial Assessments shall be retained by Respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "09.19_lightyear_dealer_technologies", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "docket_number": "C-4687" }, { "provision_number": "III", "title": "Cooperation with Third Party Information Security Assessor", "category": "affirmative_obligation", "summary": "Respondent must disclose all material facts to the Assessor and must not misrepresent any fact material to the Assessor's determinations regarding the Information Security Program.", "verbatim_text": "IT IS FURTHER ORDERED that Respondent, whether acting directly or indirectly, in connection with any Assessment required by Provision II of this Order titled Information Security Assessments by a Third Party, must disclose all material facts to the Assessor, and must not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Respondent has implemented and maintained the Information Security Program required by Provision I of this Order, titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub- Page 5 of 11 Provisions I.A-I; or (3) identification of any gaps or weaknesses in the Information Security Program.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "09.19_lightyear_dealer_technologies", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "docket_number": "C-4687" }, { "provision_number": "IV", "title": "Annual Certification", "category": "compliance_reporting", "summary": "Respondent must provide the Commission with annual certifications from a senior corporate manager or officer attesting to compliance with the Order and disclosing any Covered Incidents.", "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondent responsible for Respondent’s Information Security Program that: (1) Respondent has established, implemented, and maintained the requirements of this Order; (2) Respondent is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of a Covered Incident. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re LightYear Dealer Technologies, LLC, d/b/a DealerBuilt, FTC File No. 172 3051.”", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "09.19_lightyear_dealer_technologies", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "docket_number": "C-4687" }, { "provision_number": "V", "title": "Covered Incident Reports", "category": "compliance_reporting", "summary": "Respondent must submit a report to the Commission within 10 days of first notifying any government entity of a Covered Incident, containing specified details about the incident.", "verbatim_text": "IT IS FURTHER ORDERED that Respondent, within a reasonable time after the date of Respondent’s discovery of a Covered Incident, but in any event no later than ten (10) days after the date Respondent first notifies any U.S. federal, state, or local government entity of the Covered Incident, must submit a report to the Commission. The report must include, to the extent possible: A. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known; C. A description of each type of information that triggered the notification obligation to the U.S. federal, state, or local government entity; D. The number of consumers whose information triggered the notification obligation to the U.S. federal, state, or local government entity; Page 6 of 11 E. The acts that Respondent has taken to date to remediate the Covered Incident and protect Personal Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of each materially different notice required by U.S. federal, state, or local law or regulation and sent by Respondent to consumers or to any U.S. federal, state, or local government entity.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re LightYear Dealer Technologies, LLC, d/b/a DealerBuilt, FTC File No. 172 3051.”", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "09.19_lightyear_dealer_technologies", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "docket_number": "C-4687" }, { "provision_number": "VI", "title": "GLB Rule Violations", "category": "prohibition", "summary": "Respondent and all associated persons with notice of this Order are permanently restrained and enjoined from violating any provision of the FTC's Safeguards Rule, 16 C.F.R. Part 314.", "verbatim_text": "IT IS FURTHER ORDERED that Respondent, and Respondent’s officers, agents, employees and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, are hereby permanently restrained and enjoined from violating any provision of The Standards for Safeguarding Consumer Information Rule, 16 C.F.R. Part 314, appended hereto.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "09.19_lightyear_dealer_technologies", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "docket_number": "C-4687" }, { "provision_number": "VII", "title": "Acknowledgments of the Order", "category": "acknowledgment", "summary": "Respondent must submit its own acknowledgment of receipt of the Order within 10 days, deliver copies to all relevant personnel and successor entities, and obtain signed acknowledgments from each recipient within 30 days.", "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives with responsibilities related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in Provision VIII of this Order titled Compliance Reports and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "09.19_lightyear_dealer_technologies", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "docket_number": "C-4687" }, { "provision_number": "VIII", "title": "Compliance Reports and Notices", "category": "compliance_reporting", "summary": "Respondent must submit a sworn compliance report one year after issuance, sworn notices of material changes within 14 days, and notice of any bankruptcy filing within 14 days.", "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (2) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (4) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and (5) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; or (2) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Page 8 of 11 Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re LightYear Dealer Technologies, LLC, d/b/a DealerBuilt, FTC File No. 172 3051.”", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "09.19_lightyear_dealer_technologies", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "docket_number": "C-4687" }, { "provision_number": "IX", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Respondent must create and retain for five years certain categories of records for 20 years after the Order issuance date, including accounting records, personnel records, consumer complaints, privacy representations, assessment materials, and all compliance records.", "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for twenty (20) years after the issuance date of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints concerning the subject matter of the Order, whether received directly or indirectly, such as through a third party, and any response;\n\nD. A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, confidentiality, security, or integrity of any Personal Information, including any representation concerning a change in any website or other service controlled by Respondent that relates to the privacy, confidentiality, security, or integrity of Personal Information;\n\nE. For five (5) years after the date of preparation of each Assessment required by this Order, all materials and evidence that the Assessor considered, reviewed, relied upon or examined to prepare the Assessment, whether prepared by or on behalf of Respondents, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondents’ compliance with related Provisions of this Order, for the compliance period covered by such Assessment; and\n\nF. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "09.19_lightyear_dealer_technologies", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "docket_number": "C-4687" }, { "provision_number": "X", "title": "Compliance Monitoring", "category": "monitoring", "summary": "The Commission is authorized to monitor Respondent's compliance by requesting sworn reports and records, communicating directly with and interviewing Respondent's personnel, and using all other lawful means including undercover methods.", "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested Page 9 of 11 information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "09.19_lightyear_dealer_technologies", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "docket_number": "C-4687" }, { "provision_number": "XI", "title": "Order Effective Dates", "category": "duration", "summary": "The Order is effective upon publication on the FTC website and terminates on September 3, 2039, or 20 years from the most recent date the Commission files a complaint alleging a violation of this Order, whichever is later.", "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on September 3, 2039, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than twenty (20) years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision. Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any Provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "09.19_lightyear_dealer_technologies", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "docket_number": "C-4687" }, { "provision_number": "IV", "title": "Injunction Against Violating Section 521 of the Gramm-Leach-Bliley Act", "category": "prohibition", "summary": "Defendants are permanently restrained from violating or assisting any person in violating Section 521 of the Gramm-Leach-Bliley Act, including inducing consumers to divulge personal financial information through false representations.", "verbatim_text": "IT IS that the Defendants are hereby permanently restrained FUTHER ORDERED and enjoined from violating or assisting any person in the violation of Section 521 of the Gramm-Leach- 6821 (attached hereto as Appendix B), including, but not BliJey Act, 15 C. , inducing consumers to divulge their personal financial information by makng any limited to false, fictitious, or fraudulent representation, including, but not limited to, the following:\n\nAny false, fictitious, or fraudulent representation that the Defendants are affliated with or calling from or on behalf of, a bank, financial institution, or credit card company; and\n\nAny false, fictitious, or fraudulent representation that the Defendants already possess, and are merely verifying, consumers' prior credit ap?lications.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Prohibition" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "V", "title": "Redress and Other Equitable Relief from the Canadian Defendants", "category": "affirmative_obligation", "summary": "Judgment of $9,066,434 is entered jointly and severally against the Canadian Defendants; they must pay $405,589.50 to the Commission within five business days of entry of the Order, with the remainder suspended upon timely payment.", "verbatim_text": "Judgment is entered jointly and severally against Quebec, Inc. , Mitchel Kastner, Corber, and Jason Kastner in the amount of $9,066,434; the Canadian Defendants shall pay the Commssion $405,589.50, on or before the fifth (51h ) business day following the date ofthe entry of this Order by wire transfer to the Commssion at Treasury ABA number: 021030004 (agency bank account -- via New York Federal Reserve Bank), Commssion s ALC number: 29000001 (agency location code).\n\nUpon timely makng the payment provided in this Paragraph, the remainder of the judgment shall be suspended.\n\nAll funds paid by the Canadian Defendants to the Commission pursuant to this Final Order may be deposited into a fund administered by the Commission or its agent to be used for equitable relief, including, but not limited to, consumer redress and any attendant expenses for the administration of any redress fund. In the event that direct redress to consumers is wholly or partially impracticable or funds remain after redress is completed, the Commssion may pay any remaining funds for such other equitable relief (including consumer infonnation remedies) as it determnes to be reasonably related to the Defendants ' practices as alleged in the complaint. Any funds not used for such equitable relief shaH be deposited into the United States Treasury as disgorgement. The Canadian Defendants shall have no right to challengethe Commission choice of remedies under this Paragraph.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Monetary Penalty" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "VI", "title": "Right to Enforce Suspended Judgment Against the Canadian Defendants", "category": "affirmative_obligation", "summary": "The Commission's agreement to suspend judgment is premised on the accuracy of the Canadian Defendants' sworn financial statements; if misrepresentation is found, the full $9,066,434 judgment becomes immediately due.", "verbatim_text": "The Commssion s agreement to this Final Order is expressly premised upon the financial conditions of Quebec, Inc., Mitchel Kastner, Corber, and Jason Kastner as represented in the sworn financial statements provided to the Commssion and dated December 19, 2003; December 22 2003; December 23 2003; December 24 2003; and November 17, 2004, any amendments thereto submitted to the Commission through the date of this Order, and any sworn testimony regarding assets given by any Canadian Defendant through the date of ths Order, which include material infonnation upon which the Commssion relied in negotiating and consenting to this Final Order. Quebec, Inc., Mitchel Kastner, Corber, and Jason Kastner state that those fina cial statements, any amendments thereto, and any sworn testimony regarding ths assets are complete and accurate representarions of their financial conditions as of the date of Order. The paries stipulate that the Commission s agreement to suspend the remainder of the 066,434 judgment is expressly conditioned on the truthfulness, accuracy, and completeness of the Canadian Defendants' sworn financial statements, any amendments thereto, and any sworn testimony regarding their assets. The parties further stipulate that the Commssion would not have agreed to suspend the remainder of the judgment if it had been aware that any such financial disclosure was not truthful, accurate, or complete. If, upon motion by the Commssion, this , . Court should find that Quebec, Inc., Mitchel Kastner, Corber, or Jason Kastner made a significant misrepresentation or omitted significant infonnation concerning their respective financial conditions, then the Court shall enter a modified judgment holding that any such defendant is liable to the Commission in the amount of $9,066,434, which Quebec, Inc., Mitchel Kastner, Corber, Jason Kastner, and the Commission stipulate, for the sole purpose of enforcement of this provision of the Order, is the amount of consumer injury caused by the Canadian Defendants. This amount, less the sum of payments made by any Defendant to the Commssion, shaH become immediately due and payable by any such Canadian Defendant, and interest computed at the rate prescribed under 28 U. 1961, as amended, shall immediately c. begin to accrue on the unpaid balance.\n\nQuebec, Inc. , Mitchel Kastner, Corber, and Jason Kastner agree that the facts as alleged in the Complaint filed in this action shall be taken as true for the purpose of any subsequent litigation filed by the Commssion to enforce its rights pursuant to this Order, , a nondischargeabi1ity complaint filed in any bankrptcy proceeding. including, but not limited to", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Consumer Redress" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "VII", "title": "Redress and Other Equitable Relief from the Florida Defendants", "category": "affirmative_obligation", "summary": "Judgment of $9,066,434 is entered jointly and severally against the Florida Defendants; they must pay $9,600 to the Commission within five business days of entry of the Order, with the remainder suspended upon timely payment.", "verbatim_text": "Judgment is entered jointly and severaHy against Sun Spectrum, NACO, WWCI, Maren $9,066, the Florida Defendants shaH pay the , and Bascove in the amount of 434; Commssion $9,600, on or before the fifth (Sth) business day fol1owing the date of entr of this Order by wire transfer to the Commssion at Treasury ABA number: 021030004 (agency bank account -- via New York Federal Reserve Bank), Commssion s ALC number: 29000001 (agency location code).\n\nUpon timely making the payment provided in this Paragraph, the remainder of the judgment shall be suspended.