The Federal Trade Commission (“FTC”) has settled a complaint against consumer debt broker Bayview Solutions, LLC, as well as its principal, Aron Tomko, based on allegations that they had publicly disclosed the personal financial information of over 28,000 consumers. The suit, filed October 31, 2014 in the U.S. District Court for the District of Columbia, had sought preliminary and permanent injunctions, rescission of applicable contracts as well as equitable monetary remedies.
The FTC’s complaint alleged that Bayview is a debt broker dealing in charged-off consumer debt portfolios for sale to third-party debt collectors. Because the value of consumer debt is a function of its perceived collectability, brokers and buyers alike place a premium on verified information concerning the underlying debts. Although this information typically is redacted prior to sale to remove individual identifiers, the FTC alleged that the defendants listed portfolios on third-party websites in the form of unencrypted, unprotected spreadsheets that included consumers’ first names, dates of birth, email addresses, bank account information, driver’s license information and other sensitive information. The FTC further alleged that this and other information was made available to any visitor to the third-party website, whether or not the visitor had registered for an account with the website.
The settlement takes the form of a stipulated preliminary injunction, which requires among other things that the settling defendants cease for thirty days to benefit from the personal information they disclosed and notify affected consumers of the disclosure of their information.
The FTC’s complaint alleged that these actions violated Section 5(a) of the Federal Trade Commission Act, which forbids “unfair or deceptive acts or practices in or affecting commerce.” This enforcement action is the latest in which FTC acts in furtherance of what it sees as its broad statutory authority against those it alleges are responsible for consumer data breaches online. The FTC’s complaint noted that the defendants could have avoided the enforcement action by redacting, encrypting, or privately and securely transmitting the data rather than posting it publicly.