A mortgage company that left loan documents with consumers’ sensitive personal and financial information in and around an unsecured dumpster has agreed to settle Federal Trade Commission charges that it violated federal regulations. The FTC’s complaint alleges that Northbrook, Illinois-based American United Mortgage Company violated the Disposal, Safeguards, and Privacy rules by failing to properly dispose of credit reports or information taken from credit reports, failing to develop or implement reasonable safeguards to protect customer information, and not providing customers with privacy notices.
“Every business, whether large or small, must take reasonable and appropriate measures to protect sensitive consumer information, from acquisition to disposal,” FTC Chairman Deborah Platt Majoras said. “This agency will continue to prosecute companies that fail to fulfill their legal responsibility to protect consumers’ personal information.”
According to the FTC’s complaint, American United collects personal information about consumers, including Social Security numbers, bank and credit card account numbers, income and credit histories, and consumer reports. Since at least December 2005, the company engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for consumers’ personal information. Among other things, the company allegedly failed to implement reasonable policies and procedures requiring the proper disposal of consumers’ personal information, including consumer reports; to take reasonable actions in disposing of such information; and to identify reasonably foreseeable internal and external risks to consumer information. The company also allegedly failed to develop, implement, or maintain a comprehensive written information security program.
As a result of the company’s failures, the complaint alleges, on multiple occasions American United documents containing consumers’ personal information were found in and
around a dumpster, near its office, that was unsecured and easily accessible to the public. In February 2006, for example, hundreds of such documents were found, many in open trash bags, including consumer reports for 36 consumers. In March 2006, FTC staff notified the company in writing about this situation, and on at least two occasions afterward, more such documents were found in and around the same dumpster.
The complaint charges American United Mortgage Company with violating the FTC’s
Disposal Rule, which requires companies to dispose of credit reports and information from credit reports in a safe and appropriate manner, and the FTC’s Safeguards Rule, which requires financial institutions to take appropriate measures to protect customer information. The complaint also alleges that from July 1, 2001 until March 2006, the company failed to provide its customers with a privacy notice describing its information collection and sharing practices with respect to affiliated and non-affiliated third parties, as required by the FTC’s Privacy Rule.
The stipulated judgment and final order requires American United to pay a $50,000 civil penalty for violations of the Disposal Rule and prohibits the company from further violations of the Disposal, Safeguards, and Privacy rules. The settlement also requires American United to obtain, every two years for the next 10 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order.
This is the FTC’s first Disposal Rule case and its 15th case challenging faulty data security practices by companies that handle sensitive consumer information.
The Commission vote to refer the complaint and stipulated judgment and order to the Department of Justice for filing was 5-0. The complaint and stipulated judgment and order were filed in the U.S. District Court for the Northern District of Illinois, Eastern Division, by the Department of Justice at the request of the FTC.
NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the defendant has actually violated the law. The stipulated order is for settlement purposes only and does not constitute an admission by the defendant of a law violation.
Copies of the complaint and stipulated judgment and order are available from the FTC’s Web site at http://www.ftc.gov and the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftc.gov/ftc/complaint.shtm or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://ftc.gov/bcp/consumer.shtm.
Office of Public Affairs
FTC Midwest Region