The Federal Trade Commission has charged two mortgage companies with violating the agency’s Gramm-Leach-Bliley (GLB) Safeguards Rule by not having reasonable protections for customers’ sensitive personal and financial information.

The FTC filed an administrative action against Nationwide Mortgage Group Inc. (Nationwide) and its president John D. Eubank, alleging that the Fairfax, Va.-based mortgage broker failed to implement safeguards to protect its customers’ names, social security numbers, credit histories, bank account numbers, income tax returns, and other sensitive financial information.

Clearwater, Fla.-based Sunbelt Lending Services, a subsidiary of Cendant Mortgage Corp., has agreed to settle similar charges, according to the FTC.

Chris Cope, president of Sunbelt Lending Services, said the FTC complaint stems primarily from a seldom-accessed lead generation program that was formerly available through the company’s Web site, but not addressed by the company prior to the May 23, 2003 implementation date of the Safeguards Act. 

“Sunbelt is currently in full compliance with the FTC’s Safeguards Act for privacy policy and security safeguards,” Cope said. “To date, neither Sunbelt nor the FTC has any evidence that any customer information was compromised in any way.”

 

The settlement with Sunbelt will bar future violations of the Safeguards Rule and require biannual audits of Sunbelt’s information security program by a qualified, independent professional for 10 years. These are the FTC’s first cases enforcing the Safeguards Rule.  

The Safeguards Rule, which implements the security requirements of the GLB Act, requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information. The Rule requires financial institutions to implement a written information security program that is appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its program, each financial institution must also: (1) assign one or more employees to oversee the program; (2) conduct a risk assessment; (3) put safeguards in place to control the risks identified in the assessment and regularly test and monitor them; (4) require service providers, by written contract, to protect customers’ personal information; and (5) periodically update its security program.

The FTC targeted Nationwide and Sunbelt as part of a nationwide sweep of automobile dealers and mortgage companies to assess compliance with the Rule. Although the sweep showed compliance by many of the companies targeted, it also showed significant failures to comply by Nationwide and Sunbelt.

According to the FTC’s complaints, both companies allegedly failed to comply with the Rule’s basic requirements, including that they assess the risks to sensitive customer information and implement safeguards to control these risks. In addition, Nationwide allegedly failed to train its employees on information security issues; oversee its loan officers’ handling of customer information; and monitor its computer network for vulnerabilities. Sunbelt also allegedly failed to oversee the security practices of its service providers and of its loan officers working from remote locations throughout the state of Florida.

Finally, the complaint alleges that both companies violated the GLB Privacy Rule, which requires financial institutions to provide consumers with privacy notices describing how they use and disclose consumers’ personal information. According to the complaints, Nationwide allegedly did not provide the privacy notices to its customers, and Sunbelt allegedly did not provide the notices to its online customers.

In addition, the company must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within six months and every other year thereafter for 10 years. The order also contains standard recordkeeping provisions to allow the FTC to monitor Sunbelt’s compliance.

***

What’s your opinion? Send your Letter to the Editor to opinion@inman.com.

Show Comments Hide Comments
Sign up for Inman’s Morning Headlines
What you need to know to start your day with all the latest industry developments
By submitting your email address, you agree to receive marketing emails from Inman.
Success!
Thank you for subscribing to Morning Headlines.
Back to top
Only 3 days left to register for Inman Connect Las Vegas before prices go up! Don't miss the premier event for real estate pros.Register Now ×
Limited Time Offer: Get 1 year of Inman Select for $199SUBSCRIBE×
Log in
If you created your account with Google or Facebook
Don't have an account?
Forgot your password?
No Problem

Simply enter the email address you used to create your account and click "Reset Password". You will receive additional instructions via email.

Forgot your username? If so please contact customer support at (510) 658-9252

Password Reset Confirmation

Password Reset Instructions have been sent to

Subscribe to The Weekender
Get the week's leading headlines delivered straight to your inbox.
Top headlines from around the real estate industry. Breaking news as it happens.
15 stories covering tech, special reports, video and opinion.
Unique features from hacker profiles to portal watch and video interviews.
Unique features from hacker profiles to portal watch and video interviews.
It looks like you’re already a Select Member!
To subscribe to exclusive newsletters, visit your email preferences in the account settings.
Up-to-the-minute news and interviews in your inbox, ticket discounts for Inman events and more
1-Step CheckoutPay with a credit card
By continuing, you agree to Inman’s Terms of Use and Privacy Policy.

You will be charged . Your subscription will automatically renew for on . For more details on our payment terms and how to cancel, click here.

Interested in a group subscription?
Finish setting up your subscription
×