We used a lead generator. We belatedly found out the lead generation company used nonpublic personal information. Our regulator picked up on it in an examination and cited us for violations for every single one of the leads.
Our CEO fired the lead generator, even though they are big and highly recommended. But now we’re forced to deal with the regulator doing special monitoring as well as the penalties.
I am an associate in the compliance department. Our Compliance Manager asked me to write you for some advice on how we can go about distinguishing between a customer’s nonpublic personal information and public information. We are revising our policy for lead generators. Your feedback would be really helpful.
How do we distinguish between nonpublic personal information and public information?