Goal Financial, LLC; Analysis of Proposed Consent Order to Aid Public Comment, 13898-13900 [E8-5090]
Federal Register / Vol. 73, No. 51 / Friday, March 14, 2008 / Notices
chiropractic benefits on behalf of payors
and their enrollees in Connecticut.
Neither CCA nor CCC has undertaken
any programs or activities that create
any integration among their members in
the delivery of chiropractic services.
Members do not share any financial risk
in providing chiropractic services, do
not collaborate in a program to monitor
and modify clinical practice patterns of
their members to control costs and
ensure quality, or otherwise integrate
their delivery of care to patients. By the
acts set forth in the complaint, CCA,
CCC, and Mr. Hirtle have violated
Section 5 of the FTC Act.
The Proposed Consent Order
The proposed order is designed to
remedy the illegal conduct charged in
the complaint and prevent its
recurrence. It is similar to other consent
orders that the Commission has issued
to settle charges that health care
providers engaged in unlawful refusals
to deal with health plans. Unlike prior
consent orders, however, this order also
settles charges that an attorney
participated in the unlawful refusals to
deal with the providers.
The proposed order’s specific
provisions are as follows:
Paragraph II.A prohibits CCA, CCC,
and Mr. Hirtle from entering into or
facilitating any agreement between or
among any chiropractors: (1) to
negotiate with payors on any
chiropractor’s behalf; (2) to deal, not to
deal, or threaten not to deal with payors;
or (3) on what terms to deal with any
payor.
Other parts of Paragraph II reinforce
these general prohibitions. Paragraph
II.B prohibits the proposed respondents
from persuading in any way a
chiropractor to deal or not deal with a
payor, or accept or not accept the terms
or conditions on which the chiropractor
is willing to deal with a payor.
Paragraph II.C forbids the proposed
respondents from facilitating exchanges
of information between chiropractors
concerning whether, or on what terms,
to contract with a payor. Paragraph II.D
prohibits proposed respondents from
continuing a meeting of chiropractors
after any person makes any statements
regarding any chiropractor’s intentions
that if agreed to would violate
Paragraphs II.A through II.C unless that
person is ejected from the meeting.
Paragraph E bars attempts to engage in
any action prohibited by Paragraphs II.A
through II.D, and Paragraph F proscribes
inducing anyone to engage in any action
prohibited by Paragraphs II.A through
II.E.
As in other Commission orders
addressing health care providers’
concerted action against health care
purchasers, certain kinds of agreements
are excluded from the general bar on
joint negotiations. Mr. Hirtle would not
be precluded from engaging in conduct
that is reasonably necessary to form
legitimate joint contracting
arrangements among competing
chiropractors, whether a ‘‘qualified risk-sharing joint arrangement’’ or a
‘‘qualified clinically-integrated joint
arrangement,’’ or conduct that only
involves chiropractors who are part of
the same chiropractic group practice
(defined in Paragraph I.F).
As defined in the proposed order, a
‘‘qualified risk-sharing joint
arrangement’’ possesses two key
characteristics. First, all chiropractor
participants must share substantial
financial risk through the arrangement,
such that the arrangement creates
incentives for the participants jointly to
control costs and improve quality by
managing the provision of services.
Second, any agreement concerning
reimbursement or other terms or
conditions of dealing must be
reasonably necessary to obtain
significant efficiencies through the joint
arrangement.
A ‘‘qualified clinically-integrated joint
arrangement,’’ on the other hand, need
not involve any sharing of financial risk.
Instead, as defined in the proposed
order, participants must participate in
active and ongoing programs to evaluate
and modify their clinical practice
patterns in order to control costs and
ensure the quality of services provided,
and the arrangement must create a high
degree of interdependence and
cooperation among chiropractors. As
with qualified risk-sharing
arrangements, any agreement
concerning price or other terms of
dealing must be reasonably necessary to
achieve the efficiency goals of the joint
arrangement.
Paragraph III provides that the order
does not prevent CCA or CCC from
exercising rights permitted under the
First Amendment to the United States
Constitution to petition the government.
Paragraph IV requires that CCA and
CCC maintain copies of written
communications distributed to any
chiropractor relating to the order.
Paragraph V.A requires CCA and CCC
to distribute the complaint and order to
all chiropractors who have participated
in CCA or CCC, and to payors identified
in Appendix A. For five years,
Paragraph V.B requires both CCA and
CCC, respectively, to distribute the
complaint and order to all chiropractors
who become a member of CCA or CCC.
