A real estate title company that allegedly promised consumers it maintained "physical, electronic and procedural safeguards" of their personal financial information, but tossed their home loan applications in an open dumpster, has agreed to settle Federal Trade Commission charges that its procedures for handling this information violated federal laws.
The settlement with Nations Title Agency, Inc., Nations Holding Co. and Christopher M. Likens bars deceptive claims about privacy and security policies and requires that they implement a comprehensive information security program and obtain audits by an independent security professional every other year for 20 years. NHC, Kansas City, KS, is a privately held holding company that provides real estate services in 44 states. Its subsidiary, NTA, provides a variety of home financing services. Likens is the president and sole owner of NHC and its subsidiaries.
According to the FTC’s complaint, NHC, NTA, and Likens routinely obtained consumer names, Social Security numbers, bank and credit card account numbers and credit histories from banks, real estate brokers and public records.
Specifically, the FTC charges that they failed to:
* Assess risks to the online and offline information they collected and stored.
* Implement reasonable policies and procedures for screening and training employees in the collection, handling, and disposal of personal information.
* Implement readily available defenses to common Web site attacks or implement reasonable measures to prevent hackers from gaining access to their computer network.
* Employ reasonable measures to detect and respond to unauthorized access to the data or to conduct security investigations.
* Provide reasonable oversight for the handling of personal information by service providers.
According to the complaint, a computer hacker exploited these failures and gained access to NHC’s computer network. In addition, a local television station found documents containing sensitive consumer information discarded in NHC’s and NTA’s unsecured dumpster.
The FTC alleged that NHC, NTA and Likens made security claims in their privacy policies. For example, NTA’s privacy policy claimed: “NTA, at all times, strives to maintain the confidentiality and integrity of the personal information in its possession and has instituted measures to guard against its unauthorized access. We maintain physical, electronic and procedural safeguards in compliance with federal standards to protect the information.”
The FTC further charged that the failure to provide reasonable and appropriate security to protect the information violates the agency’s Safeguards Rule, which requires financial institutions to take appropriate measures to protect customer information.
The complaint also alleged that NTA’s privacy policy claims are deceptive because of these failures, in violation of the FTC’s Privacy Rule and the FTC Act. The Privacy Rule, among other things, requires financial institutions to disclose accurately the manner in which they safeguard customer information. The FTC Act prohibits unfair or deceptive practices.
