Consumers’ Financial Information at Risk by Lack of Required Security Practices
A mortgage company identified during a nationwide sweep monitoring compliance with federal privacy laws has settled Federal Trade Commission charges that it failed to adequately protect customers’ personal and financial information. In late 2004, the FTC charged the company with violating the Gramm-Leach-Bliley (GLB) Safeguards Rule. The Safeguards Rule requires financial institutions to implement policies and procedures to ensure the security of customer information. This is the second FTC settlement resolving alleged violations of the GLB Safeguards Rule.
According to the FTC’s complaint, Nationwide Mortgage Group, Inc. failed to assess risks to sensitive customer information; implement safeguards to control these risks; train employees on information security issues; oversee loan holders’ handling of customer information; or monitor its computer network for vulnerabilities. The FTC also alleged that the company violated the GLB Privacy Rule by failing to provide required privacy notices to consumers explaining how their personal information may be used or disclosed.
The Safeguards Rule requires financial institutions to implement a written program to secure customers’ information. In addition to mortgage companies and other traditional financial institutions, the Rule covers entities such as payday lenders, tax preparers, auto dealers, credit counselors, and retailers that issue credit cards. To accommodate the wide range of institutions covered, the Rule allows each institution to develop a program that is appropriate to its size and complexity, the sensitivity of the information it handles, and the nature and scope of its business. Each institution is required to: (1) assign employees to oversee the program; (2) conduct a risk assessment; (3) take steps to control the risks identified; (4) contractually require service providers to protect customers’ information; and (5) make periodic updates to its security program.
The proposed consent order bars Nationwide and its president, John D. Eubank, from violating the Safeguards Rule or the Privacy Rule in the future. The company must retain an independent professional to certify its security program meets the standards listed in the order within 180 days, and then once every other year for 10 years. The order also requires the company to distribute a copy of the order to all of its employees, and it contains standard record keeping provisions to allow the FTC to monitor Nationwide’s compliance.
The Commission vote to accept the proposed consent agreement was 5-0.
The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, until April 4, 2005, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC requests that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
Note: This consent agreement is for settlement purposes only and does not constitute an admission by the defendants of a law violation.
Copies of the proposed consent agreement are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
(FTC File No. 0423104)
Office of Public Affairs
Bureau of Consumer Protection