Below is a good example of why organizations need to review the information security and privacy programs of their third parties (vendors, outsourcers, business partners, etc.). If your business leaders don’t think they need to ensure third-party security, show them this one sentence from the FTC: “The lender made the data vulnerable, the complaint alleges, by allowing a third-party home seller to access the data without taking reasonable steps to protect it.”
“Mortgage Company Settles Data Security Charges: Data Breach Compromised Privacy of Hundreds of Consumers”
“A Texas-based mortgage lender has settled Federal Trade Commission charges that it violated federal law by failing to provide reasonable security to protect sensitive customer data. The lender made the data vulnerable, the complaint alleges, by allowing a third-party home seller to access the data without taking reasonable steps to protect it. A hacker compromised the data by breaking into the home seller’s computer, obtaining the lender’s credentials, and using them to access hundreds of consumer reports.
According to the FTC’s complaint, Premier Capital Lending, Inc. (Premier) violated the FTC’s Safeguards and Privacy Rules, as well as Section 5 of the FTC Act. The proposed settlement bars deceptive claims about privacy and security, and requires the company to establish a comprehensive information security program and hire an independent third-party security professional to review the program every other year for 20 years.
The FTC’s Safeguards Rule, enacted under the Gramm-Leach-Bliley Act, requires financial institutions, including lenders like Premier, to implement reasonable policies and procedures to ensure the security and confidentiality of sensitive customer information. Premier routinely obtains credit reports from consumer reporting agencies that contain sensitive personal information about customers and potential customers. The FTC complaint alleges that Premier violated the Safeguards Rule because it:
- allowed a home seller to use its account for accessing credit reports in order to refer purchasers for financing without taking reasonable steps to verify the seller’s procedures to handle, store, or dispose of sensitive personal information;
- failed to assess the risks of allowing a third party to access credit reports through its account;
- failed to conduct reasonable reviews of credit report requests made on its account by using readily available information (such as management reports and invoices) to detect signs of unauthorized activity; and
- failed to assess the full scope of credit report information stored and accessible through its account and thus compromised by the hacker.
According to the FTC, a hacker exploited Premier’s failures by breaching the seller’s computer, obtaining Premier’s user name and password, and using these credentials to obtain at least 400 credit reports through Premier’s account.
The FTC complaint also alleges that Premier violated Section 5 of the FTC Act and the Privacy Rule by failing to live up to its own privacy policy, which claimed: “We take our responsibility to protect the privacy and confidentiality of customer information very seriously. We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction. Our control policies, for example, authorize access to customer information only by individuals who need access to do their work.”
The complaint against the Arlington, Texas-based Premier – which specializes in loans for consumers to purchase manufactured homes and the lots they occupy – also names Premier co-owner Debra Stiles as a respondent in this case. She has agreed to the terms of the proposed settlement.
The Commission vote to accept the proposed consent agreement was 4-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through December 5, 2008, after which the Commission will decide whether to make it final.
Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
Copies of the complaint, proposed consent agreement, and an analysis of the agreement to aid in public comment are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.”
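The FTC’s third bullet above faults Premier for not reviewing the credit report requests on its account against readily available information (management reports, invoices) to spot unauthorized activity. The script below is an added example of what that review can look like in practice; it is not code from the FTC, from Premier, or from the original post. It assumes a bureau management report can be reduced to rows of (date, login, subject) and that the lender keeps a list of people who actually applied for financing; the pull records and application list are constructed for illustration, as are the threshold values.

```python
"""Reconcile credit-report pulls on a lender's bureau account against the
lender's own application records, and flag volume spikes.

Added example. The sample data below is constructed for illustration and
the thresholds (factor, floor) are assumptions, not regulatory values.
"""
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample: what a bureau management report or invoice for the
# account might list. Normal activity is one pull a day, then one day shows
# a burst of pulls, mostly for people the lender never took an application from.
PULLS = [
    {"date": date(2008, 3, 3), "login": "premier-main", "subject": "A. Alvarez"},
    {"date": date(2008, 3, 4), "login": "premier-main", "subject": "B. Brown"},
    {"date": date(2008, 3, 5), "login": "premier-main", "subject": "C. Chen"},
    {"date": date(2008, 3, 6), "login": "premier-main", "subject": "D. Diaz"},
    {"date": date(2008, 3, 7), "login": "premier-main", "subject": "E. Evans"},
    {"date": date(2008, 3, 7), "login": "premier-main", "subject": "F. Ford"},
    {"date": date(2008, 3, 7), "login": "premier-main", "subject": "G. Grant"},
    {"date": date(2008, 3, 7), "login": "premier-main", "subject": "H. Hale"},
    {"date": date(2008, 3, 7), "login": "premier-main", "subject": "I. Ito"},
    {"date": date(2008, 3, 7), "login": "premier-main", "subject": "J. Jones"},
    {"date": date(2008, 3, 7), "login": "premier-main", "subject": "K. Kim"},
    {"date": date(2008, 3, 7), "login": "premier-main", "subject": "L. Lee"},
]

# Constructed sample: subjects for whom the lender has a loan application on file.
APPLICATIONS = {"A. Alvarez", "B. Brown", "C. Chen", "D. Diaz", "G. Grant"}


def unmatched_pulls(pulls, applications):
    """Pulls whose subject has no corresponding application on file.

    Every such pull is a report the lender paid for but cannot tie to its own
    business, which is exactly what a hijacked account produces.
    """
    return [p for p in pulls if p["subject"] not in applications]


def volume_spikes(pulls, factor=3.0, floor=5):
    """Days whose pull count is at least `floor` and more than `factor` times
    the median daily count. The floor keeps a quiet account from alerting on
    two pulls in one day; both values are assumed thresholds."""
    per_day = Counter(p["date"] for p in pulls)
    baseline = median(per_day.values())
    return sorted(d for d, n in per_day.items() if n >= floor and n > factor * baseline)


def review(pulls, applications):
    """Run both checks and return the findings a reviewer would act on."""
    return {
        "unmatched": unmatched_pulls(pulls, applications),
        "spike_days": volume_spikes(pulls),
    }


if __name__ == "__main__":
    findings = review(PULLS, APPLICATIONS)
    for p in findings["unmatched"]:
        print(f"no application on file: {p['date']} {p['login']} {p['subject']}")
    for d in findings["spike_days"]:
        print(f"volume spike on {d}")
```

On the sample data this flags the seven pulls with no matching application and the one day whose volume jumps well above the account’s baseline. The point is not the thresholds but that the lender already had every input needed for this check in its own files and in the paperwork the bureau sent it; a monthly reconciliation of this kind would have surfaced hundreds of unexplained reports long before the FTC did.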
Tags: awareness and training, FTC, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, third party security