Since the beginning of this year, the Texas Attorney General has taken several enforcement actions alleging that national companies, such as CVS and Radio Shack, have failed to safeguard consumer data properly. The Attorney General is using recently enacted laws that prohibit the improper disposal of personally identifiable data and require all businesses to adopt “reasonable procedures to protect and safeguard” sensitive information from unauthorized disclosure. The most recent target is Life Time Fitness, Inc., a Minnesota-based fitness spa, which, the Attorney General alleges, improperly disposed of business records containing personal identifying information, such as names, dates of birth, driver’s license numbers, credit card numbers, and SSNs, thereby violating the Texas statutes.
According to the complaint filed by the Texas Attorney General, the defendants collect large amounts of personal identifying information. In doing so, the defendants’ Website represented to consumers that the company had “implemented security policies, rules and technical measures to protect the personal data” from “improper use or disclosure” and “unlawful destruction or accidental loss.” The defendants’ Web-based “Privacy Statement” further represented to consumers that all of the company’s employees who have access to personal data are obliged to respect the confidentiality of personal information of consumers.
The defendants also represented that the company maintained internal review procedures in order to comply with the rules and regulations of consumer protection and that the company was “in substantial compliance with all applicable statutes, rules and decisions.” The complaint filed by the Texas Attorney General, however, alleged that the defendants failed to safeguard personal data. For example, more than 100 of the defendants’ business records containing personal identifying information relating to their customers were found in publicly accessible trash dumpsters at several locations.
The Texas Attorney General alleged that the defendants failed to securely dispose of or otherwise make the information unreadable or undecipherable. Instead, “these business records were placed in trash dumpsters that were readily accessible to the public.” Furthermore, the defendants put their customers in danger of becoming victims of identity theft by failing to disclose to their customers that the company did not properly safeguard their personal identifying information.
The Texas Attorney General charged the defendants with violating the Texas Deceptive Trade Practices Act (“DTPA”) (Tex. Bus. & Com. Code Ann. § 17.46) and the Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code Ann. § 35.48), which require the safeguarding and proper destruction of the sensitive personal information of clients. Under Texas law, the Texas Attorney General has the authority to seek penalties of up to $25,000 per violation of the DTPA and $50,000 per violation of the Identity Theft Enforcement and Protection Act. The Texas Attorney General also charged the defendants with violations of the Texas Business and Commerce Code, which requires businesses to develop retention and disposal procedures for client personal information and provides for civil penalties of up to $500 for each abandoned record.