The Federal Trade Commission reached a proposed settlement with three credit report resellers over what the agency said were lax security practices, resulting in hackers accessing the credit reports of more than 1,800 people.

Under the terms of the proposed settlement, all three companies must create a comprehensive security program and undergo independent audits every other year for 20 years. The FTC charged SettlementOne Credit Corporation (and its parent company, Sackett National Holdings, Inc.), ACRAnet Inc., and Fajilan and Associates Inc. (and its owner, Robert Fajilan) with violating the Fair Credit Reporting Act, the FTC Act, and the Gramm-Leach-Bliley Safeguards Rule.

The FTC alleged the companies purchased credit reports from Equifax, Experian, and TransUnion and combined them into “trimerge reports” that they then sold to parties interested in determining a consumer’s eligibility for credit (like mortgage brokers).

But because the companies lacked adequate information security policies and procedures – for example, they did not require end-user clients to submit documentation showing that their systems were virus-free or otherwise properly protected – they allowed clients to access reports without even basic security measures in place, according to the complaint.

According to the FTC, clients that lacked firewalls or up-to-date antivirus software gave hackers a way to access more than 1,800 credit reports without authorization between October 2006 and June 2008, and even after learning of the security breaches, the three companies did not make reasonable efforts to improve their security.

Under the proposed settlement, the resellers agreed to establish comprehensive information security programs intended to protect consumers’ personal information and to establish procedures to ensure that credit reports are given only to those with a “permissible purpose,” pursuant to the FCRA. The companies would also be subject to independent audits every other year for 20 years, and must designate an employee to administer the security program. Public comment on the proposed settlement will be open for 30 days, ending March 7, 2011.


Why it matters: The FTC said this was the agency’s first action against credit report resellers for data security failures, and part of the agency’s ongoing campaign to protect consumers’ personal information. In a statement accompanying the Commission’s unanimous vote to accept the proposed settlement agreement, Commissioner Julie Brill (joined by Chairman Jon Leibowitz and Commissioners J. Thomas Rosch and Edith Ramirez) said that “in the future we will call for imposition of civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligations to protect information contained in consumer reports, as required by the Fair Credit Reporting Act. . . . Looking forward, the actions we announce today should put resellers – indeed, all of those in the chain of handling consumer data – on notice of the seriousness with which we view their legal obligations to proactively protect consumers’ data.”