Inman

Real estate lender settles data security charges

Superior Mortgage Corp., a lender with 40 branch offices in 10 states and multiple Web sites, has agreed to settle Federal Trade Commission charges that it violated federal law by failing to provide reasonable security for sensitive customer data and falsely claiming that it encrypted data submitted online, the FTC announced Wednesday.

The FTC’s Safeguards Rule, enacted under the Gramm-Leach-Bliley Act, requires financial institutions, including lenders like Superior, to implement reasonable policies and procedures to ensure the security and confidentiality of sensitive customer information. Superior maintained customers’ Social Security numbers, credit histories and credit card numbers, among other sensitive information. The FTC complaint alleges that Superior violated the Safeguards Rule because it:

  • Failed to assess risks to its customer information until more than a year after the Safeguards Rule took effect;
  • Failed to implement appropriate password policies to limit access to company systems and documents containing sensitive customer information;
  • Did not encrypt or otherwise protect sensitive customer information before sending it by e-mail; and
  • Failed to ensure that its service providers were providing appropriate security for customer information and addressing known security risks in a timely manner.

The FTC also alleged that despite Superior’s claims that sensitive personal information collected at its www.supmort.com Web site was encrypted using secure socket layer technology, the information was only encrypted while it was being transmitted between a visitor’s Web browser and the Web site’s server. Once the information was received at the Web site, it was allegedly decrypted and e-mailed to Superior’s headquarters and branch offices in clear, readable text. The agency alleged that these claims were deceptive and violated the FTC Act.

The settlement bars Superior from misrepresenting the extent to which it maintains and protects the privacy, confidentiality or security of any personal information collected from or about consumers, and prohibits violations of the Safeguards Rule. The settlement also requires that Superior hire an independent, third-party auditor to assess its security procedures every two years for the next 10 years, and to certify that these procedures meet or exceed the protections required by the Safeguards Rule. The settlement also contains certain record-keeping requirements to allow the FTC to monitor compliance.

Superior Mortgage Corp. is based in Tuckerton, N.J. It has offices in New Jersey, Pennsylvania, Florida, Virginia, Maryland, North Carolina, Connecticut, Indiana and Delaware.

***

What’s your opinion? Send your Letter to the Editor to opinion@inman.com.