\n\nAll funds paid by the Florida Defendants to the Commission pursuant to this Final - , Order may be deposited into a fund administered by the Commission or its agent to be used for equitable relief, including, but not limited to, consumer redress and any attendant expenses for the administration of any redress fund. In the event that direct redress to consumers is wholly or partially impracticable or funds remain after redress is completed, the Commssion may use any remaining funds for such other equitable relief (including consumer information remedies) as it detenrnes to be reasonably related to the Defendants' practices as alleged in the complaint. Any funds not used for such equitable relief shall be deposited into the United States Treasury as disgorgement. The Florida Defendants shall have no right to challenge the Commssion s choice of remedies under this Pargraph.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Monetary Penalty" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "VIII", "title": "Right to Enforce Suspended Judgment Against the Florida Defendants", "category": "affirmative_obligation", "summary": "The Commission's agreement to suspend judgment is premised on the accuracy of the Florida Defendants' sworn financial statements; if misrepresentation is found, the full $9,066,434 judgment becomes immediately due.", "verbatim_text": "The Commssion s agreement to this Final Order is expressly premised upon the financial conditions of Sun Spectrum, NACO, WWCI, Marten, and Bascove as represented in the sworn financial statements provided to the Commssion and dated December 17, 2003 December 20, 2003, arid September 10, 2004, any amendments thereto submitted to the Commission through the date of this Order, and any sworn testimony regarding assets given by any Florida Defendant though the date of this Order, which include material infonnation upon which the Commssion relied in negotiating and consenting to this Final Order. Sun Spectrum, NACO, WWCI, Martell, and Bascove state that those financial statements, any amendments thereto, and any sworn testimony regarding assets are complete and accurate representations of their financial conditions as of the date of this Order. The pares stipulate that the Commssion agreement to suspend the remainder of the $9 066,434 judgment is expressly conditioned on the truthfulness, accuracy, and completeness of the Florida Defendants' sworn financial statements, any amendments thereto, and any sworn testimony regarding their assets. The paries further stipulate that the COrnssion would not have agreed to suspend the remainder of the judgment if it had been aware that any such financial disclosure was not trthful, accurate, or complete. If, upon motion by the Commssion , this Court should find that Sun Spectrum, NACO, WWCI, Maren, or Bascove made a significant misrepresentation or omitted significant infonnation concerning their respective financial conditions, then the Court shan enter a modified judgment holding that any such defendant is liable to the Commission in the amount of $9,066,434, which Sun Spectrum, NACO , WWCI, Maren, Bascove, and the Commssion stipulate, for the sole purpose of enforcement of this provision of the Order, is the amount of consumer injury caused by the Florida Defendants. This amount, less the sum of payments made by any Defendant to the Commssion, shall become immediately due and payable by any such Florida Defendant, and interest computed at the rate prescribed under 28 U. c. 9 1961, as amended, shaH immediately begin to accrue on the unpaid balance.\n\nSun Spectrum, NACO, WWCI, Martell, and Bascove agree that the facts as this action shan be taken as true for the purpose of any alleged in the Complaint fied in subsequent litigation filed by the Commssion to enforce its rights pursuant to this Order, , a nondischargeability complaint filed in any bankrptcy proceeding. including, but not Jimited to", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Consumer Redress" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "IX", "title": "Lifting of Asset Freeze", "category": "affirmative_obligation", "summary": "The asset freeze against all Defendants is lifted solely for the purpose of transferring funds to the FTC pursuant to the judgment paragraphs, and is dissolved upon transfer of all such funds.", "verbatim_text": "that the freeze against the assets of Quebec, Inc., Mitchel IT IS FURTHER ORDERED Kastner, Corber, Jason Kastner, Sun Spectrum, NACO, WWCI, Marten, and Bascove, pursuant to Section IV of the Stipulated Preliminar Injunction entered by this Court on Februar 5, 2004 shaH be lifted for the sole purpose of pursuant to Paragraphs V and transferrng funds to the FTC VI ofthis Final Order, and thereafter dissolved upon transfer of all such funds.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Consumer Redress" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "X", "title": "Transfer of Customer Lists", "category": "prohibition", "summary": "Defendants are permanently restrained from selling, renting, leasing, transferring, or disclosing identifying information of any person who paid money to any Defendant for any credit-related product, program, or service.", "verbatim_text": "IT IS that the Defendants are hereby pennanently restrained FUTHER ORDERED and enjoined from selling, renting, leasing, transferrng, disclosing the name or otherwise address, telephone number, credit card number, bank account number, e-mail address, or other identifying infonnation of any person who paid any money to any Defendant for any credit­ that related product, program, or service at any time prior to entry of this Order; provided Defendants may disclose such identifying infoI1ation to a law enforcement agency or as required by any law, regulation, or court order or to any contractor or vendor of the Defendants for the purposes of biling Defendants ' own charges only.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "XI", "title": "Acknowledgment of Receipt of Order by Defendants", "category": "acknowledgment", "summary": "All Defendants must submit a sworn statement to the Commission acknowledging receipt of the Order within five business days of receipt.", "verbatim_text": "IT IS FURTHER ORDERED that within five (5) business days of receipt of this Order as entered by the Cour, Quebec, Inc., Mitchel Kastner, Corber, Jason Kastner, Sun Spectrm, NACO, WWCI, Marell, and Bascove each must submit to the Commission a truthful sworn statement acknowledging receipt of this Order.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing", "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "XII", "title": "Distribution of Order by Defendants", "category": "acknowledgment", "summary": "For five years from entry of the Order, all Defendants must distribute copies of the Order to principals, officers, directors, managers, employees, agents, and representatives, and obtain signed acknowledgments of receipt within 30 days of delivery.", "verbatim_text": "Quebec, Inc., Sun Spectrum NACO, and WWCI: Quebec, Inc., Sun Spectrum, NACO, and WWCI each must deliver a copy of this Order to all of their principals, officers, directors, and managers. Additionally, Quebec, Inc., Sun Spectrm, NACO, and WWCI each must deliver a copy of this Order to a11 of their employees, agents, and representatives having responsibilities with respect to the subject matter of this Order. For CUlTent personnel, Quebec Inc., Sun Spectrum, NACO, and WWCI each must deliver this Order within five (5) days after the date of service of this Order. For new personnel, Quebec , Inc., Sun Spectrm, NACO, and WWCI each must deJiver this Order prior to the date that the new personnel assumes his or her responsibilities.\n\nEntities for which Mitchel Kastner, Corber, Jason Kastner, Martell, or Bascove is a Control Person: For any business or other entity that Mitchel Kastner, Corber Jason Kastner, Marell, or Bascove controls, directly or indirectly, serves as an officer or director or in wilch Mitchel Kastner, Corber, Jason Kastner, Marell, or Bascove has a majority ownership interest, Mitchel Kastner, Corber, Jason Kastner, Martell, or Bascove must deliver a copy of this Order to all principals, officers, directors, and managers of that business or entity. Additionally, Mitchel Kastner, Corber, Jason Kastner, Marell, or Bascove must deliver copies of this Order to all employees, agents. and representatives of any such business or entity who engage in conduct related to the subject matter of this Order. For current personnel, Mitchel Kastner, Corber, Jason Kastner, Marten, and Bascove must deliver this Order within five (5) days after the date of service of this Order. For new personnel, Mitchel Kastner, Corber, Jason Kastner, Marten, and Bascove must deliver this Order prior to the date that the new personnel assumes his or her responsibilities.\n\nEntities for which Mitchel Kastner, Corber, Jason Kastner, Martell, or Bascove is an Employee or Non-Control Person: For any business or other entity that employs or contracts personal services from Mitchel Kastner, Corber, Jason Kastner, Marell, or Bascove and engages in conduct related to the subject matter of this Order, but is not controlled by Mitchel Kastner, Corber, Jason Kastner, MarteJl, or Bascove, Mitchel Kastner, Corber, Jason Kastner, Marell, or Bascove must deliver a copy of this Order to all principals and managers of such business or entity before becoming an employee or contractor.\n\nMitchel Kastner, Corber, Jason Kastner, Quebec, Inc. , Sun Spectrm, NACO, WWCI, Martell , and Bascove must each secure a signed and dated statement acknowledging receipt of the Order, within thirty (30) days of delivery, from each person to whom the defendant is required to deliver a copy of the Order pursuant to this Paragraph.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing", "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "XIII", "title": "Compliance Reporting by Defendants", "category": "compliance_reporting", "summary": "For five years from entry of the Order, Defendants must notify the Commission of changes in residence, employment, and corporate structure, and must file a sworn written compliance report 180 days after entry.", "verbatim_text": "For a period of five (5) years from the date of entry of this (1) Mitchel Kastner, Corber, Jason Kastner, Marell and Bascove shan each notify the Commssion of the foJlowing: (a) Any changes in the defendant s residence, mailng addresses, or telephone numbers, within ten (10) days of the date of such change;\n\n(b) Any changes in the defendant's employment status (including self­ shan include the name employment) within ten (10) days of the date of such change. Such notice and address of each business that the defendant is affiliated with, employed by, creates or forms, or performs services for; a statement of the nature of the business; and a statement of the defendant's duties and responsibilities in connection with the business or employment; or\n\n(c) Any changes in the defendant's name or use of any aliases or fictitious names;\n\n(2) Mitchel Kastner, Corber, Ja.son Kastner, and Quebec, Inc. shan each notify the Commssion of any changes in corporate structure to Quebec, Inc. or any other business entity that Mitchel Kastner, Corber, or Jason Kastner directly or indirectly controls or has an ownership interest in, that may affect compliance obligations arsing under this Order, including but not limited to a dissolution, assignment, sale, merger, or other action that would result in the , or affiiate emergence of a successor entity; the creation or dissolution of a subsidiar, parent bankrptcy petition; or that engages in any acts or practices subject to this Order; the filing of a provided change in the corporate name or address, at least thirty (30) days prior to such change, that, with respect to any proposed change in the entity about which the defendant learns less than , defendant shan notify the thirty (30) days prior to the date such action is to take place Commssion as soon as is practicable after obtaining such knowledge; and\n\nSpectrm, NACO, and WWCI shan each notify the (3) Marten, Bascove, Sun Spectrum, NACO, or WWCI or any Commssion of any changes in corporate strcture to Sun other business entity that Marten or Bascove directly or indirectly control or has an ownership arsing under this Order, including but not interest in, that may affect compliance obligations limited to a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor entity; the creation or dissolution of a subsidiary, parent, or affiliate banptcy petition; or a that engages in any acts or practices subject to this Order; the filing of a provided change in the corporate name or address, at least thirty (30) days prior to such change, lears less than that, with respect to any proposed change in the entity about which the defendant the thirty (30) days prior to the date such action is to take place, defendant shaH notify Commssion as soon as is practicable after obtaining such knowledge.\n\nOne hundred eighty (180) days after the date of entry of this Order Kastner, Corber, Jason Kastner, Quebec, Inc. , Sun Spectrum, NACO, WWCI, Marell, and Bascove shal1 each provide a written report to the FfC, sworn to under penalty of perjury, setting forth in detail the manner and form in which they have complied and are complying with this Order. This report shall incJude, but not be limited to: (1) For Mitchel Kastner, Corber, Jason Kastner , Marell, and Bascove: (a) The then-current residence address, and an mailing addresses and telephone numbers of the defendant; (b) Al1 then-current employment and business addresses and telephone numbers of the defendant, and for each such employer or business: a description of the business activities of that employer or business and the title and responsibilties of the defendant with that employer or business; and (c) Any other changes required to be reponed pursuant to subparagraph A of this Section. (2) For Mitchel Kastner, Corber, Jason Kastner, Quebec, Inc., Sun Spectrum NACO, WWCI, Maren, and Bascove: (a) A copy of each acknowledgment of receipt of this Order, obtained pursuant to Paragraph Xl; and (b) Any other changes required to be reported pursuant to subparagraph A of this Section.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing", "Financial Practices" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "XIV", "title": "Record Keeping Provisions", "category": "recordkeeping", "summary": "For eight years from entry of the Order, all Defendants must create and retain specified business records including accounting records, personnel records, customer files, complaints, marketing materials, and compliance documentation.", "verbatim_text": "that, for a period of eight (8) years from the date of entry IT IS FURTHER ORDERED of this Order, Mitchel Kastner, Corber, Jason Kastner, Quebec, Inc. , Sun Spectrum, NACO, WWCI. Martell, and Bascove and their agents, employees, officers, corporations, successors, and assigns, and those persons in active concert or participation with them who receive actual notice of this Order by personal service or otherwise, are hereby each restrained and enjoined, in connection with any business that Mitchel Kastner, Corber, Jason Kastner, Quebec, Inc., Sun Spectrm, NACO, WWCI, Marell, or Bascove directly or indirectly manages, controls, or has a majority ownership interest in, from failing to create and retain the following records: Accounting records that reflect the cost of goods or services sold, revenues generated, and the disbursement of such revenues;\n\nPersonnel records accurately reflecting: the name, address , and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person s job title or position; the date upon which the person commenced work; and the date and reason for the person s termination, if applicable;\n\nCustomer files containing the names, addresses, phone numbers, donar amounts paid, quantity of items or services purchased, and description of items or services purchased, to the extent such information is obtained in the ordinar course of business;\n\nComplaints and refund requests (whether received directly, indirectly or through any third pary) and any responses to those complaints or requests;\n\nCopies of all sales scripts, training materials, advertsements, or other marketing materials; and\n\nAll records and documents necessary to demonstrate full compliance with each provision of this Order, including but not limited to, copies of acknowledgments of receipt of this Order as required by Paragraph Xl of this Order and all reports submitted to the FTC pursuant to Paragraph xm of this Order.