Franklin Budget Car Sales, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 35391-35393 [2012-14372]
Federal Register / Vol. 77, No. 114 / Wednesday, June 13, 2012 / Notices
any personal information collected from
or about consumers. Part II of the
proposed order requires EPN to
establish, implement, and thereafter
maintain a comprehensive information
security program, including the
designation of an employee to oversee
EPN’s security program, employee
training, and implementation of
reasonable safeguards. Part III of the
order requires EPN to obtain, for a
period of twenty years, biennial
assessments of its information security
program from an independent third-party professional possessing certain
credentials or certifications.
Parts IV through VIII of the proposed
order are reporting and compliance
provisions. Part IV requires EPN to
retain documents relating to its
compliance with the order. For most
records, the order requires that the
documents be retained for a five-year
period. For the third party assessments
and supporting documents, EPN must
retain the documents for a period of
three years after the date that each
assessment is prepared. Part V requires
dissemination of the order now and in
the future to persons with
responsibilities relating to the subject
matter of the order. Part VI ensures
notification to the FTC of changes in
corporate status. Part VII mandates that
EPN submit a compliance report to the
FTC within 90 days, and periodically
thereafter as requested. Part VIII is a
provision “sunsetting” the order after
twenty (20) years, with certain
exceptions.
The purpose of the analysis is to aid
public comment on the proposed order.
It is not intended to constitute an
official interpretation of the proposed
order or to modify its terms in any way.
By direction of the Commission.
Richard C. Donohue,
Acting Secretary.
[FR Doc. 2012–14369 Filed 6–12–12; 8:45 am]
BILLING CODE 6750–01–P
FEDERAL TRADE COMMISSION
[File No. 102 3094]
Franklin Budget Car Sales, Inc.;
Analysis of Proposed Consent Order
To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
SUMMARY: The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices or unfair
methods of competition. The attached
Analysis to Aid Public Comment
describes both the allegations in the
draft complaint and the terms of the
consent order—embodied in the consent
agreement—that would settle these
allegations.
DATES: Comments must be received on
or before July 9, 2012.
ADDRESSES: Interested parties may file a
comment online or on paper, by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write “Franklin Auto Mall, File
No. 102 3094” on your comment, and
file your comment online at https://ftcpublic.commentworks.com/ftc/franklinautomallconsent, by following
the instructions on the Web-based form.
If you prefer to file your comment on
paper, mail or deliver your comment to
the following address: Federal Trade
Commission, Office of the Secretary,
Room H–113 (Annex D), 600
Pennsylvania Avenue NW., Washington,
DC 20580.
FOR FURTHER INFORMATION CONTACT:
Karen Jagielski (202–326–2509), FTC,
Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington,
DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to section 6(f) of the Federal Trade
Commission Act, 38 Stat. 721, 15 U.S.C.
46(f), and 2.34 the Commission Rules of
Practice, 16 CFR 2.34, notice is hereby
given that the above-captioned consent
agreement containing a consent order to
cease and desist, having been filed with
and accepted, subject to final approval,
by the Commission, has been placed on
the public record for a period of thirty
(30) days. The following Analysis to Aid
Public Comment describes the terms of
the consent agreement, and the
allegations in the complaint. An
electronic copy of the full text of the
consent agreement package can be
obtained from the FTC Home Page (for
June 7, 2012), on the World Wide Web,
at https://www.ftc.gov/os/actions.shtm. A
paper copy can be obtained from the
FTC Public Reference Room, Room 130–H,
600 Pennsylvania Avenue NW.,
Washington, DC 20580, either in person
or by calling (202) 326–2222.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before July 9, 2012. Write “Franklin
Auto Mall, File No. 102 3094” on your
comment. Your comment—including
your name and your state—will be
placed on the public record of this
proceeding, including, to the extent
practicable, on the public Commission
Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of
discretion, the Commission tries to
remove individuals’ home contact
information from comments before
placing them on the Commission Web
site.
Because your comment will be made
public, you are solely responsible for
making sure that your comment does
not include any sensitive personal
information, like anyone’s Social
Security number, date of birth, driver’s
license number or other state
identification number or foreign country
equivalent, passport number, financial
account number, or credit or debit card
number. You are also solely responsible
for making sure that your comment does
not include any sensitive health
information, like medical records or
other individually identifiable health
information. In addition, do not include
any “[t]rade secret or any commercial or
financial information which is obtained
from any person and which is privileged
or confidential,” as provided in Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2).