Paragraphs V.C, V.D, VI, VII, and VIII
of the proposed order impose various
obligations on proposed respondents to
report or provide access to information
to the Commission to facilitate
monitoring their compliance with the
order.
Paragraph IX provides that the
proposed order will expire in 20 years.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. E8–5089 Filed 3–13–08; 8:45 am]
BILLING CODE 6750–01–S
FEDERAL TRADE COMMISSION
[File No. 072 3013]
Goal Financial, LLC; Analysis of
Proposed Consent Order to Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
SUMMARY: The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices or unfair
methods of competition. The attached
Analysis to Aid Public Comment
describes both the allegations in the
draft complaint and the terms of the
consent order—embodied in the consent
agreement—that would settle these
allegations.
DATES: Comments must be received on
or before April 3, 2008
ADDRESSES: Interested parties are
invited to submit written comments.
Comments should refer to ‘‘Goal
Financial, File No. 072 3013,’’ to
facilitate the organization of comments.
A comment filed in paper form should
include this reference both in the text
and on the envelope, and should be
mailed or delivered to the following
address: Federal Trade Commission/
Office of the Secretary, Room 135-H,
600 Pennsylvania Avenue, N.W.,
Washington, D.C. 20580. Comments
containing confidential material must be
filed in paper form, must be clearly
labeled ‘‘Confidential,’’ and must
comply with Commission Rule 4.9(c).
16 CFR 4.9(c) (2005).1 The FTC is
requesting that any comment filed in
paper form be sent by courier or
overnight service, if possible, because
U.S. postal mail in the Washington area
and at the Commission is subject to
delay due to heightened security
precautions. Comments that do not
contain any nonpublic information may
instead be filed in electronic form by
following the instructions on the
web-based form at
https://secure.commentworks.com/ftc-GoalFinancial.
To ensure that the
Commission considers an electronic
comment, you must file it on that
web-based form.
1 The comment must be accompanied by an
explicit request for confidential treatment,
including the factual and legal basis for the request,
and must identify the specific portions of the
comment to be withheld from the public record.
The request will be granted or denied by the
Commission’s General Counsel, consistent with
applicable law and the public interest. See
Commission Rule 4.9(c), 16 CFR 4.9(c).
The FTC Act and other laws the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. All timely and responsive
public comments, whether filed in
paper or electronic form, will be
considered by the Commission, and will
be available to the public on the FTC
website, to the extent practicable, at
www.ftc.gov. As a matter of discretion,
the FTC makes every effort to remove
home contact information for
individuals from the public comments it
receives before placing those comments
on the FTC website. More information,
including routine uses permitted by the
Privacy Act, may be found in the FTC’s
privacy policy, at
https://www.ftc.gov/ftc/privacy.htm.
FOR FURTHER INFORMATION CONTACT:
Jessica Rich, FTC Bureau of Consumer
Protection, 600 Pennsylvania Avenue,
NW, Washington, D.C. 20580, (202) 326-2148.
SUPPLEMENTARY INFORMATION: Pursuant
to section 6(f) of the Federal Trade
Commission Act, 38 Stat. 721, 15 U.S.C.
46(f), and § 2.34 of the Commission
Rules of Practice, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis to Aid Public Comment
describes the terms of the consent
agreement, and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
Home Page (for March 4, 2008), on the
World Wide Web, at
https://www.ftc.gov/os/2008/03/index.htm. A paper copy
can be obtained from the FTC Public
Reference Room, Room 130-H, 600
Pennsylvania Avenue, NW, Washington,
D.C. 20580, either in person or by
calling (202) 326-2222.
Public comments are invited, and may
be filed with the Commission in either
paper or electronic form. All comments
should be filed as prescribed in the
ADDRESSES section above, and must be
received on or before the date specified
in the DATES section.
Analysis of Agreement Containing
Consent Order to Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, a
consent agreement from Goal Financial,
LLC (‘‘Goal Financial’’).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission will again review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement and take
appropriate action or make final the
agreement’s proposed order.
