A California-based mortgage broker will pay $120,000 to settle Federal Trade Commission allegations that it violated the Fair Credit Reporting Act and other laws by revealing personal information about consumers in response to negative reviews posted on the review website Yelp.
In a complaint filed by the Department of Justice on behalf of the Commission, the FTC alleges that Mortgage Solutions FCS, Inc. (doing business as Mount Diablo Lending) and its sole owner, Ramon Walker, responded to consumers who posted negative reviews on Yelp by revealing their credit histories, debt-to-income ratios, taxes, health, sources of income, family relationships, and other personal information. Several responses also revealed reviewers’ first and last names, according to the complaint.
For example, in response to one negative Yelp review, Walker wrote on behalf of the company: “Your credit report shows 4 late payments from the Capital One account, 1 late from Comenity Bank which is Pier 1, another late from Credit First Bank, 3 late payments from an account named SanMateo. Not to mention the mortgage lates. All of these late payments are having an enormous negative impact on your credit score.”
“Companies that use credit reports and scores have a legal obligation to keep that information confidential,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “They should not disclose that information to third parties without a legitimate reason to do so, and they certainly should not post that information on the Internet to embarrass or punish consumers, as happened here.”
The FTC alleges that Walker and Mount Diablo also violated the FTC Act and the Gramm-Leach-Bliley Act, including by failing to implement an information security program until September 2017 and by not subsequently testing the program.
As part of the settlement, Walker and Mount Diablo will pay a $120,000 penalty for violating the FCRA. In addition, they are prohibited from misrepresenting their privacy and data security practices, misusing credit reports, and improperly disclosing personal information to third parties.
Mount Diablo must also implement a comprehensive data security program designed to protect the personal information it collects and obtain third-party assessments of its information security program every two years. The company must designate a senior corporate manager responsible for overseeing the information security program to certify compliance with the order every year.
The Commission vote to authorize the staff to refer the complaint to the DOJ and to approve the stipulated final order was 5-0. The DOJ filed the complaint and stipulated order on behalf of the Commission in the U.S. District Court for the Northern District of California. NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.