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing", "Financial Practices" ], "remedy_types": [ "Recordkeeping" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "XV", "title": "Authority to Monitor Compliance", "category": "monitoring", "summary": "The Commission is authorized to monitor compliance by all lawful means; Defendants must submit additional reports, produce documents, appear for deposition, and provide access to business locations within ten days of written notice.", "verbatim_text": "Within ten (10) days of receipt of written notice from a representative of the Commssion, Mitchel Kastner, Corber, Jason Kastner, Quebec, Inc. , Sun Spectrum, NACO, WWCI, Maren, and Bascove each shall submit additional written reports, sworn to under the penalty of perjury; produce documents for inspection and copying; appear for depositon; and/or agent of the Commssion with entr during normal business hours provide any representative or to any business location in such defendant s possession or direct or indirect control for inspection of the location and any documents or materials contained therein;\n\nIn addition, the Commssion is authorized to monitor compliance with this Order by all lawful means, including but not limited to the following: obtaining discovery from any person, without further leave of the Court, (1) using the procedures prescribed by Fed. R. Civ. P. 26-37 and 45;\n\n(2) using representatives posing as consumers or suppliers to: Mitchel Kastner, Corber, Jason Kastner, Quebec, Inc. , Sun Spectrum, NACO, WWCI, Maren, or Bascove; employees of Mitchel Kastner, Corber, Jason Kastner, Quebec, Inc., Sun Spectrm, NACO, WWCI, Marell, or Bascove; or any other entity managed or controlled in whole or in par by Mitchel Kastner, Corber, Jason Kastner, Quebec, Inc. , Sun Spectrum, NACO, WWCI, Marell, or Bascove, without the necessity of identification or prior notice; and\n\nMjtehel Kastner, Corber, Jason Kastner, Quebec, Inc., Sun Spectrum, NACO, WWCI, Marell, and Bascove shall permt representatives of the Commssion to interview any employer, consultant, independent contractor, representative, agent, or employee who has agreed to such an interview, relating in any way to any conduct subject to this Order. The person interviewed may have counsel present.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing", "Financial Practices" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "XVI", "title": "Fees and Costs", "category": "acknowledgment", "summary": "Each party to this Order agrees to bear its own costs and attorneys' fees incurred in connection with this action.", "verbatim_text": "that each pary to this Order hereby agrees to bear its own IT IS FURTHER ORDERED costs and attorneys' fees incurred in connection with this action.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing", "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "XVII", "title": "Retention of Jurisdiction and Entry of Judgment", "category": "monitoring", "summary": "This Court retains jurisdiction of this matter to apply for further orders and directives, to enforce compliance, or to punish violations.", "verbatim_text": "that this Court shall retain jurisdiction of this matter for IT IS FURTHER ORDERED the purpose of enabling the pares 10 apply to the Court at any time for such further orders and directives as may be necessar or appropriate for the interpretation or modification ofthis Order, for the enforcement of compliance therewith, or for the punishment of violations thereof.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing", "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "XVIII", "title": "Complete Settlement", "category": "acknowledgment", "summary": "The FTC and Defendants consent to entry of the foregoing Order as a final judgment and full, complete, and final settlement of this action.", "verbatim_text": "and the Defendants, by their respective counsel, hereby consent to entry of the The FTC and foregoing Order which shall constitute a final judgment and order in this matter. The FTC the Defendants further stipulate and agree that the entry of the foregoing Order shall constitute a fun, complete and final settlement of this action.", "violation_type": "both", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing", "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "docket_number": "03-8110-CIV-COHN/SNOW" }, { "provision_number": "I", "title": "Prohibition Against Misrepresentations About Privacy and Security", "category": "prohibition", "summary": "Respondent is prohibited from misrepresenting the extent to which it maintains and protects the privacy, confidentiality, or security of personal information collected from or about consumers.", "verbatim_text": "IT IS ORDERED that respondent and its officers, agents, representatives, and employees, directly or indirectly, or through any corporation, subsidiary, division, website or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, is prohibited from misrepresenting in any manner, expressly or by implication, the extent to which respondent maintains and protects the privacy, confidentiality, or security of any personal information collected from or about consumers.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "10.12_franklin_s_budget_car_sales_also_dba_franklin_toyotascion", "company_name": "Franklin's Budget Car Sales, Inc., also dba Franklin Toyota/Scion", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3094-franklins-budget-car-sales-inc-also-dba-franklin-toyotascion-matter", "docket_number": "C-4371" }, { "provision_number": "II", "title": "Compliance with GLB Act Safeguards Rule and Privacy Rule", "category": "prohibition", "summary": "Respondent must not violate any provision of the GLB Act's Safeguards Rule or Privacy Rule.", "verbatim_text": "IT IS FURTHER ORDERED that respondent and its officers, agents, representatives, and employees, shall not, directly or indirectly, or through any corporation, subsidiary, division, website, or other device, violate any provision of the GLB Act’s Standards for Safeguarding Consumer Information Rule (“Safeguards Rule”), 16 C.F.R. Part 314, or the GLB Act’s Privacy of Consumer Financial Information Rule (“Privacy Rule”), 16 C.F.R. Part 313. In the event that the Safeguards Rule or Privacy Rule is hereafter amended or modified, respondent’s compliance with these Rules as so amended or modified shall not be a violation of this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "10.12_franklin_s_budget_car_sales_also_dba_franklin_toyotascion", "company_name": "Franklin's Budget Car Sales, Inc., also dba Franklin Toyota/Scion", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3094-franklins-budget-car-sales-inc-also-dba-franklin-toyotascion-matter", "docket_number": "C-4371" }, { "provision_number": "III", "title": "Comprehensive Information Security Program", "category": "affirmative_obligation", "summary": "Respondent must establish, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information.", "verbatim_text": "IT IS FURTHER ORDERED that respondent, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. The designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. The identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nC. The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. The evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by sub-part C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "10.12_franklin_s_budget_car_sales_also_dba_franklin_toyotascion", "company_name": "Franklin's Budget Car Sales, Inc., also dba Franklin Toyota/Scion", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3094-franklins-budget-car-sales-inc-also-dba-franklin-toyotascion-matter", "docket_number": "C-4371" }, { "provision_number": "IV", "title": "Third-Party Assessments", "category": "assessment", "summary": "Respondent must obtain initial and biennial assessments from a qualified, objective, independent third-party professional for 20 years after service of the order.", "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with the Safeguards Rule and Part III of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:\n\nA. Set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;\n\nB. Explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. Explain how the safeguards that have been implemented meet or exceed the protections required by the Part III of this order; and\n\nD. Certify that respondent’s information security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial\n\nreporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is\n\nprepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. Unless otherwise directed by a representative of the Commission, initial and biennial", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "10.12_franklin_s_budget_car_sales_also_dba_franklin_toyotascion", "company_name": "Franklin's Budget Car Sales, Inc., also dba Franklin Toyota/Scion", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3094-franklins-budget-car-sales-inc-also-dba-franklin-toyotascion-matter", "docket_number": "C-4371" }, { "provision_number": "V", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Respondent must maintain and make available to the Commission documents relating to compliance with this order.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall maintain and, upon request, make available to the Commission for inspection and copying: A. For a period of five (5) years, a print or electronic copy of each document relating to compliance, including but not limited to documents, prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and\n\nB. For a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent, including, but not limited to, all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to respondent’s compliance with Parts II and III of this order, for the compliance period covered by such Assessment.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "10.12_franklin_s_budget_car_sales_also_dba_franklin_toyotascion", "company_name": "Franklin's Budget Car Sales, Inc., also dba Franklin Toyota/Scion", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3094-franklins-budget-car-sales-inc-also-dba-franklin-toyotascion-matter", "docket_number": "C-4371" }, { "provision_number": "VI", "title": "Order Acknowledgment", "category": "acknowledgment", "summary": "Respondent must deliver copies of the Order to current and future personnel and secure signed acknowledgments of receipt.", "verbatim_text": "IT IS FURTHER ORDERED that for a period of five (5) years from the date of entry of this Order, respondent shall deliver copies of the Order as directed below: A. Respondent must deliver a copy of this Order to (1) all current and future principals, officers, directors, and managers, (2) all current and future employees, agents and representatives who engage in conduct related to the subject matter of the Order, and (3) any business entity resulting from any change in structure set forth in Part VII. For current personnel, delivery shall be within five (5) days of service of this Order. For new personnel, delivery shall occur prior to them assuming their responsibilities. For any business entity resulting from any change in structure set forth in Part VII, delivery shall be at least ten (10) days prior to the change in structure.\n\nB. Respondent must secure a signed and dated statement acknowledging receipt of this Order, within thirty (30) days of delivery, from all persons receiving a copy of the Order pursuant to this section.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "10.12_franklin_s_budget_car_sales_also_dba_franklin_toyotascion", "company_name": "Franklin's Budget Car Sales, Inc., also dba Franklin Toyota/Scion", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3094-franklins-budget-car-sales-inc-also-dba-franklin-toyotascion-matter", "docket_number": "C-4371" }, { "provision_number": "VII", "title": "Notification of Changes Affecting Compliance", "category": "compliance_reporting", "summary": "Respondent must notify the Commission at least 30 days prior to any change that may affect compliance obligations arising under this order.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the Page 5 of 7 proposed filing of a bankruptcy petition; or a change in respondent’s name or address. Provided, however, that, with respect to any proposed change in the entity about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, with the subject line “In re Franklin’s Budget Car Sales, Inc., FTC File Number 1023094.” Provided, however, that, in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of such notices is contemporaneously sent to the Commission at DEBrief@ftc.gov.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "10.12_franklin_s_budget_car_sales_also_dba_franklin_toyotascion", "company_name": "Franklin's Budget Car Sales, Inc., also dba Franklin Toyota/Scion", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3094-franklins-budget-car-sales-inc-also-dba-franklin-toyotascion-matter", "docket_number": "C-4371" }, { "provision_number": "VIII", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Respondent must file initial and periodic compliance reports with the Commission setting forth in detail the manner and form of its compliance with this order.", "verbatim_text": "IT IS FURTHER ORDERED that respondent and its successors and assigns, within sixty (60) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission,\n\norder. Within ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports. Unless otherwise directed by a representative of the Commission, each report required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, with the subject line “In re Franklin’s Budget Car Sales, Inc., FTC File Number 1023094.” Provided, however, that, in lieu of overnight courier, reports may be sent by first-class mail, but only if an electronic version of such reports is contemporaneously sent to the Commission at DEBrief@ftc.gov.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "10.12_franklin_s_budget_car_sales_also_dba_franklin_toyotascion", "company_name": "Franklin's Budget Car Sales, Inc., also dba Franklin Toyota/Scion", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3094-franklins-budget-car-sales-inc-also-dba-franklin-toyotascion-matter", "docket_number": "C-4371" }, { "provision_number": "IX", "title": "Order Duration and Termination", "category": "duration", "summary": "This order will terminate on October 3, 2032, or 20 years from the most recent date that the United States or the FTC files a complaint in federal court alleging any violation of the order, whichever comes later.", "verbatim_text": "This order will terminate on October 3, 2032, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Page 6 of 7 Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "10.12_franklin_s_budget_car_sales_also_dba_franklin_toyotascion", "company_name": "Franklin's Budget Car Sales, Inc., also dba Franklin Toyota/Scion", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3094-franklins-budget-car-sales-inc-also-dba-franklin-toyotascion-matter", "docket_number": "C-4371" }, { "provision_number": "II.A", "title": "Prohibition Against Misrepresentations About Security", "category": "prohibition", "summary": "Defendants are permanently prohibited from making false or misleading representations about the extent to which they protect the security, privacy, confidentiality, or integrity of personal information collected from consumers.", "verbatim_text": "A. Defendants and their agents, servants, and employees and all persons in active concert or participation with any one or more of them, including all Covered Entities, whether acting directly or through any sole proprietorship, partnership, limited liability company, corporation, subsidiary, branch, division, or other entity who receive actual notice of this Order by personal service or otherwise, are hereby permanently restrained and enjoined, in connection with their advertising, marketing, promotion, or offering of any service or product in or affecting commerce, from making any representation, in any manner, expressly or by implication, about the extent to which Defendants maintain and protect the security, privacy, confidentiality, or integrity of any personal information collected from or about consumers, unless the representation is true, and non-misleading.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "docket_number": "1:12-cv-08334" }, { "provision_number": "II.B.2", "title": "Prohibition Against Violating GLB Safeguards Rule", "category": "prohibition", "summary": "Defendants are permanently prohibited from violating the Gramm-Leach-Bliley Act Safeguards Rule, including failing to develop, implement, or maintain a comprehensive written information security program.", "verbatim_text": "2. Violating Title V, Subtitle A of the GLB Act or the Safeguards Rule, including but not limited to, by failing to develop, implement, or maintain a comprehensive written information security program containing reasonable administrative, technical and physical safeguards, including safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information; and", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "docket_number": "1:12-cv-08334" }, { "provision_number": "II.B.3", "title": "Prohibition Against Violating GLB Privacy Rule", "category": "prohibition", "summary": "Defendants are permanently prohibited from violating the Gramm-Leach-Bliley Act Privacy Rule, including failing to provide privacy notices to consumers at the start of the relationship and annually thereafter.", "verbatim_text": "3. Violating Title V, Subtitle A of the GLB Act or the Privacy Rule, including but not limited to, by failing to provide consumers, no later than when a customer relationship arises and annually for the duration of that relationship, a clear and conspicuous notice that accurately reflects its privacy policies and practices, including its security policies and pmctices.