FTC Consent Decree Alleges Mortgage Lender Failed to Ensure the Protection of Consumer Information Provided to a Third Party
By: David A. Tallman
A recent Federal Trade Commission (“FTC”) action highlights the need for renewed focus, particularly by mortgage lenders, on the protection of borrowers’ personal financial information, including information made available to strategic partners. On December 16, 2008, the FTC issued a final consent decree against a mortgage lender, Premier Capital Lending, Inc., alleging that the lender failed to adequately protect the non-public personal financial information of borrowers that it had provided to a third party. The FTC claimed that by permitting a strategic partner to access consumer credit reports without verifying the third party's data security policies and procedures, the lender failed to comply with the FTC's Safeguards Rule. The FTC also alleged that the lender committed a deceptive act in violation of the FTC Act, because boilerplate language in its privacy policy contained "false or misleading" statements regarding its information security practices.
The consent decree concerned a company that finances the acquisition of manufactured homes. In March 2006, the lender permitted the principal of a manufactured home seller to use a company log-in to obtain consumer reports for prospective home purchasers who could be referred to the company for mortgage financing. The manufactured home seller obtained credit reports on eighty-three consumers using these credentials. In July 2006, an unauthorized person hacked into the manufactured home seller’s computer. The hacker used the log-in credentials to obtain over three hundred new consumer reports on individuals who were not customers of either the lender or the manufactured home seller. The hacker was also able to access all of the eighty-three consumer reports that the seller had legitimately obtained. While the lender promptly notified the three hundred non-customers of the data security breach, it allegedly did not realize that the hacker had accessed the eighty-three additional consumer reports until more than a year later. These customers were not notified of the breach until September 2007.
According to the FTC, the lender failed to maintain reasonable and appropriate information security procedures. Among other allegations, the FTC claimed that the lender never visited the seller’s workplace, performed a security audit on the seller’s computer network, or assessed the seller’s data security policies. Further, the FTC alleged that the lender never reviewed its own account for obvious signs of unauthorized activity, such as an unusual number of consumer report requests or blatant irregularities in the information used to make the requests. The FTC also claimed that after the breach occurred, the lender failed to maintain adequate procedures to assess the full scope and nature of the data security breach.
In the current market environment, financial institutions are increasingly permitting third parties to access borrower information in order to provide loss mitigation services, offer refinancing opportunities to distressed borrowers, track loan portfolio performance, or explore new business opportunities. The settlement suggests that the FTC may continue to aggressively enforce the financial privacy protections contained in Title V of the Gramm-Leach-Bliley Act against lenders and other financial institutions. Mortgage lenders and servicers should consider developing and implementing information security programs that include robust auditing and oversight, both internally and with respect to strategic partners and third-party service providers.
For more information, please see: http://www.klgates.com/newsstand/Detail.aspx?publication=5226. Copies of the consent decree and related documents are available from the FTC at: http://www.ftc.gov/os/caselist/0723004/index.shtm.