On May 5, 2009, the Federal Trade Commission (FTC) announced that it had entered into an agreement containing a consent order with James B. Nutter & Company (JBN) to settle allegations that the company failed to protect its mortgage loan customers’ personal information. The FTC’s complaint alleged that the company violated the FTC Safeguards Rule and the FTC Privacy Rule, both of which were issued pursuant to the Gramm-Leach-Bliley Act.
Under the Safeguards Rule, financial institutions have an obligation to employ a “comprehensive information security program” with reasonable and appropriate “administrative, technical, and physical safeguards” to protect customer information.
The FTC alleged that JBN failed to:
- develop, implement, and maintain any comprehensive information security program;
- engage in privacy and security risk assessment;
- design and implement safeguards as part of its risk management;
- react to known or identified risks, such as storing customer personal information in clear readable text; and
- contractually require third parties to safeguard customer information.
Under the Privacy Rule, financial institutions must provide their customers with an annual privacy notice that, among other elements, describes the institution’s disclosures, security practices, and customers’ opt-out rights. The FTC alleged that JBN’s privacy notice failed to:
- identify its security practices;
- accurately describe the company’s disclosures to third parties; and
- inform customers of their opt-out rights under law. The Privacy Rule provides individuals the right to opt out at any time, whereas the company’s privacy notice indicated customers had only 30 days in which to opt out.
The complaint alleged minimal consumer harm, referring only to JBN’s use of its network to send spam e-mail and a risk of unauthorized access to customers’ personal information.
In settling, JBN accepted the FTC’s jurisdiction and waived any rights to contest the consent order, but did not admit to any wrongdoing. The company agreed to remedy the shortcomings alleged in the FTC’s complaint through measures such as:
- establishing a comprehensive information security program;
- undergoing independent biennial audits for the next 10 years; and
- complying with the Safeguards Rule and Privacy Rule in the future.
The settlement did not include any fine. The proposed consent order is open to public comment until June 8, 2009, before it can be finalized.
Mortgage Company Settles with FTC for GLB and Section 5 Violations Privacy Briefing, Issue 6 (November 2008)