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "docket_number": "1:12-cv-08334" }, { "provision_number": "III", "title": "Required Information Security Program", "category": "affirmative_obligation", "summary": "Defendants must establish and maintain a comprehensive written information security program designed to protect the security, confidentiality, and integrity of personal information collected from consumers.", "verbatim_text": "IT IS FURTHER ORDERED that Defendants, for themselves and all Non-Defendant Covered Entities, shall, no later than the date of entry of this Order, establish and implement, and thereafter maintain, a comprehensive information security program that is designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to Defendants' and the Covered Entity's size and complexity, the nature and scope of Defendants' 7 Case: 1:12-cv-08334 Document #: 6 Filed: 10/26/12 Page 8 of 16 PageID #:39 and the Covered Entity's activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. The designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. The identification of material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and the assessment of the sufficiency of any safeguards in place to control the risks. At a minimum, this risk assessment should include consideration of the risks in each relevant area of operations, including but not limited to (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other system failures;\n\nC. The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing and monitoring of the effectiveness of the safeguards' key controls, systems, and procedures;\n\nD. The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information received from Defendants and the Covered Entity, and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. The evaluation and adjustment of the information security program in light of the results of the testing and monitoring required by paragraph C of this Section III, any material changes to operations or business arrangements, or any other circumstances that Defendants or 8 Case: 1:12-cv-08334 Document #: 6 Filed: 10/26/12 Page 9 of 16 PageID #:40 the Covered Entity knows or has reason to know may have a material impact on the effectiveness of the information security program.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "docket_number": "1:12-cv-08334" }, { "provision_number": "IV", "title": "Third-Party Security Assessments", "category": "assessment", "summary": "Defendants must obtain initial and biennial third-party security assessments from qualified professionals for 20 years, certifying that their security program provides reasonable assurance of protection for personal information.", "verbatim_text": "A. In connection with their compliance with Sections II(B)(l), II(B)(2) and III of this Order, Defendants shall obtain initial and biennial assessments and reports (Assessments) for Defendants and any Non-Defendant Covered Entity from a qualified, objective, independent third-party professional who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, DC 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the Order for the initial Assessment; and (2) each two (2) year period thereafter for twenty (20) years after service of the Order for the biennial Assessments. Each Assessment shall:\n\nI. Set forth the specific administrative, technical, and physical safeguards that Defendants or the Covered Entity has implemented and maintained during the reporting period;\n\n2. Explain how such safeguards are appropriate to Defendants' or the Covered Entity's size and complexity, the nature and scope of Defendants' or the Covered 9 Case: 1:12-cv-08334 Document #: 6 Filed: 10/26/12 Page 10 of 16 PageID #:41 Entity's activities, and the sensitivity of the personal information collected from or about consumers;\n\n3. Explain how the safeguards that have been implemented meet or exceed the protections required by Section 628 of the FCRA, the Disposal Rule, the Safeguards Rule, and Section III of this Order; and\n\n4. CertifY that Defendants' or the Covered Entity's security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nB. Each Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Defendants and any Covered Entity\n\nend of the reporting period to which the Assessment applies. Defendants and any Covered Entity shall provide the initial Assessment to the Associate Director of Enforcement, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by Defendants until the Order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request. Unless otherwise dire.cted by a representative of the Commission, initial and biennial Assessments shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580, with the subject line USA v. PLS Financial Services, Inc., FTC File Number 1023172. Provided, however, that, in lieu of overnight courier, Assessments may be sent by first class mail, but only if an electronic version of such Assessments is contemporaneously sent to the Commission at DEBrief@ftc.gov.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "docket_number": "1:12-cv-08334" }, { "provision_number": "V", "title": "Order Acknowledgments", "category": "acknowledgment", "summary": "Defendants must submit acknowledgments of receipt of the Order to the FTC and deliver copies of the Order to relevant personnel and entities, obtaining signed acknowledgments from recipients.", "verbatim_text": "A. Each Defendant, within 7 days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after entry of this Order, each Defendant must deliver a copy of this Order to: (1) all principals, officers, directors, and managers; (2) all employees, agents, and representatives who participate in conduct related to the subject matter of this Order; and (3) any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting. Delivery must occur within 7 days of entry of this Order for current personnel. To all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Defendants delivered a copy of this Order, Defendants must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "docket_number": "1:12-cv-08334" }, { "provision_number": "VI.A", "title": "Annual Compliance Report", "category": "compliance_reporting", "summary": "Defendants must submit a comprehensive annual compliance report one year after entry of the Order, detailing contact information, business activities, and compliance with each section of the Order.", "verbatim_text": "A. One year after entry of this Order, each Defendant must submit a compliance report, sworn under penalty of perjury. Each Defendant must: (a) designate at least one telephone number and an email, physical, and postal address as points of contact, which representatives of the Commission and Plaintiff may use to communicate with Defendant; (b) identifY all of Defendant's businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the 11 Case: 1:12-cv-08334 Document #: 6 Filed: 10/26/12 Page 12 of 16 PageID #:43 products and services offered, and the means of advertising, marketing, and sales, and the involvement of any other Defendant; (d) describe in detail whether and how that Defendant is in compliance with each Section of this Order; and (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission;", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "docket_number": "1:12-cv-08334" }, { "provision_number": "VI.B", "title": "Compliance Notice for Changes", "category": "compliance_reporting", "summary": "Defendants must notify the FTC within 14 days of any changes to designated contact points or structural changes that may affect compliance obligations.", "verbatim_text": "B. For 20 years following entry of this Order, each Defendant must submit a compliance notice, sworn under penalty ofpetjury, within 14 days of any change in (a) any designated point of contact; or (b) the structure of any Defendant or any entity that Defendant has any ownership interest in or directly or indirectly controls that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "docket_number": "1:12-cv-08334" }, { "provision_number": "VI.C", "title": "Bankruptcy Notice", "category": "compliance_reporting", "summary": "Defendants must notify the FTC within 14 days of filing any bankruptcy petition, insolvency proceeding, or similar proceeding.", "verbatim_text": "C. Each Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or any similar proceeding by or against such Defendant within 14 days of its filing.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "docket_number": "1:12-cv-08334" }, { "provision_number": "VII", "title": "Recordkeeping Requirements", "category": "recordkeeping", "summary": "Defendants must create and retain specified records for 20 years after Order entry, including accounting records, personnel records, complaints, compliance documentation, and marketing materials.", "verbatim_text": "IT IS FURTHER ORDERED that Defendants must create certain records for 20 years after entry of the Order, and retain each such record for 5 years. Specifically, Defendants must maintain the following records: A. Accounting records showing the revenues from all goods and services sold, all costs incurred in generating those revenues, and the resulting net profit or loss;\n\nB. Personnel records showing, for each person providing services, whether as an employee or otherwise, that person's: name, addresses, and telephone numbers; job title or position; dates of service; and, if applicable, the reason for termination;\n\nC. Written complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;\n\nD. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Conunission; and\n\nE. A copy of each advertisement or other marketing material.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "docket_number": "1:12-cv-08334" }, { "provision_number": "VIII", "title": "Compliance Monitoring", "category": "monitoring", "summary": "The FTC and Plaintiff are authorized to monitor Defendants' compliance through document requests, depositions, interviews, and other discovery methods, including the ability to communicate directly with Defendants and pose as consumers.", "verbatim_text": "A. Within 14 days of receipt of a written request from a representative of the Commission or Plaintiff, each Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Conunission and Plaintiff are also\n\nand produce documents for inspection and copying. The Conunission and Plaintiff are also 13 Case: 1:12-cv-08334 Document #: 6 Filed: 10/26/12 Page 14 of 16 PageID #:45 authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29,30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.\n\nB. For matters concerning this Order, the Commission and Plaintiff are authorized to communicate directly with each Defendant. Defendants must permit representatives of the Commission and Plaintiff to interview any employee or other person affiliated with any Defendant who has agreed to such an interview. The person interviewed may have counsel present.\n\nC. The Commission and Plaintiff may use all other lawful means, including posing, through their representatives, as consumers, suppliers, or other individuals or entities, to Defendants or any individual or entity affiliated with Defendants, without the necessity of identification or prior notice. Nothing in this Order limits the Commission's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49 and 57b-1.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "docket_number": "1:12-cv-08334" }, { "provision_number": "IX", "title": "Retention of Jurisdiction", "category": "duration", "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Order.", "verbatim_text": "IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.", "violation_type": "both", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "docket_number": "1:12-cv-08334" }, { "provision_number": "I", "title": "GLB Rule Violations – Permanent Injunction", "category": "prohibition", "summary": "Respondent and all persons acting in concert with it are permanently restrained from violating the Privacy Rule (16 C.F.R. Part 313 / 12 C.F.R. Part 1016) and the Safeguards Rule (16 C.F.R. Part 314).", "verbatim_text": "IT IS ORDERED that Respondent, and Respondent’s officers, agents, employees and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, are hereby permanently restrained and enjoined from violating any provision of: A. The Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313, or the Privacy of Consumer Financial Information Rule (Regulation P), 12 C.F.R. Part 1016; or\n\nB. The Standards for Safeguarding Consumer Information Rule, 16 C.F.R. Part 314. In the event that any of the statutory sections or rules identified in this Part are hereafter amended or modified, compliance with that statutory section or rule as so amended or modified shall not be a violation of this Order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security", "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "11.17_taxslayer", "company_name": "TaxSlayer, LLC", "date_issued": "2017-11-15", "year": 2017, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313; the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3063-taxslayer-matter", "docket_number": "C-4626" }, { "provision_number": "II", "title": "Biennial Assessment Requirements", "category": "assessment", "summary": "Respondent must obtain an initial and then biennial third-party assessments of its security safeguards for ten years, covering compliance with the GLB Rules, with each assessment completed within 60 days after its reporting period ends.", "verbatim_text": "IT IS FURTHER ORDERED that Respondent, and its successors and assigns, in connection with their compliance with Section I (A) and (B) of this Order, shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third- party professional, using procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the Order for the initial Assessment, and (2) each two-year period thereafter for ten (10) years after service of this Order for the biennial Assessments. Each Assessment shall:\n\nA. Set forth the specific administrative, technical, and physical safeguards that Respondent has implemented and maintained during the reporting period;\n\nB. Explain how such safeguards are appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the personal information collected from or about consumers;\n\nC. Explain how the safeguards that have been implemented meet or exceed the protections required by Section I (B) of this Order, and\n\nD. Certify that Respondent’s security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.\n\nEach Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. The Assessment must be obtained from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. A professional qualified to prepare such Assessments must be: an individual qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); an individual holding Global Information Assurance Certification (GIAC) from the SANS Institute; or a qualified individual or entity approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nRespondent must submit the initial Assessment to the Commission within 10 days after the\n\nAssessment has been completed. Respondent must retain all subsequent biennial Assessments, at least until the Order terminates. Respondent must submit any biennial Assessments to the Commission within 10 days of a request from a representative of the Commission.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "11.17_taxslayer", "company_name": "TaxSlayer, LLC", "date_issued": "2017-11-15", "year": 2017, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313; the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3063-taxslayer-matter", "docket_number": "C-4626" }, { "provision_number": "III", "title": "Acknowledgments of the Order", "category": "acknowledgment", "summary": "Respondent must acknowledge receipt of the Order, deliver copies to key personnel and future personnel, and obtain signed acknowledgments from all recipients.", "verbatim_text": "A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For 20 years after issuance of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives having managerial responsibilities for the conduct specified in Provisions I through IV; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which a Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "11.17_taxslayer", "company_name": "TaxSlayer, LLC", "date_issued": "2017-11-15", "year": 2017, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313; the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3063-taxslayer-matter", "docket_number": "C-4626" }, { "provision_number": "IV", "title": "Compliance Reports and Notices", "category": "compliance_reporting", "summary": "Respondent must submit a sworn compliance report one year after issuance, provide timely notices of structural changes or bankruptcy, ensure all sworn submissions comply with 28 U.S.C. § 1746, and route all submissions by email or overnight courier.", "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which: 1. Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (b) identify all of the Respondent’s businesses by their names, primary telephone numbers, and primary physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: 1. Respondent must submit notice of any change in: (a) any designated point of contact; or (b) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or 4 dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re TaxSlayer, LLC.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "11.17_taxslayer", "company_name": "TaxSlayer, LLC", "date_issued": "2017-11-15", "year": 2017, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313; the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3063-taxslayer-matter", "docket_number": "C-4626" }, { "provision_number": "V", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Respondent must create specified categories of records for 20 years after the Order's issuance and retain them for at least 5 years, covering financials, personnel, consumer complaints, compliance evidence, privacy representations, and assessment materials.", "verbatim_text": "IT IS FURTHER ORDERED that Respondent must create certain records for 20 years after the issuance date of the Order, and retain such records for 5 years. Specifically, Respondent must create and retain the following records: A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and, if applicable, the reason for termination;\n\nC. Records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;\n\nD. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission;\n\nE. A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, security and confidentiality of Personal Information, including any representation concerning a change in any website or other service controlled by Respondent that relates to the privacy, security and confidentiality of Personal Information;\n\nF. For 5 years from the date of the last dissemination of any representation covered by this Order: 1. All materials that were relied upon in making the representation; and 2. All evidence in Respondent’s possession, custody, or control that contradicts, qualifies, or otherwise calls into question the representation, or the basis relied upon for the representation, including complaints and other communications with consumers or with governmental or consumer protection organizations; and\n\nG. For 5 years from the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "11.17_taxslayer", "company_name": "TaxSlayer, LLC", "date_issued": "2017-11-15", "year": 2017, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313; the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3063-taxslayer-matter", "docket_number": "C-4626" }, { "provision_number": "VI", "title": "Compliance Monitoring", "category": "monitoring", "summary": "The Commission may monitor Respondent's compliance by requesting additional reports and records, interviewing affiliated personnel, and using undercover means, without prior notice.", "verbatim_text": "A. Within 10 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "11.17_taxslayer", "company_name": "TaxSlayer, LLC", "date_issued": "2017-11-15", "year": 2017, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313; the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3063-taxslayer-matter", "docket_number": "C-4626" }, { "provision_number": "VII", "title": "Order Effective Dates and Duration", "category": "duration", "summary": "The Order is effective upon publication on ftc.gov and terminates on October 20, 2037, or 20 years from the most recent federal court complaint alleging any violation, whichever is later, subject to specified exceptions.", "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on October 20, 2037, or 20 years from the most recent date that the United States or the Commission files a complaint (with or without accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: 6 A. Any provision in this Order that terminates in less than 20 years; B. This Order’s application to a Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision.\n\nProvided further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision, as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "11.17_taxslayer", "company_name": "TaxSlayer, LLC", "date_issued": "2017-11-15", "year": 2017, "administration": "Trump (1st)", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313; the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3063-taxslayer-matter", "docket_number": "C-4626" }, { "provision_number": "I", "title": "Bond Requirements for Unsolicited Commercial E-mail", "category": "affirmative_obligation", "summary": "Defendant is permanently enjoined from sending Unsolicited Commercial E-mail unless he first obtains a $1,000,000 performance bond, subject to specific terms regarding duration, surety, notice, and disclosure.", "verbatim_text": "IT IS THEREFORE ORDERED that Defendant Peter W. Stolz, whether acting directly or indirectly through any persons or entities under his control, is hereby permanently enjoined and restrained from engaging in the sending of Unsolicited Commercial E-mail, unless, prior to engaging in such activities, he first obtains a performance bond in the principal sum of $1,000,000 (One Million Dollars) (\"Bond\"). The ternw and conditions of the Bond are as follows: A. The Bond shall be conditioned upon compliance with Section 5(a) of the FTC Act and the provisions of this Order. The Bond shall be deemed continuous and remain in full force and effect as long as Defendant Peter W. Stolz is engaging in the sending of Unsolicited Commercial E-mail. Defendant Peter W. Stolz shall maintain the Bond for a period of three (3) years after he provides notice to the Commission that he has ceased engaging in the sending of Unsolicited Comnlercial E-mail. The Bond shall cite this Order as the subject matter of the Bond, and shall provide surety thereunder against financial loss resulting from whole or partial failure of performance due, in whole or in part, to any violation of Section 5 of the FTC Act or the provisions of this Order, or to any other violation of law;\n\nB. The Bond required pursuant to this Section shall be an insurance agreement providing surety for financial loss issued by a surety company that is admitted to do business in each state in which Defendant Peter W. Stolz, or any entity directly or indirectly under such defendant's control, is doing business and that holds a Federal Certificate of Authority As Acceptable Surety on Federal Bond and Reinsuring. The Bond shall be in favor of both: (1) the Federal Trade Commission for the benefit of any consumer injured as a result of any activities that required obtaining the Bond; and (2) any consumer so injured;\n\nC. The Bond required pursuant to this Section is in addition to, and not in lieu of, any other bonds required by federal, state, or local law;\n\nD. At least ten (1 0) days before commencing any activity that requires obtaining the Bond, Defendant Peter W. Stolz shall provide notice to the Cornmission describing in reasonable detail said activities, and include in such notice a copy of the Bond obtained;\n\nE. Defendant Peter W. Stolz shall not disclose the existence of any performance bond required by this Section to any recipient of Unsolicited Commercial E-mail, without also disclosing clearly and prominently, at the same time \"AS REQUlRED BY ORDER OF THE US,D ISTRICT COURT IN SETTLEMENT OF CHARGES OF FALSE AND MISLEADING REPRESENTATIONS IN THE USAGE OF UNSOLICITED COMMERCIAL E-MAIL.\"", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Consumer Notification" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "II", "title": "Injunction Against Misrepresentations", "category": "prohibition", "summary": "Defendant is permanently enjoined from making any false or misleading express or implied misrepresentation or material omission in connection with Internet-advertised goods/services or residential mortgages, including mortgage terms, lender status, website security, and personal financial information.", "verbatim_text": "1T IS FURTHER ORDERED that, in connection with the advertising, promotion, offering or sale of goods or services in or affecting commerce that are advertised or sold using the Internet (including but not limited to e-mail or websites) or that relate directly or indirectly to residential mortgages, Defendant is hereby permanently restrained and enjoined from making any express or implied misrepresentation or omission of material fact that is false or misleading, in any manner, directly or indirectly, to my consumer or entity, including but not limited to misrepresenting, expressly or by implication: A, the mortgage terms or rates that are in fact available through them; B, that 30 Minute Mortgage Tnc, is a mortgage lender; C. the security measures employed on any website; and D. any information material to a consumer's decision to provide personal financial information.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Prohibition" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "III", "title": "Injunction Against TILA and Regulation Z Violations", "category": "prohibition", "summary": "Defendant is permanently enjoined from violating TILA and/or Regulation Z in connection with any advertisement promoting consumer credit extensions, including advertising inaccurate credit terms, rates, payment rates, or repayment periods.", "verbatim_text": "A, advertising credit terms other than those terms that actually are or will be arranged or offered by the creditor, in violation of Section 226.24(a) of Regulation Z, 12 C.F.R. 8 226.24(a);\n\nB. stating a rate of finance charge without disclosing the accurate \"annual percentage rate,\" and, if the annual percentage rate may be increased after consummation, that fact, in violation of Sections 1441~a)n d 107 of TEA, 1 5 U.S .C. $9 l664(c) & 1606, and Sections 226.24@) and 226.22 of Regulation 2, 12 C.F.R. $5 226.24(b) & 226.22;\n\nC. advertising a payment rate in a transaction where the consumer's payments are based upon a lower interest rate than'the rate at which interest is accruing, without also making all other disclosures requi~edb y Section 226.24@)-4 of the FRB Official Staff Commentary on Regulation 2, 12 C.F.R. tj 226.24e)-4, Supp. 1 (including the rate at which the interest is in fact accruing and the annual percentage rate);\n\nD. stating the period of repayment, but failing to disclose: (1) the terms of repayment and (2) the annual percentage rate, using that tern?, and, if the rate may be increased after consummation, that fact, in violation of Section 144(d) of TILA, 15 U.S.C. 4 1664(d), and Section 226.24(c) ofRegulation Z, 12 C.F.R. $\n\nE. failing to comply in any other respect with TILA andlor Regulation Z.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Prohibition" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "IV", "title": "Injunction Against Violations of Subtitle A of Title V of the GLB Act", "category": "prohibition", "summary": "Defendant is permanently enjoined from violating or assisting others in violating Subtitle A of Title V of the GLB Act or the Privacy Rule, including failing to provide required privacy/opt-out notices, improper disclosure of nonpublic personal information, and prohibited reuse or redisclosure of such information.", "verbatim_text": "A. failing to provide privacy and opt out notices at the time and in the manner 8 required by Sections 502 and 503 of the GLB Act, 15 U.S.C. 5 $ 6802-03, and Sections 3 13.4 to 313.9 of the Privacy Rule, 16 C.F.R. $8 3 13.4-9;\n\nB. disclosing to any nonaffiliated third party any nonpublic personal information about a consumer in a manner that violates Section 502 of the GLB Act, 15 U.S.C. 3 6802, or Section 313.10 of the Privacy Rule, 16 C.F.R. $ 313.10; or\n\nC. reusing or redisclosing nonpublic personal information received from a nonaffiliated financial institution in a manner that is prohibited by Section 502(c) of the GLB Act, 15 U.S.C. $ 6802(c), or Section 3 13.1 1 of the Privacy Rule, 16 C.F.R. 5 313.11.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "V", "title": "Injunction Against Violations of Subtitle B of Title V of the GLB Act", "category": "prohibition", "summary": "Defendant is permanently enjoined from violating or assisting others in violating Subtitle B of Title V of the GLB Act, including obtaining or attempting to obtain customer information of a financial institution through false, fictitious, or fraudulent statements.", "verbatim_text": "IT IS FURTHER ORDERED that Defendant is hereby permanently restrained and enjoined from violating, or assisting others in violating, any part of Subtitle B of Title V of the GLB Act, including but not limited to obtaining or attempting to obtain \"customer information of a financial institution\" (including but not limited to monthly mortgage payment amounts and account'asset types and balances) by making false, fictitious, or fraudulent statements or representations to consumers or financial institutions.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Prohibition" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "VI", "title": "Compliance Monitoring", "category": "monitoring", "summary": "The FTC is authorized to monitor Defendant's compliance through written reports, document production, depositions, business inspections, discovery, undercover posing as consumers or suppliers, and interviews of personnel.", "verbatim_text": "A. within fifteen (15 ) days of receipt of written notice from a representative of the Commission, Defendant Peter W. Stolz shall submit written reports in addition to those required by Section VII, sworn to under penalty of perjury; produce 9 documents for inspection and copying; appear for deposition; andlor provide entry during normal business hours to my business location in his possession or direct or indirect controI to inspect the business operation, provided that the Commission shall return any materials removed fiarn any business location pursuant to this Subsection within ten (10) business days of removing such materials for inventory and copying, and that Defendant Peter W. Stolz, after attempting to resolve a diSpute without court action and for good cause shown, may file a motion with this Court seeking an order including one or more of the protections set forth in Fed. R. Civ. P. 26(c);\n\nB, in addition, the Commission is authorized to monitor compliance with this Order by all other lawful means, including but not limited to the following: 1, obtaining discovery from any person, without further leave of court, using the procedures prescribed by Fed. R. Civ. P. 30, 3 1, 33,34,36, and 45; 2. posing as consumers and suppliers to: Defendant Peter W. Stolz, Defendant Peter W. Stolz's employees, or any other entity managed or controlled in whole or in part by Defendant Peter W. Stolz, without the necessity of identification or prior notice;\n\nC. Defendant Peter W. Slolz shall permit representatives of the Commission to interview any employer, consultant, independent contractor, representative, agent, or enlployee who has agreed to such an interview, relating in any way to any conduct subject to this Order. The person interviewed may have counsel present.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "VII", "title": "Compliance Reporting by Defendant", "category": "compliance_reporting", "summary": "For five years, Defendant must notify the Commission of changes in residence, employment, name, and corporate structure; and must submit a sworn written compliance report 180 days after entry of the Order.", "verbatim_text": "A. for a period of five (5) years from the date of entry of this Order, 1. Defendant Peter W. Stolz shall notify the Commission of the following: a. any changes in his residence, mailing addresses, and telephone numbers, within ten (10) days of the date of such change; b. any changes in his employment status (including self-employment) within ten (10) days of the date of such change. Such notice shall include the name and address of each business that he is affiliated with, employed by, or perfoms services for; a statement of the nature of the business; and a statement of his duties and responsibilities in connection with the business;\n\nc. any changes in his name or use of any aliases or fictitious names; and\n\n2. Defendant Peter W. Stolz shall notify the Commission of any changes in corporate structure that may affect compliance obligations arising under this Order, including but not limited to a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order; the filing of a bankruptcy petition; or a change in the corporate name or address, at least thirty (30) days prior to such change, provided that, with respect to any proposed change in the corporation about which he learns less than thirty (30) days prior to the date such action is to take place, he shall notify the Commission as soon as is practicable after obtaining such knowledge.