FTC smacks company with $50,000 fine for throwing customer information in trash

A mortgage company that left loan documents containing consumers’ sensitive personal and financial information in and around a dumpster today agreed that it had violated Federal Trade Commission information protection statutes and said it would pay $50,000 in civil penalties.

Specifically the FTC said the American United Mortgage Company violated the Disposal, Safeguards, and Privacy rules by failing to properly dispose of credit reports or information taken from credit reports, failing to develop or implement reasonable safeguards to protect customer information, and not providing customers with privacy notices. The Disposal Rule requires companies to dispose of credit reports and information from credit reports in a safe and appropriate manner, according to the FTC. The Safeguards Rule requires financial institutions to take appropriate measures to protect customer information.

The complaint also alleges the company failed to provide its customers with a privacy notice describing its information collection and sharing practices with respect to affiliated and non-affiliated third parties, as required by the FTC’s Privacy Rule.

The agreement gave the FTC its first victory in a Disposal Rule case and its 15th case challenging faulty data security practices by companies that handle sensitive consumer information, the FTC said in a statement.

According to the FTC’s complaint, American United collects personal information about consumers, including Social Security numbers, bank and credit card account numbers, income and credit histories, and consumer reports. Since at least December 2005, the company engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for consumers’ personal information, the FTC said.

Among other things, the company allegedly failed to implement reasonable policies and procedures requiring the proper disposal of consumers’ personal information, including consumer reports; to take reasonable actions in disposing of such information; and to identify reasonably foreseeable internal and external risks to consumer information. The company also allegedly failed to develop, implement, or maintain a comprehensive written information security program, the FTC said.

As a result of the company’s failures, the complaint alleges, on multiple occasions American United documents containing consumers’ personal information were found in and around a dumpster, near its office, that was unsecured and easily accessible to the public. In February 2006, for example, hundreds of such documents were found, many in open trash bags, including consumer reports for 36 consumers.

The settlement again highlights the need for companies to comply with security and privacy statutes. A recent survey of 827 security and privacy professionals in North America found that 66% said they were aware of six to 20 “privacy incidents” in their organizations during the past year in which personally identifiable information was mishandled or exposed.

In addition, 85% of the respondents said there was at least one significant data breach that required notification in the last 12 months. That’s according to the “Enterprise@Risk: 2007 Privacy and Data Protection Survey,” which was conducted by Deloitte & Touche and Ponemon Institute. The sheer volume of incidents, large and small, has security and privacy professionals complaining that they spend too much of their time on incident-response activities such as notification and remediation rather than on root-cause analysis and employee training.


Copyright © 2007 IDG Communications, Inc.