The Federal Trade Commission (FTC) recently settled two cases against two debt brokers, Cornerstone and Company, LLC and Bayview Solutions, LLC, for allegedly disclosing thousands of consumers’ sensitive personal information on a website where debt brokers buy and sell debt portfolios.
The complaints state that the defendants used websites to post information about their debt portfolios to prospective debt buyers. The websites are public and readily accessible to anyone with internet access, and users are able to mask or redact certain information from the portfolios. However, the defendants allegedly disclosed unencrypted, unmasked, and unprotected personal information, including consumers’ first or last name, date of birth, address, telephone numbers, employer name, consumers’ banks and bank account numbers, and routing numbers that belonged to over 28,000 consumers in Bayview’s case and over 40,600 consumers in Cornerstone’s case.
The FTC alleged that such disclosures violated Section 5(a) of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices. The FTC argued that the defendants could have redacted such information before posting the portfolios at virtually no cost to avoid such disclosures. The FTC further argued that such disclosures placed these consumers at risk of identity theft, fraud, invasion of privacy, and job losses.
The settlement, among other things, requires the defendants to establish an information security program that protects consumers’ personal information. The defendants must also within several months of the settlement and every two years for the next 20 years use an independent and certified third party to evaluate the security program.
TIP: These settlements are a reminder that the FTC will not hesitate to use Section 5 as a basis for finding companies responsible for data breach or data security violations. With this in mind, companies should ensure that they have taken appropriate steps to protect consumers’ personal information.