Friday, December 28, 2007

Mortgage Company to Pay $50,000 for Tossing Loan Documents in Dumpster

This posting was written by Darius Sturmer, Editor of CCH Trade Regulation Reporter.

An Illinois-based mortgage company that left loan documents with consumers' sensitive personal and financial information in and around an unsecured dumpster has agreed to pay a $50,000 civil penalty to settle FTC charges that the conduct violated federal regulations.

According to a complaint filed by the Department of Justice at the request of the FTC, the company violated the Disposal, Safeguards, and Privacy Rules by failing to properly dispose of credit reports or information taken from credit reports, failing to develop or implement reasonable safeguards to protect customer information, and failing to provide customers with privacy notices. The action marks the FTC's first Disposal Rule case, as well as its 15th challenge to the data security practices of companies that handle sensitive consumer information.

The complaint alleged that since at least December 2005, the company engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for consumers' personal information. Among other things, the company allegedly failed to implement reasonable policies and procedures requiring the proper disposal of consumers' personal information, including consumer reports; to take reasonable actions in disposing of such information; and to identify reasonably foreseeable internal and external risks to consumer information.

The company also allegedly failed to develop, implement, or maintain a comprehensive written information security program, it was alleged. As a result of these failures, on multiple occasions documents containing consumers' personal information were found in and around a dumpster near the company's office that was unsecured and easily accessible to the public.

The complaint charged specifically that in February 2006, hundreds of these documents were found, many in open trash bags, including consumer reports for 36 consumers. The FTC averred that although its staff notified the company in writing about this situation in March 2006, more such documents were found in and around the same dumpster on at least two occasions afterward.

In addition to requiring the company to pay the civil penalty for violations of the Disposal Rule, the proposed settlement would prohibit the company from further violations of the Disposal, Safeguards, and Privacy Rules. It would also require the company to obtain, every two years for the next 10 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order.

The action is FTC v. American United Mortgage Corporation, FTC File No. 062 3103, court complaint and proposed consent decree filed December 18, 2007. Further details appear at CCH Trade Regulation Reporter ¶16,090.

No comments: