Three companies that engage in the business of reselling consumers’ credit reports recently agreed to settle charges brought by the FTC alleging that they did not take reasonable steps to protect consumers’ personal information, failures that allegedly resulted in computer hackers accessing the consumers’ personal data. The FTC’s complaints allege that the companies allowed third parties that lacked basic security measures (such as firewalls and antivirus software) to access the companies’ credit reports. The FTC further alleged that the third parties’ lack of such security measures helped allow hackers to gain access to more than 1,800 credit reports. The FTC also alleged that the companies did not make reasonable efforts to protect against future breaches. The complaint alleged that the companies’ failure to adequately protect consumer information constituted a violation of the Fair Credit Reporting Act, the FTC Act, and the Gramm-Leach-Bliley Safeguards Rule. The consent order requires the companies to have comprehensive information security programs designed to protect consumers’ personal information, including information accessible to clients, to submit to audits every other year for 20 years, and to maintain procedures to limit the furnishing of credit reports to those with a permissible purpose.
TIP: Ensure that your data security measures account not only for the internal use and storage of consumer information, but also for the third parties who may be permitted access to your website, servers, or files. Take steps to check that third parties’ security measures won’t put your data at risk.