FTC “Dumpster Diving” Nets $50,000 Fine for Alleged Failure to Shred or Burn Consumer Data
In December 2007, the federal government filed suit against the American United Mortgage Co. for allegedly failing to shred, burn, or otherwise securely dispose of credit reports or other documents containing personally identifiable consumer information. The Complaint for the Federal Trade Commission alleged that American United violated the FTC's Privacy, Safeguards and Disposal rules by (1) failing to provide privacy notices to customers; (2) failing to develop or implement reasonable safeguards to protect customer information; and (3) failing to securely dispose of consumer credit reports or information obtained from credit reports.
The FTC claimed that it discovered hundreds of documents containing personal information about three dozen individual consumers "in and around" an unsecured dumpster near American United's premises. Without admitting any liability, American United agreed to pay a $50,000 civil penalty. The company also agreed to refrain from any further violations of the FTC's Privacy, Safeguards and Disposal rules.
Perhaps most significantly, American United agreed to develop and implement a data security program for ensuring compliance with the FTC rules and the Consent Order. Every two years for the next 10 years, the company must obtain an independent audit of its security program and report the results of the audit to the FTC in order to demonstrate compliance with the rules and Consent Order.
This case marked the FTC's 15th action challenging the security practices of companies that handle sensitive consumer information, and the first case brought under the Disposal Rule based upon so-called "dumpster diving." Combined with similar "dumpster diving" by the Kentucky Attorney General, the FTC's American United case makes clear that both federal and state agencies are determined to identify and penalize businesses that fail to handle and dispose of consumer data securely.