In particular, do not include
competitively sensitive information
such as costs, sales statistics,
inventories, formulas, patterns, devices,
manufacturing processes, or customer
names.
If you want the Commission to give
your comment confidential treatment,
you must file it in paper form, with a
request for confidential treatment, and
you have to follow the procedure
explained in FTC Rule 4.9(c), 16 CFR
4.9(c).[1] Your comment will be kept
confidential only if the FTC General
Counsel, in his or her sole discretion,
grants your request in accordance with
the law and the public interest.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at https://ftcpublic.commentworks.com/ftc/franklinautomallconsent by following
the instructions on the web-based form.
If this Notice appears at https://www.regulations.gov/#!home, you also
may file a comment through that Web
site.
If you file your comment on paper,
write “Franklin Auto Mall, File No. 102
3094” on your comment and on the
envelope, and mail or deliver it to the
following address: Federal Trade
Commission, Office of the Secretary,
Room H–113 (Annex D), 600
Pennsylvania Avenue NW., Washington,
DC 20580. If possible, submit your
paper comment to the Commission by
courier or overnight service.
[1] In particular, the written request for confidential
treatment that accompanies the comment must
include the factual and legal basis for the request,
and must identify the specific portions of the
comment to be withheld from the public record. See
FTC Rule 4.9(c), 16 CFR 4.9(c).
Visit the Commission Web site at
https://www.ftc.gov to read this Notice
and the news release describing it. The
FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before July 9, 2012. You can find more
information, including routine uses
permitted by the Privacy Act, in the
Commission’s privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
Analysis of Agreement Containing
Consent Order To Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, a
consent agreement from Franklin’s
Budget Car Sales, Inc., also doing
business as Franklin Toyota/Scion
(“Franklin Toyota”).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission will again review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement and take
appropriate action or make final the
agreement’s proposed order.
The Commission’s proposed
complaint alleges that Franklin Toyota,
a Georgia corporation, is a franchise
automobile dealership that sells both
new and used automobiles, leases
automobiles, provides repair services for
automobiles, and sells automobile parts.
In connection with its automobile sales,
Franklin Toyota also provides financing
services to individual consumers. The
complaint alleges that in the course of
its business, Franklin Toyota routinely
collects personal information from or
about its customers, including but not
limited to names, Social Security
numbers, addresses, telephone numbers,
dates of birth, and drivers’ license
numbers. The complaint alleges that
Franklin Toyota is a “financial
institution” as defined in the Gramm-Leach-Bliley (“GLB”) Act, 15 U.S.C.
§ 6801 et seq.
According to the complaint, Franklin
Toyota engaged in a number of practices
that, taken together, failed to provide
reasonable and appropriate security for
personal information on its computers
and networks. In particular, Franklin
Toyota failed to: (1) Assess risks to the
consumer personal information it
collected and stored online; (2) adopt
policies, such as an incident response
plan, to prevent, or limit the extent of,
unauthorized disclosure of personal
information; (3) use reasonable methods
to prevent, detect, and investigate
unauthorized access to personal
information on its networks, such as
inspecting outgoing transmissions to the
Internet to identify unauthorized
disclosures of personal information; (4)
adequately train employees about
information security to prevent
unauthorized disclosures of personal
information; and (5) employ reasonable
measures to respond to unauthorized
access to personal information on its
networks or to conduct security
investigations where unauthorized
access to information occurred.
The complaint alleges that as a result
of these failures, Franklin Toyota
customers’ personal information was
accessed and disclosed on peer-to-peer
(“P2P”) networks by a P2P application
installed on a computer connected to
Franklin Toyota’s computer network.
The complaint alleges that information
for approximately 95,000 consumers,
including but not limited to consumers’
names, Social Security numbers,
addresses, dates of birth, and drivers’
license numbers, was made available on
a P2P network. Such information can
easily be used to facilitate identity theft
and fraud.
Files shared to a P2P network are
available for viewing or downloading by
anyone using a personal computer with
access to the network. Generally, a file
that has been shared cannot be
permanently removed from P2P
networks.
