Virtually every company that provides goods or services to the public will, at some point, have a negative review posted online by a dissatisfied consumer. While such reviews are understandably upsetting, a company should not respond in kind with negative comments about the reviewer and certainly should not reveal personal or sensitive information about them.

One California business owner learned this the hard way. According to allegations in a complaint filed on behalf of the Federal Trade Commission (FTC), a mortgage company (through its sole owner) allegedly responded to consumers who posted negative reviews on Yelp by revealing their credit histories, debt-to-income ratios, taxes, health information, sources of income, family relationships, and other personal data. Further, several of the responses revealed the first and last names of the reviewers. According to the FTC, this conduct violated the Fair Credit Reporting Act (FCRA), which places a legal obligation on credit reports users to keep that information confidential and disclose it to third parties only when there is a legitimate need to do so.

The FTC further alleged that the company and its owner violated the FTC Act and other federal law, including by their failure to implement an information security program until September 2017 and not subsequently testing the program.

To resolve the litigation, the broker and his company agreed to pay a $120,000 penalty to settle the alleged FCRA violation. In addition, the broker and company are prohibited from misrepresenting their privacy and data security practices, misusing credit reports, and improperly disclosing nonpublic personal information to third parties. The company also was ordered to implement a comprehensive data security program to protect personal information it collects. It must obtain third-party assessments of this program every two years (for a period of 10 years). Furthermore, the company must designate a senior corporate manager responsible for overseeing the data security program to certify compliance with the order every year.

As for those negative online reviews, rather than privately seething or engaging in a personal attack on the person who posted it, a better approach would be to acknowledge the customer’s concerns and apologize for their experience (even if you believe they are wrong), say something positive about your company and your willingness to try to resolve the issue, and move to take the conversation offline by providing contact information should the reviewer wish to continue the discussion.