\n\nB. One hundred eighty (180) days after the date of entry of this Order, Defendant Peter W. Stolz shall provide a written report to the FTC, sworn to under penalty of perjury, setting forth in detail the manner and form in which he has complied and is complying with this Order. This report shall include, but not be limited to: 1. any changes required to be reported pursuant to Subsection A above; 2. a copy of each acknowledgment of receipt of this Order obtained by Defendant pursuant to Section K; and 3. a copy of any performance bond obtained by Defendant pursuant to Section I.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "VIII", "title": "Record Keeping Provisions", "category": "recordkeeping", "summary": "For eight years from entry of the Order, Defendant must create and retain accounting records, personnel records, customer files, complaints/refund requests, and all sales/marketing materials for any qualifying business he owns or controls.", "verbatim_text": "A. Ac.counting records that reflect the cost of goods or services sold, revenues generated, and the disbursement of such revenues;\n\nB. Personnel records accurately reflecting: the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person's job title or position; the date upon which the person conmlenced work; and the date and reason for the person's termination, if applicable;\n\nC. Customer files containing the names, addresses, phone numbers, dollar amounts paid, quantity of items or services purchased, and description of items or services purchased, to the extent such information is obtained in the ordinary course of business;\n\nD. Complaints and refund requests (whether received directly, indirectly or through any third party) and any responses to those complaints or requests; and\n\nE. Copies of all sales scripts, training materials, advertisements, or other marketing materials.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Recordkeeping" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "IX", "title": "Distribution of Order by Defendant", "category": "acknowledgment", "summary": "For five years, Defendant must deliver a copy of this Order to relevant employees, principals, officers, directors, and managers of qualifying businesses and obtain signed, dated acknowledgments of receipt within 30 days.", "verbatim_text": "IT IS FURTHER ORDERED that, for a period of five (5) years fi-om the date of entry of this Order, Defendant Peter W. Stolz shall deliver a copy of this Order to the employees (with responsibilities with respect to the subject matter of this Order), principals, officers, directors, and managers under Defendant Peter W. Stolz's control for any business that (a) employs or contracts for personal services from Defendant Peter W. Stolz and (b) engages in (1) the marketing, advertising, promotion, or offering of residential mortgages or services related to residential mortgages or (2) the marketing, advertising, promotion, or sending of Unsolicited Commercial E-mail. Defendant Peter W. Stolz shall secure from each such person a signed and\n\nCommercial E-mail. Defendant Peter W. Stolz shall secure from each such person a signed and dated statement acknowledging receipt of the Order within thirty (30) days after the date of service of the Order or the commencement of the employment relationship. Defendant Peter W. Stolz shall maintain signed and dated acknowledgments ofthe receipt of copies of this Order, as required by this Section, until eight (8) years after the date of entry of this Order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "X", "title": "Acknowledgment of Receipt of Order by Defendant", "category": "acknowledgment", "summary": "Defendant must submit a sworn statement to the Commission acknowledging receipt of this Order within five business days of receiving it.", "verbatim_text": "IT IS FURTHER ORDERED that Defendant Peter W. Stolz, within five (5) business days of receipt of this Order as entered by the Court, shall submit to the Commission a truthful sworn statement acknowledging receipt of this Order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "XI", "title": "Retention of Jurisdiction", "category": "duration", "summary": "The Court retains jurisdiction over this matter for purposes of construction, modification, and enforcement of the Order.", "verbatim_text": "IT IS FURTHER ORDERED that this Court shall retain jurisdiction of this matter for purposes of construction, modification and enforcement of this Order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "XII", "title": "Monitoring Compliance of Sales Personnel", "category": "monitoring", "summary": "Defendant is permanently enjoined from failing to take reasonable steps to monitor sales personnel compliance, failing to investigate consumer complaints, and failing to take corrective action against non-compliant salespersons.", "verbatim_text": "A. Failing to take reasonable steps sufficient to monitor and ensure that all employees and independent contractors engaged in sales or other customer service functions (\"salespersons\") comply with Sections I, 11,111, W, and V of this Order. Such steps shall include adequate monitoring of sales presentations or other calls with customers, and shall also include, at a minimum, the following: (I) listening to the oral representations made by salespersons; (2) establishing a procedure for receiving and responding to consumer complaints; and (3) ascertaining the number and nature of consumer complaints regarding transactions in which each salesperson is involved;\n\nB. Failing promptly to investigate fully any consumer conlplaint received by any business to which this Section applies; and\n\nC. Failing to take corrective action with respect to any salesperson whom Defendant Peter W. Stolz determines is not complying with this Order, which may include training, disciplining, andlor terminating such salesperson.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "XIII", "title": "Prohibitions Involving Consumer Lists", "category": "prohibition", "summary": "Defendant is permanently enjoined from selling, renting, transferring, or otherwise disclosing personal identifying information of any person who submitted information to 30 Minute Mortgage Inc., and from benefiting from or using such information obtained as a result of the activities alleged in the complaint.", "verbatim_text": "A. Selling, renting, leasing, transferring, or otherwise disclosing the name, address, telephone number, credit card number, bank account number, e-mail address, or other identifying information of any person who submitted such information to 30 Minute Mortgage Inc. at any time prior to entry of this Order, in connection with the advertising, promotion, telemarketing, offering for sale, or sale of any product or service in or affecting commerce; and\n\nB. Benefiting from or using the name, address, telephone number, credit card number, bank account number, e-mail address, or other identifying or financial information of any person who submitted such infomation to Defendant, Defendant Gregory P. Roth, or 30 Minute Mortgage Inc. as a result of, derived fhm, or othenvise related to the activities alleged in the Commission's complaint.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "XIV", "title": "Fees and Costs", "category": "acknowledgment", "summary": "Each party agrees to bear its own costs and attorneys' fees incurred in connection with this action.", "verbatim_text": "IT IS FURTHER ORDERED that each party to this Order hereby agrees to bear its own costs and attorneys' fees incurred in connection with this action.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "XV", "title": "Entry of This Judgment", "category": "duration", "summary": "The Court orders immediate entry of this judgment by the Clerk, finding no just reason for delay.", "verbatim_text": "IT IS FURTHER 0RI)ERED that, as there is no just reason for delay of entry of this judgment, pursuant to Fed. R. Civ. P. 54(b), the Clerk shall enter this Order immediately.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "remedy_types": [ "Order Administration" ], "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON" }, { "provision_number": "I", "title": "Prohibition Against Misrepresentations About Security and Privacy", "category": "prohibition", "summary": "Respondent must not misrepresent the extent to which consumer personal information submitted through its websites is protected by SSL encryption, or the extent to which respondent maintains and protects the privacy, confidentiality, or security of personal information.", "verbatim_text": "IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, (a) the extent to which personal information submitted by consumers through respondent’s websites is protected by SSL encryption, or (b) the extent to which respondent maintains and protects the privacy, confidentiality, or security of any personal information collected from or about consumers.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "12.05_superior_mortgage", "company_name": "Superior Mortgage Corporation", "date_issued": "2005-12-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3136-superior-mortgage-corp-matter", "docket_number": "C-4153" }, { "provision_number": "II", "title": "Prohibition Against Violating the GLB Safeguards Rule", "category": "prohibition", "summary": "Respondent must not violate any provision of the Gramm-Leach-Bliley Act's Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall not, directly or through any corporation, subsidiary, division, website, or otherdevice,violateanyprovision of the Gramm-Leach-Bliley Act’s (“GLB Act”) Standards for SafeguardingCustomerInformationRule(“Safeguards Rule”), 16 C.F.R. Part 314. 2 In the event the Safeguards Rule is hereafter amended or modified, respondent’s compliance with this Rule as so amended or modified shall not be a violation of this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "12.05_superior_mortgage", "company_name": "Superior Mortgage Corporation", "date_issued": "2005-12-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3136-superior-mortgage-corp-matter", "docket_number": "C-4153" }, { "provision_number": "III", "title": "Third-Party Security Assessments", "category": "assessment", "summary": "Respondent must obtain biennial third-party security assessments from a qualified independent professional within 180 days of service and every two years thereafter for ten years, covering implemented safeguards, their appropriateness, compliance with the Safeguards Rule, and certification of program effectiveness.", "verbatim_text": "IT IS FURTHER ORDERED that, in connection with its compliance with the Safeguards Rule, respondent shall obtain an assessment and report (an “Assessment”) from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession, within one hundred and eighty (180) days after service of the order, and biennially thereafter for ten (10) years after service of the order, that: A. sets forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period; B. explains how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the nonpublic personal information collected from or about consumers; C. explains how such safeguards meet or exceed the protections required by the Safeguards Rule; and D. certifies that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of nonpublic personal information is protected and, for biennial reports, has so operated throughout the reporting period.\n\nEach Assessment shall be prepared by a person qualified as a Certified Information System Security Professional (CISSP); a person qualified as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security Institute (SANS); or by a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nRespondent shall provide the first Assessment, as well as all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, whether prepared by or on behalf of respondent, relied upon to prepare such Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. Respondent shall retain all subsequent biennial Assessments until the order is terminated and shall retain all materials relied upon in preparing each such Assessment, as listed above, for a period of three (3) years after the date of preparation of such Assessment. Respondent shall provide such subsequent Assessments and related materials to the Associate Director of Enforcement within ten (10) days of request.\n\n20580, within ten (10) days after the Assessment has been prepared. Respondent shall retain all subsequent biennial Assessments until the order is terminated and shall retain all materials relied upon in preparing each such Assessment, as listed above, for a period of three (3) years after the date of preparation of such Assessment. Respondent shall provide such subsequent Assessments and related materials to the Associate Director of Enforcement within ten (10) days of request.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "12.05_superior_mortgage", "company_name": "Superior Mortgage Corporation", "date_issued": "2005-12-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3136-superior-mortgage-corp-matter", "docket_number": "C-4153" }, { "provision_number": "IV", "title": "Order Acknowledgment and Delivery", "category": "acknowledgment", "summary": "Respondent must deliver a copy of this order to all current and future principals, officers, directors, managers, and employees with supervisory responsibilities, within 30 days of service for current personnel and within 30 days of assuming a position for future personnel.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having supervisory responsibilities with respect to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after the date of service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.\n\nsubject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after the date of service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "12.05_superior_mortgage", "company_name": "Superior Mortgage Corporation", "date_issued": "2005-12-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3136-superior-mortgage-corp-matter", "docket_number": "C-4153" }, { "provision_number": "V", "title": "Notification of Corporate Changes", "category": "compliance_reporting", "summary": "Respondent must notify the FTC at least 30 days before any corporate change that may affect compliance obligations under this order, including dissolution, merger, bankruptcy, or name/address changes; if notice is not possible 30 days in advance, notification must be as soon as practicable.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "12.05_superior_mortgage", "company_name": "Superior Mortgage Corporation", "date_issued": "2005-12-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3136-superior-mortgage-corp-matter", "docket_number": "C-4153" }, { "provision_number": "VI", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Respondent must file a written compliance report with the FTC within 180 days of service and at such other times as the FTC may require, including a copy of the initial biennial Assessment.", "verbatim_text": "IT IS FURTHER ORDERED that respondent shall within one hundred eighty (180) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which it has complied with this order. This report shall include a copy of the initial biennial Assessment required by Part III of this order.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "12.05_superior_mortgage", "company_name": "Superior Mortgage Corporation", "date_issued": "2005-12-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3136-superior-mortgage-corp-matter", "docket_number": "C-4153" }, { "provision_number": "VII", "title": "Order Duration and Termination", "category": "duration", "summary": "The order terminates on December 14, 2025, or twenty years from the most recent date a complaint alleging a violation of the order is filed in federal court, whichever is later, subject to specified exceptions.", "verbatim_text": "This order will terminate on December 14, 2025, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: 4 A. Any Part in this order that terminates in less than twenty (20) years; B. This order’s application to any respondent that is not named as a defendant in such complaint; and C. This order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that the respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "both", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "12.05_superior_mortgage", "company_name": "Superior Mortgage Corporation", "date_issued": "2005-12-15", "year": 2005, "administration": "G.W. Bush", "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3136-superior-mortgage-corp-matter", "docket_number": "C-4153" }, { "provision_number": "I", "title": "Prohibition Against Misrepresentations About Privacy and Security", "category": "prohibition", "summary": "Respondents must not misrepresent, in any manner, the extent to which they maintain and protect the privacy, confidentiality, or security of consumers' personal information.", "verbatim_text": "IT IS ORDERED that respondents, and their officers, agents, representatives, and employees, shall not directly or through any corporation, subsidiary, division, website, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, misrepresent in any manner, expressly or by implication, the extent to which respondents maintain and protect the privacy, confidentiality, or security of any personal information collected from or about consumers.