December 18, 2007
A mortgage company that left loan documents with consumers’ sensitive personal and financial information in and around an unsecured dumpster has agreed to settle Federal Trade Commission charges that it violated federal regulations. The FTC’s complaint alleges that Northbrook, Illinois-based American United Mortgage Company violated the Disposal, Safeguards, and Privacy rules by failing to properly dispose of credit reports or information taken from credit reports, failing to develop or implement reasonable safeguards to protect customer information, and not providing customers with privacy notices.
“Every business, whether large or small, must take reasonable and appropriate measures to protect sensitive consumer information, from acquisition to disposal,” FTC Chairman Deborah Platt Majoras said. “This agency will continue to prosecute companies that fail to fulfill their legal responsibility to protect consumers’ personal information.”
According to the FTC’s complaint, American United collects personal information about consumers, including Social Security numbers, bank and credit card account numbers, income and credit histories, and consumer reports. Since at least December 2005, the company engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for consumers’ personal information. Among other things, the company allegedly failed to implement reasonable policies and procedures requiring the proper disposal of consumers’ personal information, including consumer reports; to take reasonable actions in disposing of such information; and to identify reasonably foreseeable internal and external risks to consumer information. The company also allegedly failed to develop, implement, or maintain a comprehensive written information security program.
As a result of the company’s failures, the complaint alleges, on multiple occasions American United documents containing consumers’ personal information were found in and around a dumpster, near its office, that was unsecured and easily accessible to the public. In February 2006, for example, hundreds of such documents were found, many in open trash bags, including consumer reports for 36 consumers. In March 2006, FTC staff notified the company in writing about this situation, and on at least two occasions afterward, more such documents were found in and around the same dumpster.
The complaint charges American United Mortgage Company with violating the FTC’s Disposal Rule, which requires companies to dispose of credit reports and information from credit reports in a safe and appropriate manner, and the FTC’s Safeguards Rule, which requires financial institutions to take appropriate measures to protect customer information. The complaint also alleges that from July 1, 2001 until March 2006, the company failed to provide its customers with a privacy notice describing its information collection and sharing practices with respect to affiliated and non-affiliated third parties, as required by the FTC’s Privacy Rule.
The stipulated judgment and final order requires American United to pay a $50,000 civil penalty for violations of the Disposal Rule and prohibits the company from further violations of the Disposal, Safeguards, and Privacy rules. The settlement also requires American United to obtain, every two years for the next 10 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order.
This is the FTC’s first Disposal Rule case and its 15th case challenging faulty data security practices by companies that handle sensitive consumer information.