On November 12, 2014, the Federal Trade Commission announced that the District Court for the District of Columbia had entered preliminary injunctions against two debt sellers which, together, had improperly posted personal information of over 70,000 consumers online. The FTC filed complaints seeking permanent injunctions and other equitable relief against Cornerstone and Co., LLC, and Bayview Solutions, LLC, in August and October of this year, respectively. Ultimately, in each of these cases, the court entered injunctions prohibiting the companies from improperly publishing consumers’ personal information and requiring that the companies take steps to provide redress to those consumers harmed by their actions.
Cornerstone and Bayview are debt brokers which engaged in a common practice of publishing information about debt portfolios for sale on websites targeted at the debt-collection industry. Debt brokers commonly use certain websites as marketplaces or clearing houses to advertise portfolios of debt that are for sale by publishing summary information about the debt to be purchased. Usually, the information posted is fairly general, such as the type of debt, the number of individual debts in the portfolio, the total face value of the debt, and the number of collection agencies that have previously attempted collection. Additionally, some sellers post sample portions of the portfolios, making sure to mask or redact consumers’ personal information. While these websites are targeted at the debt collection industry, both Cornerstone and Bayview utilized websites that enabled visitors to view the debt portfolios for sale, including the samples provided by sellers, without having to register or sign in to the site. Therefore, the websites were widely open to the public at large.
The FTC alleges that Cornerstone and Bayview engaged in the practice of providing samples of portfolios that were for sale, but failed to properly protect consumers’ information in that process. Cornerstone and Bayview were charged with posting unencrypted, unprotected Excel spreadsheets to websites that were publically accessible. These spreadsheets contained specific information about individual consumers’ debt, and further included information such as consumers’ names, dates of birth, email addresses, the name(s) of their employer(s), full bank account numbers and bank routing numbers, and driver’s license information The website traffic counters show that these samples have been accessed hundreds of times by visitors and the FTC argues that affected consumers had no reasonable ability to protect themselves from resulting harm because they likely had no knowledge that Cornerstone and Bayview held their personal information, let alone were publishing it.
The preliminary injunctions issued by the court in these instances enjoined Cornerstone and Bayview from disclosing or using protected consumer information without reasonable safeguards in place. Cornerstone and Bayview, and any persons in active concert with them, are further prohibited from disclosing or profiting from any protected consumer information that had been disclosed prior to the order without proper safeguards, and must disable public Internet access to this information while simultaneously preserving it. Additionally, Cornerstone and Bayview are required under the terms of the injunctions to provide notification to each individual consumer whose information had been improperly disclosed (which, again, totals over 70,000 consumers between the two companies).
With respect to Bayview, the injunction was entered in the form of a stipulation, which disclaimed any admission of wrongdoing or violation of law and recognized that there was no finding of fact or law by the court beyond a notice of the FTC’s assertions and that the preliminary injunction is in the public interest. With respect to Cornerstone, however, no such stipulation was entered, and the court issued the injunction, noting that it is in the public interest, based upon the equities and the FTC’s likelihood of success on the merits.
These injunctions highlight the FTC’s continued focus on consumer debt collection and the information shared and utilized in that debt collection process. However, the importance of these injunctions is not limited to debt brokers and collectors. Any company attempting to buy or sell debt should take notice of these recent decisions, and recognize that the FTC is carefully monitoring this area.
Another mistake that Cornerstone and Bayview made is quite common and involves failing to utilize a secure web portal when handling consumers’ information. Agencies have identified this practice as problematic and have initiated actions to curtail it. For example, in October, the Federal Communications Commission announced plans to pursue $10 million in fines against two telecommunications companies charged with failure to protect consumers’ personal information which was stored on a third party’s server and was publicly accessible from the Internet (more information available here). Additionally, the Department of Health and Human Services entered into resolution agreements totaling $4.8 million over a similar issue (more information available here). If companies currently participating in similar practices fail to course correct, they can expect further such actions to be initiated.
Therefore, when buying, selling, storing or otherwise handling consumers’ personal information via web portals, companies must take steps to secure those portals from being searched, or generally seen, on the Internet without restriction. A company failing to take these steps might find itself in the FTC’s crosshairs.