Monday, November 10, 2008

Mortgage Company Settles FTC Data Security Charges

This posting was written by Jeffrey May, Editor of CCH Trade Regulation Reporter.

A Texas-based mortgage lender has agreed to establish a comprehensive information security program and to refrain from making deceptive claims about privacy and security to settle FTC charges that it violated the FTC Safeguards and Privacy Rules, as well as Sec. 5 of the FTC Act. A proposed FTC consent order would settle the charges.

The FTC alleged that the lender violated Sec. 5 of the FTC Act and the Commission’s Privacy Rule (CCH Trade Regulation Reporter ¶38,060) by failing to live up to its own privacy policy.

In its privacy policy, the lender claimed:

“We take our responsibility to protect the privacy and confidentiality of customer information very seriously. We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction. Our control policies, for example, authorize access to customer information only by individuals who need access to do their work.”

Safeguards Rule

The FTC further alleged that the lender violated the Commission’s Safeguards Rule (CCH Trade Regulation Reporter ¶38,061). The Safeguards Rule, enacted under the Gramm-Leach-Bliley Act, requires financial institutions to implement reasonable policies and procedures to ensure the security and confidentiality of sensitive customer information.

The lender allegedly made sensitive customer data vulnerable by allowing a third-party home seller to access the data without taking reasonable steps to protect it. A hacker compromised the data by breaking into the home seller’s computer, obtaining the lender’s user name and password, and using these credentials to access hundreds of consumer reports, according to the agency.

The action is In the Matter of Premier Capital Lending, Inc., FTC File No. 0723004, November 6, 2008. Further details will appear in the CCH Trade Regulation Reporter.

A press release, complaint, and an agreement containing the consent order appear here on the FTC website.