Goal Financial markets and originates
a variety of student loans and provides
loan-related services. In conducting its
business, Goal Financial routinely
obtains personal information from loan
applications and other sources,
including name, address, telephone
number, driver’s license number, Social
Security number, date of birth, and
income, debt, and employment
information. Goal Financial, therefore,
is a ‘‘financial institution’’ subject to the
requirements of the Gramm-Leach-Bliley (‘‘GLB’’) Safeguards Rule and
Privacy Rule. This matter concerns Goal
Financial’s alleged violations of the GLB
Safeguards Rule, the GLB Privacy Rule,
and Section 5 of the Federal Trade
Commission (‘‘FTC’’) Act.
The Commission’s proposed
complaint alleges that Goal Financial
engaged in a number of practices that,
taken together, failed to employ
reasonable and appropriate security
measures to protect personal
information. In particular, Goal
Financial failed: (1) to assess adequately
risks to the information it collected and
stored in its paper files and on its
computer network; (2) to restrict
adequately access to personal
information stored in its paper files and
on its computer network to authorized
employees; (3) to implement a
comprehensive information security
program, including reasonable policies
and procedures in key areas such as the
collection, handling, and disposal of
personal information; (4) to provide
adequate training to employees about
handling and protecting personal
information and responding to security
incidents; and (5) in a number of
instances to require third-party service
providers by contract to protect the
security and confidentiality of personal
information. As a result of these alleged
failures, Goal Financial put at risk the
sensitive information of more than
41,000 consumers.
The complaint alleges that these
security failures violated the GLB
Safeguards Rule. In addition, the
complaint alleges that Goal Financial
misrepresented that it implemented
reasonable and appropriate security
measures to protect personal
information from unauthorized access,
in violation of Section 5 of the FTC Act.
Further, the proposed complaint alleges
that Goal Financial disseminated a
privacy policy that does not accurately
reflect its privacy practices, including
its security policies and practices, in
violation of the GLB Privacy Rule.
The proposed order applies to
personal information Goal Financial
collects from or about consumers in
connection with its student loan and
related services and contains provisions
designed to prevent Goal Financial from
engaging in the future in practices
similar to those alleged in the
complaint.
Part I of the proposed order requires
that Goal Financial not misrepresent the
extent to which it maintains and
protects the privacy, confidentiality, or
integrity of any personal information
collected from or about consumers.
Part II of the proposed order requires
Goal Financial to establish and maintain
a comprehensive information security
program in writing that is reasonably
designed to protect the security,
confidentiality, and integrity of personal
information it collects from or about
consumers. The security program must
contain administrative, technical, and
physical safeguards appropriate to its
size and complexity, the nature and
scope of its activities, and the sensitivity
of the personal information collected.
Specifically, the order requires Goal
Financial to:
1. Designate an employee or
employees to coordinate and be
accountable for the information security
program.
2. Identify material internal and
external risks to the security,
confidentiality, and integrity of
consumer information that could result
in unauthorized disclosure, misuse,
loss, alteration, destruction, or other
compromise of such information, and
assess the sufficiency of any safeguards
in place to control these risks.
3. Design and implement reasonable
safeguards to control the risks identified
through risk assessment, and regularly
test or monitor the effectiveness of the
safeguards’ key controls, systems, and
procedures.
4. Develop and use reasonable steps to
retain service providers capable of
appropriately safeguarding personal
information they receive from Goal
Financial, require service providers by
contract to implement and maintain
appropriate safeguards, and monitor
their safeguarding of personal
information.
5. Evaluate and adjust its information
security program in light of the results
of testing and monitoring, any material
changes to its operations or business
arrangements, or any other
circumstances that it knows or has
reason to know may have a material
impact on the effectiveness of its
information security program.
Part III of the proposed order requires
that Goal Financial not violate any
provision of the GLB Safeguards Rule
and Privacy Rule.
Part IV of the proposed order requires
that Goal Financial obtain, within 180
days after being served with the final
order approved by the Commission, and
on a biennial basis thereafter for ten (10)
years, an assessment and report from a
qualified, objective, independent third-party professional, certifying that: (1)
Goal Financial has in place a security
program that provides protections that
meet or exceed the protections required
by Parts II and IIIA of the proposed
order, and (2) its security program is
operating with sufficient effectiveness to
provide reasonable assurance that the
security, confidentiality, and integrity of
nonpublic personal information has
been protected. This provision is
substantially similar to comparable
provisions obtained in prior
Commission orders under the
Safeguards Rule and Section 5 of the
FTC Act.
