Goal Financial had failed to protect sensitive data, including Social Security numbers, of thousands of customers

The U.S. Federal Trade Commission (FTC) has settled a complaint against student lender Goal Financial after allegations that the company failed to safeguard personal data.

Goal Financial allowed two employees to access the personal information of about 7,000 customers and take the information to a competing firm between 2005 and 2006, and the company allowed an employee to sell a hard drive containing the unencrypted personal information of 34,000 customers sometime in 2006, the FTC said. The company failed to protect personal information such as birth dates, Social Security numbers, and income and employment information, the FTC said in its complaint against Goal Financial.

In a letter that Goal Financial sent to affected customers in early 2007, the company said it was taking steps to “prevent future employee theft.” It pointed customers to places where they could ask for free credit reports. As part of the settlement, Goal Financial must implement a comprehensive information security program and be audited by an independent security professional every other year for 10 years.

Goal Financial, based in San Diego, gave customers a privacy policy that said, in part: “Access to nonpublic personal information about you is limited to those employees who need to know such information to provide products or services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal information.”

E-mail sent to Goal Financial officers seeking comment on the FTC settlement was not immediately returned.

The FTC accused the company of violating the agency’s Safeguards Rule by failing to adequately assess the risks to consumers’ personal information, adequately restrict access to this information to authorized employees, implement a comprehensive information security program, provide adequate employee training, and, in some instances, contractually require third-party service providers to protect the information.

Goal Financial also violated the FTC’s Privacy Rule by providing customers with a privacy policy that contained false or misleading statements and violated the FTC Act by falsely representing to consumers that it implemented reasonable and appropriate measures to protect personal information, the FTC said.

The proposed settlement bars Goal Financial from making future data security misrepresentations in addition to requiring the implementation of an information security program and independent audits. This is the 17th case the FTC has brought against companies for allegedly lax data security practices.