The Federal Trade Commission (FTC) released proposed administrative settlements with three credit report data aggregators on February 3, 2011. In a press release, the FTC alleges that the data aggregators allowed clients to access consumers’ credit reports without basic security measures, such as firewalls and updated antivirus software. The FTC further alleges that this lack of basic security measures allowed hackers to access more than 1,800 credit reports without authorization via the clients’ computer networks. The FTC also alleges that, after becoming aware of the breaches, the data aggregators did not take any steps to add security measures.
The proposed consent orders bar the respondents from violating the Safeguards Rule and require them to:
- have comprehensive information security programs designed to protect the security, confidentiality, and integrity of consumers’ personal information, including information accessible to clients;
- obtain independent audits of their security programs, every other year for 20 years;
- furnish credit reports only to those with a permissible purpose; and
- maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.
According to David Vladeck, Director of the FTC's Bureau of Consumer Protection, these cases should send other companies a message that adequate security measures must be taken in order to protect a consumer's information.