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy", "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809; and the Privacy of Consumer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313, issued pursuant to the Gramm-Leach-Bliley Act", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "docket_number": "C-4241" }, { "provision_number": "II", "title": "Comprehensive Information Security Program", "category": "affirmative_obligation", "summary": "Respondents must establish, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to the size, complexity, and sensitivity of personal information handled.", "verbatim_text": "IT IS FURTHER ORDERED that respondents, and their officers, agents, representatives, and employees, directly or through any corporation, subsidiary, division, website, or other device, no later than the date of service of this order, shall establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of consumers’ personal information. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent PCL’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers, including:\n\nA. the designation of an employee or employees to coordinate and be accountable for the information security program;\n\nB. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to, (1) employee training and management, (2) information systems, including network and software design, information processing, storage, transmission, and disposal, and (3) prevention, detection, and response to attacks, intrusions, or other systems failure;\n\nC. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;\n\nD. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondents and requiring service providers by contract to implement and maintain appropriate safeguards; and\n\nE. the evaluation and adjustment of respondents’ information security program in Page 3 of 7 light of the results of the testing and monitoring required by subpart C, any material changes to respondents’ operations or business arrangements, or any other circumstances that respondents know or have reason to know may have a material impact on the effectiveness of their information security program.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809; and the Privacy of Consumer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313, issued pursuant to the Gramm-Leach-Bliley Act", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "docket_number": "C-4241" }, { "provision_number": "III", "title": "Compliance with Safeguards Rule and Privacy Rule", "category": "prohibition", "summary": "Respondents must not violate any provision of the FTC Safeguards Rule (16 C.F.R. Part 314) or the Privacy Rule (16 C.F.R. Part 313); compliance with future amendments to those rules will not constitute a violation of this order.", "verbatim_text": "IT IS FURTHER ORDERED that respondents, and their officers, agents, representatives, and employees, shall not, directly or through any corporation, subsidiary, division, website, or other device, violate any provision of: A. the Safeguards Rule, 16 C.F.R. Part 314; or\n\nIT IS FURTHER ORDERED that respondents, and their officers, agents, representatives, and employees, shall not, directly or through any corporation, subsidiary, division, website, or other device, violate any provision of: A. the Safeguards Rule, 16 C.F.R. Part 314; or B. the Privacy Rule, 16 C.F.R. Part 313.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security", "Privacy" ], "remedy_types": [ "Prohibition" ], "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809; and the Privacy of Consumer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313, issued pursuant to the Gramm-Leach-Bliley Act", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "docket_number": "C-4241" }, { "provision_number": "IV", "title": "Third-Party Security Assessments", "category": "assessment", "summary": "Respondents must obtain initial and biennial independent third-party assessments of their information security program covering the first 180 days and each two-year period thereafter for 20 years, with each assessment prepared by a qualified security professional and submitted or retained according to specified timelines.", "verbatim_text": "shall obtain initial and biennial assessments and reports (\"Assessments\") from a qualified, objective, independent third-party professional using procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (A) the first one hundred and eighty (180) days after service of the order for the initial Assessment; and (B) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall: A. set forth the specific administrative, technical, and physical safeguards that respondent PCL has implemented and maintained during the reporting period; B. explain how such safeguards are appropriate to respondent PCL’s size and complexity, the nature and scope of respondent PCL’s activities, and the sensitivity of the personal information collected from or about consumers; C. explain how the safeguards that have been implemented meet or exceed the protections required by the Safeguards Rule; and D. certify that respondent PCL’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and, for biennial reports, has so operated throughout the reporting period. Each Assessment shall be prepared and completed within sixty (60) days after the end of the Page 4 of 7 reporting period to which the Assessment applies by: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\naccepted in the profession. The reporting period for the Assessments shall cover: (A) the first one hundred and eighty (180) days after service of the order for the initial Assessment; and (B) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall: A. set forth the specific administrative, technical, and physical safeguards that respondent PCL has implemented and maintained during the reporting period; B. explain how such safeguards are appropriate to respondent PCL’s size and complexity, the nature and scope of respondent PCL’s activities, and the sensitivity of the personal information collected from or about consumers; C. explain how the safeguards that have been implemented meet or exceed the protections required by the Safeguards Rule; and D. certify that respondent PCL’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and, for biennial reports, has so operated throughout the reporting period. Each Assessment shall be prepared and completed within sixty (60) days after the end of the Page 4 of 7 reporting period to which the Assessment applies by: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.\n\nRespondents shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) business days after the Assessment has been prepared. All subsequent biennial\n\nten (10) business days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondents until three years after completion of the final Assessment and provided to the Associate Director of Enforcement upon request within ten (10) business days after respondents receives such request.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809; and the Privacy of Consumer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313, issued pursuant to the Gramm-Leach-Bliley Act", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "docket_number": "C-4241" }, { "provision_number": "V", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Respondents must maintain and make available to the FTC compliance-related documents for specified periods: five years for most compliance records and consumer complaints, and three years for materials used to prepare each security assessment.", "verbatim_text": "A. for a period of five (5) years: 1. any documents, whether prepared by or on behalf of either respondent, that contradict, qualify, or call into question respondents’ compliance with this order;\n\n2. consumer complaints (whether received in written or electronic form, directly, indirectly or through any third party), and any responses to those complaints, whether in written or electronic form, that relate to respondents’ activities as alleged in the draft Complaint and respondents’ compliance with the provisions of this order;\n\n3. copies of all subpoenas and other communications with law enforcement entities or personnel, whether in written or electronic form, if such documents bear in any respect on respondents’ collection, maintenance, or furnishing of consumer reports or other personal information of consumers; and\n\n4. all records and documents necessary to demonstrate full compliance with each provision of this order; and\n\nB. for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of either respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to Page 5 of 7 respondents’ compliance with Parts II and III.A. of this order, for the compliance period covered by such Assessment. Respondents shall provide such documents to the Associate Director of Enforcement within ten (10) days of request.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809; and the Privacy of Consumer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313, issued pursuant to the Gramm-Leach-Bliley Act", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "docket_number": "C-4241" }, { "provision_number": "VI", "title": "Order Acknowledgment and Delivery", "category": "acknowledgment", "summary": "Respondents must deliver a copy of this order to all current and future principals, officers, directors, managers, employees, agents, and representatives with relevant responsibilities — current personnel within 30 days of service, future personnel within 30 days of assuming their role.", "verbatim_text": "IT IS FURTHER ORDERED that respondents shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondents shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person\n\nthis order. Respondents shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809; and the Privacy of Consumer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313, issued pursuant to the Gramm-Leach-Bliley Act", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "docket_number": "C-4241" }, { "provision_number": "VII", "title": "Employment Notification — Respondent Stiles", "category": "compliance_reporting", "summary": "Respondent Stiles must notify the FTC within the required period of any discontinuance of her current business or employment, or any new affiliation with a business providing financial products or services, for a period of ten years.", "verbatim_text": "IT IS FURTHER ORDERED that respondent Stiles, for a period of ten (10) years after the date of issuance of the order, shall notify the Commission of the discontinuance of her current business or employment or of her affiliation with any new business or employment that provides financial products or services. The notice shall include respondent Stiles’ new business address and telephone number and a description of the nature of the business or employment and her duties or responsibilities. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809; and the Privacy of Consumer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313, issued pursuant to the Gramm-Leach-Bliley Act", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "docket_number": "C-4241" }, { "provision_number": "VIII", "title": "Corporate Change Notification", "category": "compliance_reporting", "summary": "Respondents must notify the FTC at least 30 days prior to any corporate change that may affect compliance obligations under this order, such as dissolution, merger, sale, bankruptcy filing, or change of name or address.", "verbatim_text": "IT IS FURTHER ORDERED that respondents shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondents learn fewer than thirty (30) days prior to the date such action is to take place, respondents shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809; and the Privacy of Consumer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313, issued pursuant to the Gramm-Leach-Bliley Act", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "docket_number": "C-4241" }, { "provision_number": "IX", "title": "Compliance Reporting", "category": "compliance_reporting", "summary": "Respondents must file a written compliance report with the FTC within 180 days after service of the order, and at such other times as the Commission may require.", "verbatim_text": "IT IS FURTHER ORDERED that respondents shall, within one hundred and eighty (180) days after service of this order, and at such other times as the Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which they have complied with this order.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809; and the Privacy of Consumer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313, issued pursuant to the Gramm-Leach-Bliley Act", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "docket_number": "C-4241" }, { "provision_number": "X", "title": "Order Duration", "category": "duration", "summary": "The order terminates on December 10, 2028, or twenty years from the most recent date the FTC or U.S. files a federal court complaint alleging a violation, whichever is later, subject to specified exceptions.", "verbatim_text": "This order will terminate on December 10, 2028, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order’s application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part. Provided, further, that if such complaint is dismissed or a federal court rules that respondent(s) did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent(s) will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "administration": "G.W. Bush", "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809; and the Privacy of Consumer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313, issued pursuant to the Gramm-Leach-Bliley Act", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "docket_number": "C-4241" }, { "provision_number": "I", "title": "GLB Rule Violations", "category": "prohibition", "summary": "Respondent and all persons acting in concert with it must not violate any provision of the Standards for Safeguarding Consumer Information Rule (16 C.F.R. Part 314).", "verbatim_text": "IT IS ORDERED that Respondent, and Respondent’s officers, agents, employees and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not violate any provision of the Standards for Safeguarding Consumer Information Rule, 16 C.F.R. Part 314, a copy of which is attached hereto as Exhibit A.