Company Tossed Consumers' Confidential Information in Dumpster; Company Computers Were Hacked
A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.
NHC, based in Kansas City, Kansas, is a privately held holding company that provides real estate services in 44 states. Its subsidiary, NTA, provides a variety of services in connection with financing home purchases and refinancing existing home mortgages. Likens is the president and sole owner of NHC and its subsidiaries.
"Careless handling of consumers’ sensitive financial information is an open invitation to identity thieves,” said Deborah Platt Majoras, Chairman of the FTC. “Enforcing the laws designed to protect consumers’ sensitive financial data is a priority at the FTC. This is the thirteenth case challenging faulty data security practices, and we will bring more cases if companies continue to fail consumers."
According to the FTC’s complaint, NHC, NTA, and Likens routinely obtain sensitive consumer information, including such things as consumer names, Social Security numbers, bank and credit card account numbers, and credit histories, from banks, real estate brokers, consumers, and public records. The FTC alleges that they engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to protect the information. Specifically, the FTC charges that they failed to:
- assess risks to the information they collected and stored, both online and offline;
- implement reasonable policies and procedures in key areas such as employee screening and training and the collection, handling, and disposal of personal information;
- implement simple, low-cost, readily available defenses to common Web site attacks or implement reasonable measures to prevent hackers from gaining access to their computer network;
- employ reasonable measures to detect and respond to unauthorized access to the data or to conduct security investigations; and
- provide reasonable oversight for the handling of personal information by service providers, such as third parties employed to process the information and assist in real estate closings.
According to the complaint, a hacker exploited these failures by using a common Web site attack to gain access to NHC’s computer network. In addition, a Kansas City television station found documents containing sensitive consumer information discarded in NHC’s and NTA’s unsecured dumpster.
The proposed settlement bars misrepresentations about the extent to which NHC, NTA, and Likens protect the privacy, confidentiality, or integrity of any personal information collected from or about consumers. It requires that they establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires them to obtain – every two years for the next 20 years – an audit from a qualified, independent, third-party professional that confirms that their security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions. Finally, the settlement bars future violations of the Safeguards Rule and Privacy Rule, as well as the FTC’s Disposal Rule. The Disposal Rule, which took effect on June 1, 2005, requires companies to dispose of credit reports and information from credit reports in a safe and appropriate manner.
The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through June 9, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
NOTE: Consent agreements are for settlement purposes only and do not constitute an admission by the defendant of a law violation.
Copies of the legal documents associated with these cases are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to thousands of civil and criminal law enforcement agencies in the U.S. and abroad.
(FTC File No. 052 3117)
Office of Public Affairs
Alain Sheer or Loretta Garrison
Bureau of Consumer Protection