Thursday, March 06, 2008
FTC Settlement of Student Loan Data Breach
Between 2005 and 2006, Goal Financial, LLC, a San Diego-based student loan lender, allowed two employees to access the personal information of 7,000 customers, and that information was taken to a competitor. In 2006, the company allowed an employee to sell a hard drive that held unencrypted personal information on 34,000 customers. The data included Social Security numbers, income and employment information.
The FTC accused Goal Financial of violating the FTC's Safeguards Rule "by failing to: adequately assess the risks to consumers' personal information, adequately restrict access to this information to authorized employees, implement a comprehensive information security program, provide adequate employee training, and, in some instances, contractually require third-party service providers to protect the information." In addition, the Privacy Policy that was provided to customers contained false or misleading statements.
Goal Financial directed customers to where they could access free credit reports. Under the terms of the settlement, the company must implement a new comprehensive information security program and have it audited by an independent authority biennially for ten years. It must also make accurate Privacy Policy disclosures.
The press release is at the FTC site.
