Inman

Mortgage cos. accused of consumer privacy violations

The Federal Trade Commission has charged two mortgage companies with violating the agency’s Gramm-Leach-Bliley (GLB) Safeguards Rule by not having reasonable protections for customers’ sensitive personal and financial information.

The FTC filed an administrative action against Nationwide Mortgage Group Inc. (Nationwide) and its president John D. Eubank, alleging that the Fairfax, Va.-based mortgage broker failed to implement safeguards to protect its customers’ names, social security numbers, credit histories, bank account numbers, income tax returns, and other sensitive financial information.

Clearwater, Fla.-based Sunbelt Lending Services, a subsidiary of Cendant Mortgage Corp., has agreed to settle similar charges, according to the FTC.

Chris Cope, president of Sunbelt Lending Services, said the FTC complaint stems primarily from a seldom-accessed lead generation program that was formerly available through the company’s Web site, but not addressed by the company prior to the May 23, 2003 implementation date of the Safeguards Act. 

“Sunbelt is currently in full compliance with the FTC’s Safeguards Act for privacy policy and security safeguards,” Cope said. “To date, neither Sunbelt nor the FTC has any evidence that any customer information was compromised in any way.”

 

The settlement with Sunbelt will bar future violations of the Safeguards Rule and require biannual audits of Sunbelt’s information security program by a qualified, independent professional for 10 years. These are the FTC’s first cases enforcing the Safeguards Rule.  

The Safeguards Rule, which implements the security requirements of the GLB Act, requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information. The Rule requires financial institutions to implement a written information security program that is appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its program, each financial institution must also: (1) assign one or more employees to oversee the program; (2) conduct a risk assessment; (3) put safeguards in place to control the risks identified in the assessment and regularly test and monitor them; (4) require service providers, by written contract, to protect customers’ personal information; and (5) periodically update its security program.

The FTC targeted Nationwide and Sunbelt as part of a nationwide sweep of automobile dealers and mortgage companies to assess compliance with the Rule. Although the sweep showed compliance by many of the companies targeted, it also showed significant failures to comply by Nationwide and Sunbelt.

According to the FTC’s complaints, both companies allegedly failed to comply with the Rule’s basic requirements, including that they assess the risks to sensitive customer information and implement safeguards to control these risks. In addition, Nationwide allegedly failed to train its employees on information security issues; oversee its loan officers’ handling of customer information; and monitor its computer network for vulnerabilities. Sunbelt also allegedly failed to oversee the security practices of its service providers and of its loan officers working from remote locations throughout the state of Florida.

Finally, the complaint alleges that both companies violated the GLB Privacy Rule, which requires financial institutions to provide consumers with privacy notices describing how they use and disclose consumers’ personal information. According to the complaints, Nationwide allegedly did not provide the privacy notices to its customers, and Sunbelt allegedly did not provide the notices to its online customers.

In addition, the company must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within six months and every other year thereafter for 10 years. The order also contains standard recordkeeping provisions to allow the FTC to monitor Sunbelt’s compliance.

***

What’s your opinion? Send your Letter to the Editor to opinion@inman.com.