Parts V through IX of the proposed
order are reporting and compliance
provisions. Part V requires Goal
Financial to retain documents relating
to its compliance with the order. For
most records, the order requires that the
documents be retained for a five-year
period. For the third-party assessments
and supporting documents, Goal
Financial must retain the documents for
a period of three years after the date that
each assessment is prepared. Part VI
requires dissemination of the order now
and in the future to persons with
responsibilities relating to the subject
matter of the order. Part VII ensures
notification to the FTC of changes in
company status. Part VIII mandates that
Goal Financial submit an initial
compliance report to the FTC, and make
available to the FTC subsequent reports.
Part IX is a provision ‘‘sunsetting’’ the
order after twenty (20) years, with
certain exceptions.
The purpose of this analysis is to
facilitate public comment on the
proposed order. It is not intended to
constitute an official interpretation of
the proposed order or to modify its
terms in any way.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. E8–5090 Filed 3–13–08: 8:45 am]
BILLING CODE 6750–01–S
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Agency for Healthcare Research and
Quality
Agency Information Collection
Activities: Proposed Collection;
Comment Request
AGENCY: Agency for Healthcare Research
and Quality, HHS.
ACTION: Notice.
SUMMARY: This notice announces the
intention of the Agency for Healthcare
Research and Quality (AHRQ) to request
that the Office of Management and
Budget (OMB) approve the proposed
information collection project: ‘‘Focus
Groups on Consumer Engagement in
Developing Electronic Health
Information Systems.’’ In accordance
with the Paperwork Reduction Act of
1995, (44 U.S.C. 3506(c)(2)(A)), AHRQ
invites the public to comment on this
proposed information collection.
This proposed information collection
was previously published in the Federal
Register on December 28th, 2007 and
allowed 60 days for public comment.
Comments were received. The purpose
of this notice is to allow an additional
30 days for public comment.
DATES: Comments on this notice must be
received by May 13, 2008.
ADDRESSES: Written comments should
be submitted to: Doris Lefkowitz,
Reports Clearance Officer, AHRQ, by email at doris.lefkowitz@ahrq.hhs.gov.
Copies of the proposed collection
plans, data collection instruments, and
specific details on the estimated burden
can be obtained from the AHRQ Reports
Clearance Officer.
FOR FURTHER INFORMATION CONTACT:
Doris Lefkowitz, AHRQ Reports
Clearance Officer, (301) 427–1477, or by
email at doris.lefkowitz@ahrq.hhs.gov.
SUPPLEMENTARY INFORMATION:
Proposed Project: ‘‘Focus Groups on
Consumer Engagement in Developing
Electronic Health Information Systems’’
This project will consist of focus
groups to gain insights into healthcare
consumers’ awareness and perceptions
of Health Information Technology (IT),
and how best to engage consumers in
the development of these technologies.
AHRQ has so far invested significant
resources in initiatives to promote the
planning and development of new
Health IT that should improve
healthcare, lower healthcare costs, and
improve patient safety. For such
benefits to be maximized, it is important
to understand how consumers view
Health IT and how to engage them in the
design and implementation of future
innovations.
AHRQ will conduct 20 focus groups
(in addition to two pretest groups) with
healthcare consumers, that is persons
who have visited a healthcare provider
(either for their own health or the health
of a family member) in the previous two
years. For the most part, the groups will
be homogenous with respect to the
presence or absence of either of the
following characteristics: (a) Managing a
chronic health condition (or the
condition of a close family member), or
(b) Having visited at least three
healthcare providers in the past two
years.
Participants will be covered by a
range of health insurance plans, and
persons not covered by health insurance
will also be recruited. Some groups will
include only persons enrolled in a
Health Maintenance Organization (HMO).
The data to be collected for this
project will be in two forms: a) answers
to a screener questionnaire designed to
identify and recruit eligible participants,
and b) verbal reports—i.e., focus group
participants’ answers to questions posed
by the moderator and reactions to
comments of other group members. The
focus group discussions will be audiotaped with participants’ consent and
transcribed for analysis purposes.
Method of Collection
Participants will be screened for
eligibility and recruited for the focus
groups by telephone. The focus group
sessions will be conducted in-person
with approximately 10 persons per
group. The focus group discussion will
take approximately 2 hours, and we
have assumed a 20-minute travel time
(each way) per participant. Thus, focus
group participation will require 2.67
hours per response.
