California-based mortgage broker Mortgage Solutions FCS also does business under the name Mount Diablo Lending. And according to the FTC, the company gave consumers a devil of a time if they posted negative reviews on Yelp. Is your business pondering how to address unfavorable consumer comments? Heaven knows you should avoid Mount Diablo’s approach, which, according to the complaint, violated Regulation P, the Fair Credit Reporting Act, and the FTC Act.
For more than a year, when consumers posted negative reviews on Yelp.com about their experiences with Mount Diablo, owner Ramon Walker fired back with public responses on Yelp. But they weren’t just “Says you” replies. As part of their business, mortgage brokers have a substantial amount of personal data about their customers – credit histories, income sources, debt-to-income ratios, and even family dynamics. The FTC says the defendants revealed some of that highly confidential information in their Yelp responses.
For example, according to one rejoinder the defendants lobbed at a customer on Yelp:
“The truth of the matter is you didn’t have one late 2 years ago. Your credit report shows 4 late payments from the Capital One account, 1 late from Comenity Bank which is Pier 1, another late from Credit First Bank, 3 late payments from an account named SanMateo. Not to mention the mortgage lates. All of these late payments are having an enormous negative impact on your credit score.”
Another response from the company claimed, “The high debt to income ratio was caused by this borrower cosigning on multiple mortgages for his children. The borrower was also self employed and took high deductions from his business.”
In a third example cited by the FTC, the defendants referred to personal health information about a close relative of the consumer.
Among other things, the lawsuit alleges that Mount Diablo and Walker violated Reg P (you may know it by its previous name, the GLB Privacy Rule) by disclosing nonpublic personal information. In addition, the FTC says the defendants violated the Fair Credit Reporting Act by using information in credit reports for impermissible purposes – in this case, to clap back at consumers on Yelp. The complaint also alleges the defendants violated the FTC Act by deceptively claiming they wouldn’t publicly disclose consumers’ personal information and by unfairly revealing sensitive data in their online responses.
In addition to a $120,000 civil penalty for violating the FCRA, the proposed order imposes injunctive provisions to protect consumers in the future. Mount Diablo also must implement a comprehensive data security program, get third-party assessments every two years, and get annual certifications from a senior corporate manager that the company is complying with the order.
What can other businesses take from this settlement?
Responding to ire with fire is an unwise strategy. Retaliating against dissatisfied consumers is an imprudent response to negative feedback – and weaponizing their highly sensitive personal information is ill-considered, ill-advised, and illegal.
See to it that you’re complying with the CRFA. Some companies might try to prevent negative feedback by putting clauses in their form contracts that prohibit consumers from posting reviews about their products or performance. Let’s be clear: The FTC’s action against Mount Diablo doesn’t allege that the company used a clause of that sort. But if you’re thinking that a non-disparagement provision might nip negative comments in the bud, think again because the Consumer Review Fairness Act prohibits terms like that. The FTC has guidance on what your business needs to know about the CRFA.
Keep your information security program current. Aside from challenging the defendants’ response to negative reviews, the FTC says they also violated the Safeguards Rule, which requires certain companies to implement a comprehensive written information security program and test it regularly. According to the complaint, the defendants didn’t implement a program until May 2017 and never assessed its effectiveness. The FTC also says that for a six-year period, the defendants failed to provide customers with the clear, conspicuous, and accurate privacy notice required by Reg P. If your company is covered by the Safeguards Rule and Reg P, are you honoring the rules’ ongoing obligations?