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Prohibition" ], "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "legal_authority": "Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (GLB) Act, 15 U.S.C. § 6801 et seq.; violations enforced through the Federal Trade Commission Act, 15 U.S.C. § 6805(a)(7)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "docket_number": "C-4758" }, { "provision_number": "II", "title": "Mandated Data Security Program", "category": "affirmative_obligation", "summary": "Each Covered Business must establish, implement, and maintain a comprehensive data security program protecting Covered Information, meeting numerous specific minimum requirements.", "verbatim_text": "IT IS FURTHER ORDERED that each Covered Business must not transfer, sell, share, collect, maintain, or store Covered Information unless it establishes and implements, and thereafter maintains, a comprehensive data security program (“Data Security Program”) that protects the security of such Covered Information. To satisfy this requirement, each Covered Business must, at a minimum:\n\nA. Document in writing the content, implementation, and maintenance of the Data Security Program;\n\nB. Provide the written program and any evaluations thereof or updates thereto to its board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer responsible for its Data Security Program at least once every twelve (12) months and promptly after a Covered Incident;\n\nC. Designate a qualified employee or employees to coordinate and be responsible for the Data Security Program;\n\nD. Assess and document, at least once every twelve (12) months and promptly following a Covered Incident, internal and external risks to the security of Covered Information that could result in the unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of such information. Each such assessment must evaluate risks in each area of relevant operation, including: (1) employee training and management; (2) information systems, such as network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;\n\nE. Design, implement, maintain, and document safeguards that control the internal and external risks identified in response to sub-Provision II.D. Each safeguard must be based on the volume and sensitivity of the Covered Information at risk, and the likelihood that the risk could be realized and result in the unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of such information. Each Covered Business’s safeguards must also include:\n\n1. Require each Vendor to: 3 a. Before the Covered Business provides access to Covered Information: i. Provide documentation of its information security policies and practices related to protecting any Covered Information that may be obtained from the Covered Business; ii. Describe in writing how and where the Covered Information will be maintained and what safeguards are in place or will be implemented to protect it;\n\nb. Update in writing the information required by sub-Provision II.E.1.a when there is a material change or at least once every twelve (12) months; and\n\nc. Implement measures to assess the cybersecurity risk to Covered Information obtained from the Covered Business that is stored on the Vendor’s networks, if any, and if any is stored, provide documentation to the Covered Business of the scope of the measures and their results, including, at least once every twelve (12) months and promptly after a Covered Incident: (i) vulnerability scanning; and (ii) penetration testing;\n\n2. Maintain all documentation provided by each Vendor pursuant to sub-Provision II.E.1 for a period of five (5) years from when it was provided; and\n\n3. At least once every twelve (12) months, and promptly following a Covered Incident involving a Vendor, conduct written assessments of each Vendor to determine the continued adequacy of their safeguards to control the internal and external risks to the security of Covered Information. The level of the assessment for each Vendor should be commensurate with the risk it poses to the security of Covered Information.\n\n4. Provided, however, that sub-Provisions II.E.1-3 are not required of any Covered Business for a Vendor that receives, maintains, processes, or otherwise is permitted access to only names and/or property addresses, and to no other Covered Information, from, by, or at the direction of the Covered Business.\n\nF. Assess, at least once every twelve (12) months and promptly following a Covered Incident, the sufficiency of any safeguards in place to address the risks to the security of Covered Information, and modify the Data Security Program based on the results;\n\nG. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months, and promptly following a Covered Incident, and modify the Data Security Program based on the results;\n\nH. Select and retain Vendors capable of safeguarding Covered Information they access through or receive from Covered Businesses, and contractually require Vendors to implement and maintain safeguards for Covered Information; and\n\nI. Evaluate and adjust the Data Security Program in light of any changes to its operations or business arrangements, a Covered Incident, or any other circumstances that each Covered Business knows or has reason to know may have an impact on the effectiveness of the Data Security Program. At a minimum, each Covered Business must evaluate the Data Security Program at least once every twelve (12) months and modify the Data Security Program based on the results.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Comprehensive Security Program" ], "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "legal_authority": "Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (GLB) Act, 15 U.S.C. § 6801 et seq.; violations enforced through the Federal Trade Commission Act, 15 U.S.C. § 6805(a)(7)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "docket_number": "C-4758" }, { "provision_number": "III", "title": "Data Security Assessments by a Third Party", "category": "assessment", "summary": "Respondent must obtain initial and biennial third-party assessments of each Covered Business's Data Security Program from a qualified, independent assessor, with specific reporting and submission requirements.", "verbatim_text": "A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Data Security Program; and (3) retains all documents relevant to each Assessment for five (5) years after completion of such Assessment and will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney client privilege, statutory exemption, or any similar claim.\n\nB. For each Assessment, Respondent must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name and affiliation of the person selected to conduct the Assessment, which the Associate Director shall have the authority to approve in his or her sole discretion.\n\nC. The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each 2-year period thereafter for ten (10) years after issuance of the Order for the biennial Assessments.\n\nD. Each Assessment must: (1) determine whether each Covered Business has implemented and maintained the Data Security Program required by Provision II of this Order, titled Mandated Data Security Program; (2) assess the effectiveness of each Covered Business’s implementation and maintenance of sub-Provisions II.A-I; (3) identify any gaps or weaknesses in the Data Security Program; and (4) identify specific evidence (including, but not limited to documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely solely on assertions or attestations by a Covered Business’s management. The Assessment must be signed by the Assessor and must state that the Assessor conducted an independent review of the Data Security Program, and did not rely solely on assertions or attestations by a Covered Business’s management.\n\nE. Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit its initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Ascension Data & Analytics, LLC, FTC File No. 1923126.” All subsequent biennial Assessments must be retained by Respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "legal_authority": "Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (GLB) Act, 15 U.S.C. § 6801 et seq.; violations enforced through the Federal Trade Commission Act, 15 U.S.C. § 6805(a)(7)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "docket_number": "C-4758" }, { "provision_number": "IV", "title": "Cooperation with Third Party Information Security Assessor", "category": "affirmative_obligation", "summary": "Respondent must fully cooperate with the Assessor by disclosing all material facts without misrepresentation, and providing all relevant information and materials in its possession.", "verbatim_text": "A. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether the Covered Business has implemented and maintained the Data Security Program required by Provision II of this Order, titled Mandated Data Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions II.A-I; or (3) identification of any gaps or weaknesses in the Data Security Program; and\n\nB. Provide or otherwise make available to the Assessor all information and material in their possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Third-Party Assessment" ], "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "legal_authority": "Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (GLB) Act, 15 U.S.C. § 6801 et seq.; violations enforced through the Federal Trade Commission Act, 15 U.S.C. § 6805(a)(7)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "docket_number": "C-4758" }, { "provision_number": "V", "title": "Annual Certification", "category": "compliance_reporting", "summary": "Respondent must provide the Commission with annual certifications from a senior corporate manager or officer confirming compliance with the Order, awareness of no uncorrected material noncompliance, and a description of any Covered Incidents.", "verbatim_text": "A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of each Covered Business responsible for each Covered Business’s Data Security Program that: (1) each Covered Business has established, implemented, and maintained the requirements of this Order; (2) each Covered Business is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of any Covered Incident. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.\n\nB. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, 6 Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Ascension Data & Analytics, LLC, FTC File No. 1923126.”", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "legal_authority": "Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (GLB) Act, 15 U.S.C. § 6801 et seq.; violations enforced through the Federal Trade Commission Act, 15 U.S.C. § 6805(a)(7)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "docket_number": "C-4758" }, { "provision_number": "VI", "title": "Covered Incident Reports", "category": "compliance_reporting", "summary": "Respondent must submit a report to the Commission within ten days of first notifying any government entity of a Covered Incident, including specified details about the incident and remediation steps.", "verbatim_text": "IT IS FURTHER ORDERED that Respondent, for any Covered Business, within a reasonable time after the date of discovery of a Covered Incident, but in any event no later than ten (10) days after the date the Covered Business first notifies any U.S. federal, state, or local government entity of the Covered Incident, must submit a report to the Commission. The report must include, to the extent possible:\n\nA. The date, estimated date, or estimated date range when the Covered Incident occurred; B. A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known; C. A description of each type of information that triggered the notification obligation to the U.S. federal, state, or local government entity; D. The number of consumers whose information triggered the notification obligation to the U.S. federal, state, or local government entity; E. The acts that the Covered Business has taken to date to remediate the Covered Incident and protect Covered Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and F. A representative copy of each materially different notice required by U.S. federal, state, or local law or regulation and sent by the Covered Business or any of its clients to consumers or to any U.S. federal, state, or local government entity.\n\nUnless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Ascension Data & Analytics, LLC, FTC File No. 1923126.”", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "legal_authority": "Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (GLB) Act, 15 U.S.C. § 6801 et seq.; violations enforced through the Federal Trade Commission Act, 15 U.S.C. § 6805(a)(7)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "docket_number": "C-4758" }, { "provision_number": "VII", "title": "Acknowledgments of the Order", "category": "acknowledgment", "summary": "Respondent must acknowledge receipt of the Order, deliver copies to relevant personnel and entities, and obtain signed acknowledgments of receipt.", "verbatim_text": "A. Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.\n\nB. For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision VIII of this Order titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.\n\nC. From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "legal_authority": "Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (GLB) Act, 15 U.S.C. § 6801 et seq.; violations enforced through the Federal Trade Commission Act, 15 U.S.C. § 6805(a)(7)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "docket_number": "C-4758" }, { "provision_number": "VIII", "title": "Compliance Reports and Notices", "category": "compliance_reporting", "summary": "Respondent must submit an initial compliance report one year after the Order, and timely notices of changes in contact information, organizational structure, or bankruptcy proceedings.", "verbatim_text": "A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address, and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, and the means of advertising, marketing, and sales; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.\n\nB. Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (a) any designated point of contact; or (b) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.\n\nC. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.\n\nD. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by 8 concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.\n\nE. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Ascension Data & Analytics, LLC, FTC File No. 1923126.”", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "legal_authority": "Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (GLB) Act, 15 U.S.C. § 6801 et seq.; violations enforced through the Federal Trade Commission Act, 15 U.S.C. § 6805(a)(7)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "docket_number": "C-4758" }, { "provision_number": "IX", "title": "Recordkeeping", "category": "recordkeeping", "summary": "Respondent must create specified records for twenty years after the Order issuance date and retain each record for five years, unless otherwise specified.", "verbatim_text": "A. Accounting records showing the revenues from all goods or services sold;\n\nB. Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;\n\nC. Copies or records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;\n\nD. For five (5) years after the date of preparation of each Assessment required by this Order, all materials and evidence that the Assessor considered, reviewed, relied upon or examined to prepare the Assessment, whether prepared by or on behalf of a Covered Business, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Covered Businesses’ compliance with related Provisions of this Order, for the compliance period covered by such Assessment;\n\nE. For five (5) years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to a Covered Business’s compliance with this Order;\n\nF. For five (5) years from the date created or received, all records, whether prepared by or on behalf of a Covered Business, that address compliance by a Covered Business with this Order or lack thereof; and\n\nG. All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Recordkeeping" ], "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "legal_authority": "Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (GLB) Act, 15 U.S.C. § 6801 et seq.; violations enforced through the Federal Trade Commission Act, 15 U.S.C. § 6805(a)(7)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "docket_number": "C-4758" }, { "provision_number": "X", "title": "Compliance Monitoring", "category": "monitoring", "summary": "The Commission is authorized to monitor Respondent's compliance by requesting reports and records, communicating directly with and interviewing Respondent's personnel, and using all other lawful means including undercover methods.", "verbatim_text": "A. Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.\n\nB. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.\n\nC. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Compliance Monitoring" ], "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "legal_authority": "Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (GLB) Act, 15 U.S.C. § 6801 et seq.; violations enforced through the Federal Trade Commission Act, 15 U.S.C. § 6805(a)(7)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "docket_number": "C-4758" }, { "provision_number": "XI", "title": "Order Effective Dates", "category": "duration", "summary": "The Order is effective upon publication on the FTC's website and terminates on December 22, 2041, or twenty years from the most recent date the Commission files a complaint alleging a violation, whichever is later.", "verbatim_text": "IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on\n\npublication on the Commission’s website (ftc.gov) as a final order. This Order will terminate on December 22, 2041, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. Any Provision in this Order that terminates in less than twenty (20) years; B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision.\n\nProvided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any Provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.", "violation_type": "unfair", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "remedy_types": [ "Order Administration" ], "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "legal_authority": "Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (GLB) Act, 15 U.S.C. § 6801 et seq.; violations enforced through the Federal Trade Commission Act, 15 U.S.C. § 6805(a)(7)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "docket_number": "C-4758" } ] }