Estimated Annual Respondent Burden
[Federal Register Volume 73, Number 51 (Friday, March 14, 2008)]
[Notices]
[Pages 13898-13900]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-5090]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 072 3013]
Goal Financial, LLC; Analysis of Proposed Consent Order to Aid
Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order--embodied in the consent
agreement--that would settle these allegations.
DATES: Comments must be received on or before April 3, 2008
ADDRESSES: Interested parties are invited to submit written comments.
Comments should refer to ``Goal Financial, File No. 072 3013,'' to
facilitate the organization of comments. A comment filed in paper form
should include this reference both in the text and on the envelope, and
should be mailed or delivered to the following address: Federal Trade
Commission/Office of the Secretary, Room 135-H, 600 Pennsylvania
Avenue, N.W., Washington, D.C. 20580. Comments containing confidential
material must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with Commission Rule 4.9(c). 16 CFR
4.9(c) (2005).\1\ The FTC is requesting that any comment filed in paper
form be sent by courier or overnight service, if possible, because U.S.
postal mail in the Washington area
and at the Commission is subject to delay due to heightened security
precautions. Comments that do not contain any nonpublic information may
instead be filed in electronic form by following the instructions on
the web-based form at https://secure.commentworks.com/ftc-GoalFinancial.
To ensure that the Commission considers an electronic comment, you must
file it on that web-based form.
---------------------------------------------------------------------------
\1\ The comment must be accompanied by an explicit request for
confidential treatment, including the factual and legal basis for
the request, and must identify the specific portions of the comment
to be withheld from the public record. The request will be granted
or denied by the Commission's General Counsel, consistent with
applicable law and the public interest. See Commission Rule 4.9(c),
16 CFR 4.9(c).
---------------------------------------------------------------------------
The FTC Act and other laws the Commission administers permit the
collection of public comments to consider and use in this proceeding as
appropriate. All timely and responsive public comments, whether filed
in paper or electronic form, will be considered by the Commission, and
will be available to the public on the FTC website, to the extent
practicable, at www.ftc.gov. As a matter of discretion, the FTC makes
every effort to remove home contact information for individuals from
the public comments it receives before placing those comments on the
FTC website. More information, including routine uses permitted by the
Privacy Act, may be found in the FTC's privacy policy, at
https://www.ftc.gov/ftc/privacy.htm.
FOR FURTHER INFORMATION CONTACT: Jessica Rich, FTC Bureau of Consumer
Protection, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580, (202)
326-2148.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 of
the Commission Rules of Practice, 16 CFR 2.34, notice is hereby given
that the above-captioned consent agreement containing a consent order
to cease and desist, having been filed with and accepted, subject to
final approval, by the Commission, has been placed on the public record
for a period of thirty (30) days. The following Analysis to Aid Public
Comment describes the terms of the consent agreement, and the
allegations in the complaint. An electronic copy of the full text of
the consent agreement package can be obtained from the FTC Home Page
(for March 4, 2008), on the World Wide Web, at
https://www.ftc.gov/os/2008/03/index.htm. A paper copy can be obtained
from the FTC Public
Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW, Washington,
D.C. 20580, either in person or by calling (202) 326-2222.
Public comments are invited, and may be filed with the Commission
in either paper or electronic form. All comments should be filed as
prescribed in the ADDRESSES section above, and must be received on or
before the date specified in the DATES section.
Analysis of Agreement Containing Consent Order to Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, a consent agreement from Goal Financial, LLC (``Goal
Financial'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
Goal Financial markets and originates a variety of student loans
and provides loan-related services. In conducting its business, Goal
Financial routinely obtains personal information from loan applications
and other sources, including name, address, telephone number, driver's
license number, Social Security number, date of birth, and income,
debt, and employment information. Goal Financial, therefore, is a
``financial institution'' subject to the requirements of the
Gramm-Leach-Bliley (``GLB'') Safeguards Rule and Privacy Rule. This matter
concerns Goal Financial's alleged violations of the GLB Safeguards
Rule, the GLB Privacy Rule, and Section 5 of the Federal Trade
Commission (``FTC'') Act.
