Mortgage Company Settles Information Security Charges
December 6, 2005
FTC Alleges Customer Data Was Not Secure
Superior Mortgage Corp., a lender with 40 branch offices in 10 states and multiple Web sites, has agreed to settle Federal Trade Commission charges that it violated federal law by failing to provide reasonable security for sensitive customer data and falsely claiming that it encrypted data submitted online. The settlement bars future deceptive claims and requires the company to establish data security procedures that will be reviewed by independent third-party auditors for 10 years.
The FTC’s Safeguards Rule, enacted under the Gramm-Leach-Bliley Act, requires financial institutions, including lenders like Superior, to implement reasonable policies and procedures to ensure the security and confidentiality of sensitive customer information. Superior maintained customers’ Social Security numbers, credit histories, and credit card numbers, among other sensitive information. The FTC complaint alleges that Superior violated the Safeguards Rule because it:
- Failed to assess risks to its customer information until more than a year after the Safeguards Rule took effect;
- Failed to implement appropriate password policies to limit access to company systems and documents containing sensitive customer information;
- Did not encrypt or otherwise protect sensitive customer information before sending it by e-mail; and
- Failed to ensure that its service providers were providing appropriate security for customer information and addressing known security risks in a timely manner.
The FTC also alleged that despite Superior’s claims that sensitive personal information collected at its www.supmort.com Web site was encrypted using secure socket layer technology, the information was only encrypted while it was being transmitted between a visitor’s web browser and the Web site’s server. Once the information was received at the Web site, it was decrypted and e-mailed to Superior’s headquarters and branch offices in clear, readable text. The agency alleged that these claims were deceptive and violated the FTC Act.
The settlement bars Superior from misrepresenting the extent to which it maintains and protects the privacy, confidentiality, or security of any personal information collected from or about consumers, and prohibits violations of the Safeguards Rule. The settlement also requires that Superior hire an independent, third-party auditor to assess its security procedures every two years for the next 10 years, and to certify that these procedures meet or exceed the protections required by the Safeguards Rule. The settlement also contains certain record keeping requirements to allow the FTC to monitor compliance.
Superior Mortgage Corp. is based in Tuckerton, New Jersey. It has offices in New Jersey, Pennsylvania, Florida, Virginia, Maryland, North Carolina, Connecticut, Indiana, and Delaware.
The Commission vote to accept the consent agreement was 4-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through October 27, 2005, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC requests that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.