Today the FTC issued a consent order against mortgage lender James B. Nutter & Company for GLBA Privacy Rule and Safeguards Rule violations resulting from having an inadequte information security program and safeguards. The requirements will result in, among other actions, 20 years of ongoing activities by James B. Nutter & Company; much more costly than it would have been to have established appropriate information security safeguards to begin with…
See the press release about this at: http://www.ftc.gov/opa/2009/06/p2pnutter.shtm
See the complaint at: http://www.ftc.gov/opa/2009/06/p2pnutter.shtm
You can see the consent order at: http://www.ftc.gov/os/caselist/0723108/090616nutterdo.pdf
Of particular note:
6. Since at least September 1, 2004 until at least November 2008, respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information. In particular, respondent:
(1) did not develop, implement, and maintain a comprehensive written information security program;
(2) did not implement reasonable policies and procedures in areas such as employee training in safeguarding personal information;
(3) stored personal information in clear readable text on its computer network, creating an unnecessary risk to the information;
(4) did not employ sufficient measures to prevent or detect unauthorized access to personal information on its computer network or to conduct security investigations, such as monitoring and controlling connections between the network and the internet or regularly reviewing activity on the network;
(5) did not assess risks to the personal information it collected and stored on its computer network and in paper files; and
(6) provided back-up tapes containing personal information in clear readable text to a third-party service provider but did not require the service provider by contract to protect the security and confidentiality of the information.
As a result, an intruder was able to direct respondent’s computer network to send millions of outgoing spam emails without its knowledge, and could have accessed personal information without authorization.
7. Respondent began providing privacy notices to customers in 2004. The notices it provided: (1) did not set out respondent’s security practices; (2) did not accurately inform customers that respondent disclosed customer information to third parties, such as credit reporting agencies; and (3) informed customers that they had 30 days in which to exercise their opt-out rights, even though the Privacy Rule provides that they can opt out at any time during the course of their loans.
A comprehensive information security program, based upon each organization’s unique risks addressed through applicable compliance requirements and any other essential additional safeguards, is absolutely necessary to preserve the privacy of personally identifiable information (PII). Cutting back on information security costs to try and save money will end up costing much more in the long run from resulting information security incidents, privacy breaches and non-compliance sanctions.
It is critical that the privacy compliance and legal areas work with the information security and IT areas to ensure an effective and comprehensive information security program is in place.
This case is a good one to show to executives to demonstrate long-term consequences of not implementing a strong information security program.
This particular sanction is also good to use as a case study in your information security and privacy training.
Tags: awareness and training, GLBA, Gramm Leach Bliley Act, Information Security, IT compliance, IT training, policies and procedures, privacy rule, privacy training, risk management, Safeguards Rule, security training