The Commission's proposed complaint alleges that Goal Financial
engaged in a number of practices that, taken together, failed to employ
reasonable and appropriate security measures to protect personal
information. In particular, Goal Financial failed: (1) to assess
adequately risks to the information it collected and stored in its
paper files and on its computer network; (2) to restrict adequately
access to personal information stored in its paper files and on its
computer network to authorized employees; (3) to implement a
comprehensive information security program, including reasonable
policies and procedures in key areas such as the collection, handling,
and disposal of personal information; (4) to provide adequate training
to employees about handling and protecting personal information and
responding to security incidents; and (5) in a number of instances to
require third-party service providers by contract to protect the
security and confidentiality of personal information. As a result of
these alleged failures, Goal Financial put at risk the sensitive
information of more than 41,000 consumers.
The complaint alleges that these security failures violated the GLB
Safeguards Rule. In addition, the complaint alleges that Goal Financial
misrepresented that it implemented reasonable and appropriate security
measures to protect personal information from unauthorized access, in
violation of Section 5 of the FTC Act. Further, the proposed complaint
alleges that Goal Financial disseminated a privacy policy that does not
accurately reflect its privacy practices, including its security
policies and practices, in violation of the GLB Privacy Rule.
The proposed order applies to personal information Goal Financial
collects from or about consumers in connection with its student loan
and related services and contains provisions designed to prevent Goal
Financial from engaging in the future in practices similar to those
alleged in the complaint.
Part I of the proposed order requires that Goal Financial not
misrepresent the extent to which it maintains and protects the privacy,
confidentiality, or integrity of any personal information collected
from or about consumers.
Part II of the proposed order requires Goal Financial to establish
and maintain a comprehensive information security program in writing
that is reasonably designed to protect the security, confidentiality,
and integrity of personal information it collects from or about
consumers. The security program must contain administrative, technical,
and physical safeguards appropriate to its size and complexity, the
nature and scope of its activities, and the sensitivity of the personal
information collected. Specifically, the order requires Goal Financial
to:
1. Designate an employee or employees to coordinate and be
accountable for the information security program.
2. Identify material internal and external risks to the security,
confidentiality, and integrity of consumer information that could
result in unauthorized disclosure, misuse, loss, alteration,
destruction, or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks.
3. Design and implement reasonable safeguards to control the risks
identified through risk assessment, and regularly test or monitor the
effectiveness of the safeguards' key controls, systems, and procedures.
4. Develop and use reasonable steps to retain service providers
capable of appropriately safeguarding personal
information they receive from Goal Financial, require service providers
by contract to implement and maintain appropriate safeguards, and
monitor their safeguarding of personal information.
5. Evaluate and adjust its information security program in light of
the results of testing and monitoring, any material changes to its
operations or business arrangements, or any other circumstances that it
knows or has reason to know may have a material impact on the
effectiveness of its information security program.
Part III of the proposed order requires that Goal Financial not
violate any provision of the GLB Safeguards Rule and Privacy Rule.
Part IV of the proposed order requires that Goal Financial obtain,
within 180 days after being served with the final order approved by the
Commission, and on a biennial basis thereafter for ten (10) years, an
assessment and report from a qualified, objective, independent
third-party professional, certifying that: (1) Goal Financial has in place a
security program that provides protections that meet or exceed the
protections required by Parts II and IIIA of the proposed order, and
(2) its security program is operating with sufficient effectiveness to
provide reasonable assurance that the security, confidentiality, and
integrity of nonpublic personal information has been protected. This
provision is substantially similar to comparable provisions obtained in
prior Commission orders under the Safeguards Rule and Section 5 of the
FTC Act.
Parts V through IX of the proposed order are reporting and
compliance provisions. Part V requires Goal Financial to retain
documents relating to its compliance with the order. For most records,
the order requires that the documents be retained for a five-year
period. For the third-party assessments and supporting documents, Goal
Financial must retain the documents for a period of three years after
the date that each assessment is prepared. Part VI requires
dissemination of the order now and in the future to persons with
responsibilities relating to the subject matter of the order. Part VII
ensures notification to the FTC of changes in company status. Part VIII
mandates that Goal Financial submit an initial compliance report to the
FTC, and make available to the FTC subsequent reports. Part IX is a
provision ``sunsetting'' the order after twenty (20) years, with
certain exceptions.
The purpose of this analysis is to facilitate public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed order or to modify its terms in any way.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. E8-5090 Filed 3-13-08: 8:45 am]
BILLING CODE 6750-01-S