Real Estate Services Company Settles FTC Charges Over Confidential Consumer Data

Posted by Ronald G. London

The Federal Trade Commission has announced a proposed consent decree between the government and Nations Title Agency, Inc./Nations Holding Company arising from alleged privacy and security breaches at the companies, as a result of the disposal of consumers' confidential data in an unsecured dumpster and the hacking of the companies' computers. Nations Title provides a variety of services in connection with financing home purchases and refinancing existing mortgages, while Nations Holding provides real estate services in 44 states. According to the FTC, the companies failed in their promise to consumers to maintain "physical, electronic and procedural safeguards" that protect confidential information, which the companies routinely obtained from banks, real estate brokers, and consumers, and which included names, Social Security numbers, bank and credit card account numbers, and credit histories. The consent decree requires Nations to refrain from making future deceptive claims about its privacy and security measures, to adopt a comprehensive information security program, and to undergo audits by an independent third-party security professional every other year for the next 20 years. This brings to over a dozen the number of cases the FTC has brought challenging data security practices, and it vowed to "bring more if companies continue to fail consumers."

The FTC alleged that the companies' inadequate storage and disposal procedures violated federal laws, including engaging in deceptive practices by failing to honor privacy policy claims that Nations "at all times strives to maintain the confidentiality and integrity of the personal information in its possession and has instituted measures to guard against its unauthorized access" and that it "maintains physical, electronic and procedural safeguards in compliance with federal standards to protect information." In this regard, the FTC further alleged that Nations' failure to provide reasonable and appropriate security to protect consumer information violated the FTC Safeguards Rule that requires financial institutions to take appropriate steps to protect such information, which must include, among other things, accurately disclosing the manner in which the company safeguards the data.

The violations arose, according to the FTC, from a number of practices that, taken together, resulted in a failure to provide reasonable and appropriate information security. These included failure to assess risks to data collected and stored both online and offline; failure to effectuate policies and procedures in areas such as employee screening/training and in collecting, handling, and disposing of personal data; failure to adopt simple, low-cost, readily available defenses to common website attacks or reasonable measures against hackers; failure to employ reasonable measures to detect and respond to unauthorized access; failure to conduct security investigations; and failure to reasonably oversee service providers such as third parties employed to process the personal information and assist in real estate closings. According to the FTC, a hacker exploited these failures by using a common website attack, and a TV station found documents containing sensitive consumer information in the companies' unsecured dumpster.

In addition to prohibiting future misrepresentation of the companies' privacy and security practices and requiring a comprehensive security program subject to regular audit, the settlement also prohibits future violation of the FTC's Disposal Rule, which took effect June 1, 2005, and requires companies to dispose of credit reports and information therefrom in an appropriate manner.
