Real Estate Services Company Settles Privacy and Security Charge
May 10, 2006
Company Tossed Consumers' Confidential Information in Dumpster; Company Computers Were Hacked
A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc. (NTA), Nations Holding Company (NHC), and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.
NHC, based in Kansas City, Kansas, is a privately held holding company that provides real estate services in 44 states. Its subsidiary, NTA, provides a variety of services in connection with financing home purchases and refinancing existing home mortgages. Likens is the president and sole owner of NHC and its subsidiaries.
“Careless handling of consumers’ sensitive financial information is an open invitation to identity thieves,” said Deborah Platt Majoras, Chairman of the FTC. “Enforcing the laws designed to protect consumers’ sensitive financial data is a priority at the FTC. This is the thirteenth case challenging faulty data security practices, and we will bring more cases if companies continue to fail consumers.”
According to the FTC’s complaint, NHC, NTA, and Likens routinely obtain sensitive consumer information from banks, real estate brokers, consumers, and public records that include such things as consumer names, Social Security numbers, bank and credit card account numbers, and credit histories. The FTC alleges that they engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to protect the information. Specifically, the FTC charges that they failed to:
- assess risks to the information they collected and stored, both online and offline;
- implement reasonable policies and procedures in key areas such as employee screening and training and the collection, handling, and disposal of personal information;
- implement simple, low-cost, readily available defenses to common Web site attacks or implement reasonable measures to prevent hackers from gaining access to their computer
- employ reasonable measures to detect and respond to unauthorized access to the data or to conduct security investigations; and
- provide reasonable oversight for the handling of personal information by service providers, such as third parties employed to process the information and assist in real estate closings.
According to the complaint, a hacker exploited these failures by using a common Web site attack to gain access to NHC’s computer network. In addition, a Kansas City television station found documents containing sensitive consumer information discarded in NHC’s and NTA’s unsecured dumpster.
The proposed settlement bars misrepresentations about the extent to which NHC, NTA, and Likens protect the privacy, confidentiality, or integrity of any personal information collected from or about consumers. It requires that they establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires them to obtain – every two years for the next 20 years – an audit from a qualified, independent, third-party professional that confirms that their security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions. Finally, the settlement bars future violations of the Safeguards Rule and Privacy Rule, as well as the FTC’s Disposal Rule. The Disposal Rule, which took effect on June 1, 2005, requires companies to dispose of credit reports and information from credit reports in a safe and appropriate manner.