On December 17 the U.S. Federal Trade Commission (FTC) penalized American United Mortgage Company for discarding its customers' and consumers' personally identifiable information (PII) and financial information in an open, publicly accessible dumpster.
Under the terms of the penalty, American United Mortgage Company must:
* Pay a $50,000 civil penalty
* Implement reasonable policies and procedures requiring the proper disposal of consumers' personal information, including consumer reports and information derived from them
* Take reasonable measures when disposing of consumer information (for example, as the FACTA Disposal Rule describes, burning, pulverizing, or shredding consumer reports or information derived from them) so that it cannot practicably be read or reconstructed
* Perform risk assessments to identify reasonably foreseeable internal and external risks to consumer information
* Develop, implement, and maintain a comprehensive written information security program
* For a five-year period, maintain and make available to the FTC certain documents related to compliance with the order
* Every two years for the next 10 years obtain an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order
It's likely that the work of building a comprehensive information security program that meets the FTC's requirements, along with 10 years of monitoring and auditing, will cost the company far more than the $50,000 penalty itself.
By throwing customer PII into a dumpster without shredding it or otherwise irreversibly destroying it, American United Mortgage Company, according to the ruling, violated:
* The Disposal Rule portion of FACTA (an amendment to FCRA)
* The Privacy Rule portion of GLBA
* The FTC Act
According to the court documents related to the case, “intact American United documents containing consumers’ personal information were found on multiple occasions in and around a dumpster, near its office, that was unsecured and easily accessible to the public.”
In February 2006, hundreds of intact documents were found in open trash bags, among them consumer reports for 36 consumers.
Even though the FTC said it notified the company in writing about the situation in March 2006 and on at least two occasions afterward, American United Mortgage continued these insecure disposal practices.
It's notable that the mortgage company denied throwing the customer PII into the dumpster, even though the documents recovered from the dumpster were used as evidence.
If the mortgage company did have disposal policies and procedures in place, it sounds as though they were poorly communicated, not enforced, and not backed by any training or ongoing awareness effort.
Do you know how your organization is disposing of customer, consumer, and employee PII, on paper and on electronic media alike? Do you have reasonable, enforced policies and procedures in place for information disposal, and do your staff know about them?
Tags: American United Mortgage Company, awareness and training, disposal rule, FACTA, FCRA, FTC, FTC Act, GLBA, Information Security, IT compliance, policies and procedures, privacy, privacy incident, privacy policy, privacy rule, risk management, security awareness, security training