In fact, the use of P2P software poses
very significant data security risks to
consumers. A 2010 FTC examination of
P2P-related breaches uncovered a wide
range of sensitive consumer data
available on P2P networks, including
health-related information, financial
records, and drivers’ license and social
security numbers. See Widespread Data
Breaches Uncovered by FTC Probe: FTC
Warns of Improper Release of Sensitive
Consumer Data on P2P File-Sharing
Networks (Feb. 22, 2010), https://www.ftc.gov/opa/2010/02/p2palert.shtm. Files shared to a P2P
network are available for viewing or
downloading by any computer user with
access to the network. Generally, a file
that has been shared cannot be removed
permanently from the P2P network. In
addition, files can be shared among
computers long after they have been
deleted from the original source
computer.
According to the complaint, Franklin
Toyota violated the GLB Safeguards
Rule by, among other things, failing to
identify reasonably foreseeable internal
and external risks to the security,
confidentiality, and integrity of
customer information; design and
implement information safeguards to
control the risks to customer
information and failing to regularly test
and monitor them; investigate, evaluate,
and adjust the information security
program in light of known or identified
risks; develop, implement, and maintain
a comprehensive written information
security program; and designate an
employee to coordinate the company’s
information security program.
In addition, the proposed complaint
alleges that Franklin Toyota
misrepresented that it implements
reasonable and appropriate measures to
protect consumers’ personal information
from unauthorized access, in violation
of Section 5 of the Federal Trade
Commission Act (“FTC Act”), 15 U.S.C.
45(a). Furthermore, the proposed
complaint alleges that Franklin violated
the GLB Privacy Rule by failing to send
consumers annual privacy notices and
by failing to provide a mechanism by
which consumers could opt out of
information sharing with nonaffiliated
third parties.
The proposed order contains
provisions designed to prevent Franklin
Toyota from engaging in the future in
practices similar to those alleged in the
complaint.
Part I of the proposed order prohibits
misrepresentations about the privacy,
security, confidentiality, and integrity of
any personal information collected from
or about consumers. Part II of the
proposed order prohibits Franklin
Toyota from violating any provision of
the GLB Act’s Standards for
Safeguarding Consumer Information
Rule (“Safeguards Rule”), 16 CFR part
314, or the GLB Act’s Privacy of
Consumer Financial Information Rule
(“Privacy Rule”), 16 CFR part 313. Part
III requires Franklin Toyota to establish,
implement, and thereafter maintain a
comprehensive information security
program, including the designation of
an employee to oversee Franklin
Toyota’s security program, employee
training, and implementation of
reasonable safeguards. Part IV of the
order requires Franklin Toyota to
obtain, for a period of twenty years,
biennial assessments of its information
security program from an independent
third-party professional possessing
certain credentials or certifications.
Parts V through IX of the proposed
order are reporting and compliance
provisions. Part V requires Franklin
Toyota to retain documents relating to
its compliance with the order. For most
records, the order requires that the
documents be retained for a five-year
period. For the third party assessments
and supporting documents, Franklin
Toyota must retain the documents for a
period of three years after the date that
each assessment is prepared. Part VI
requires dissemination of the order now
and in the future to persons with
responsibilities relating to the subject
matter of the order. Part VII ensures
notification to the FTC of changes in
corporate status. Part VIII mandates that
Franklin Toyota submit a compliance
report to the FTC within 90 days, and
periodically thereafter as requested. Part
IX is a provision “sunsetting” the order
after twenty (20) years, with certain
exceptions.
The purpose of the analysis is to aid
public comment on the proposed order.
It is not intended to constitute an
official interpretation of the proposed
order or to modify its terms in any way.
By direction of the Commission.
Richard C. Donohue,
Acting Secretary.
[FR Doc. 2012–14372 Filed 6–12–12; 8:45 am]
BILLING CODE 6750–01–P
GENERAL SERVICES
ADMINISTRATION
[FMR Bulletin–PBS–2012–03; Docket 2012–0002; Sequence 11]
Federal Management Regulation; FMR
Bulletin PBS–2012–03; Redesignations
of Federal Buildings
AGENCY: Public Buildings Service (PBS),
General Services Administration (GSA).
ACTION: Notice of a bulletin.
SUMMARY: The attached bulletin
announces the designation and
redesignation of three Federal buildings.
