The FTC has settled charges with a small real estate title company that it failed to provide reasonable and appropriate security to protect customers' personal information, in violation of the FTC’s Safeguards Rule.
The complaint also alleged that the company's privacy policy claims were deceptive because of these failures, in violation of the FTC’s Privacy Rule and the FTC rules prohibiting unfair or deceptive practices.
The FTC alleged that the title company, NHC, based in Kansas City, promised consumers that it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but discarded consumer home loan applications in an open dumpster.
According to the complaint, a hacker exploited these failures by using a common Web site attack to gain access to NHC’s computer network. In addition, a Kansas City television station found documents containing sensitive consumer information discarded in NHC’s and NTA’s unsecured dumpster.
Specifically, the FTC charges that they failed to:
* Assess risks to the information they collected and stored, both online and offline;
* Implement reasonable policies and procedures in key areas such as employee screening and training and the collection, handling, and disposal of personal information;
* Implement simple, low-cost, readily available defenses to common Web site attacks or implement reasonable measures to prevent hackers from gaining access to their computer network;
* Employ reasonable measures to detect and respond to unauthorized access to the data or to conduct security investigations; and
* Provide reasonable oversight for the handling of personal information by service providers, such as third parties employed to process the information and assist in real estate closings.
The Settlement
The settlement bars misrepresentations about the extent to which the company and its affiliates protect the privacy, confidentiality, or integrity of any personal information collected from or about consumers. It requires that they establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires them to get an audit from a qualified, independent, third-party professional every two years for the next 20 years. The companies must also comply with standard bookkeeping and record-keeping provisions. The settlement also bars future violations of the Safeguards Rule and Privacy Rule, as well as the FTC’s Disposal Rule. The Disposal Rule, which took effect on June 1, 2005, requires companies to dispose of credit reports and information from credit reports in a safe and appropriate manner.
"Careless handling of consumers’ sensitive financial information is an open invitation to identity thieves. Enforcing the laws designed to protect consumers’ sensitive financial data is a priority at the FTC. This is the thirteenth case challenging faulty data security practices, and we will bring more cases if companies continue to fail consumers," said Deborah Platt Majoras, Chair of the FTC.