Expiration Date: This bulletin
announcement expires October 31,
2012. The building designation and
redesignations remain in effect until
canceled or superseded by another
bulletin.
FOR FURTHER INFORMATION CONTACT: U.S.
General Services Administration, Public
Buildings Service (PBS), 1800 F Street
NW., Washington, DC 20405, telephone
number: (202) 501–1100.
Dated:
Dan Tangherlini,
Acting Administrator of General Services.
U.S. GENERAL SERVICES
ADMINISTRATION
REDESIGNATIONS OF FEDERAL
BUILDINGS
TO: Heads of Federal Agencies
SUBJECT: Redesignations of Federal
Buildings
1. What is the purpose of this
bulletin? This bulletin announces the
designation and redesignation of three
Federal buildings.
2. When does this bulletin expire?
This bulletin announcement expires
October 31, 2012. The building
designation and redesignations remain
in effect until canceled or superseded by
another bulletin.
3. Designation. The name of the
designated property (between the
United States Federal Courthouse and
the Ed Jones Building located at 109
South Highland Avenue in Jackson,
Tennessee) is as follows:
M.D. Anderson Plaza
Jackson, TN 38301
4. Redesignation. The former and new
names of the redesignated buildings are
as follows:
Former name: United States Courthouse, 80 Lafayette Street, Jefferson City, MO 65101.
New name: Christopher S. Bond United States Courthouse, 80 Lafayette Street, Jefferson City, MO 65101.
Former name: United States Courthouse, 222 West 7th Avenue, Anchorage, AL 99501.
New name: James M. Fitzgerald United States Courthouse, 222 West 7th Avenue, Anchorage, AL 99501.
5. Who should we contact for further
information regarding redesignation of
these Federal buildings? U.S. General
Services Administration, Public
Buildings Service (PBS), 1800 F Street,
NW., Washington, DC 20405, telephone
number: (202) 501–1100.
Dated: June 7, 2012
Dan Tangherlini,
Acting Administrator of General
Services.
[FR Doc. 2012–14416 Filed 6–12–12; 8:45 am]
BILLING CODE 6820–23–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Biennial Progress Report of the
Interagency Coordinating Committee
on the Validation of Alternative
Methods (ICCVAM)
AGENCY: Division of the National
Toxicology Program (DNTP), National
Institute of Environmental Health
Sciences (NIEHS), National Institutes of
Health (NIH).
ACTION: Availability of Report.
SUMMARY: The NTP Interagency Center
for the Evaluation of Alternative
Toxicological Methods (NICEATM)
announces the availability of the
Biennial Progress Report 2010–2011:
Interagency Coordinating Committee on
the Validation of Alternative Methods.
The report was prepared in accordance
with requirements of the ICCVAM
Authorization Act of 2000 (42 U.S.C.
285l–3).
The Biennial Progress Report
describes activities and progress by
NICEATM and ICCVAM during the
period from January 2010 through
December 2011. During the past two
years, NICEATM, ICCVAM, and
ICCVAM member agencies contributed
to the national and international
endorsement and adoption of 14 new
and updated alternative safety testing
methods. Since ICCVAM was
established, NICEATM, ICCVAM, and
the ICCVAM member agencies have
contributed to the regulatory acceptance
of over 50 alternative methods that can
be used to protect the health of people,
animals, and the environment while
reducing, refining, and replacing animal
use.
The Biennial Progress Report is
available on the NICEATM–ICCVAM
Web site at https://iccvam.niehs.nih.gov/about/ICCVAMrpts.htm. Copies can also
be requested from NICEATM (see
“ADDRESSES”).
ADDRESSES: Requests for copies of the
report should be sent by mail, fax, or
email to Dr. William S. Stokes, Director,
NICEATM, NIEHS, P.O. Box 12233,
Mail Stop: K2–16, Research Triangle
Park, NC 27709, (telephone) 919–541–2384,
(fax) 919–541–0947, (email)
niceatm@niehs.nih.gov. Courier address:
NICEATM, NIEHS, Room 2034, 530
Davis Drive, Morrisville, NC 27560.
[Federal Register Volume 77, Number 114 (Wednesday, June 13, 2012)]
[Notices]
[Pages 35391-35393]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2012-14372]