FTC Says Mortgage Broker Broke Data Security Laws: Dumpster Wrong Place for Consumers’ Personal Information
The Federal Trade Commission has charged a mortgage broker with discarding consumers’ tax returns, credit reports, and other sensitive personal and financial information in an unsecured dumpster, in violation of federal law.
According to the FTC, in December 2006, approximately 40 boxes containing consumer records were found in a publicly-accessible dumpster. The records included tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers’ licenses, and at least 230 credit reports. The FTC alleges that the defendant, who has owned numerous companies that handle sensitive consumer information, kept the documents in an insecure manner in his garage before improperly disposing of them.
As charged in the FTC’s complaint, the defendant has failed to implement and monitor policies and procedures requiring secure disposal of credit reports; ensure that employees or third parties assigned to transport such documents for disposal are qualified to do so and have received appropriate guidance or training; alert employees or third parties to such documents’ sensitive nature or instruct them to take precautions; and oversee the transport of such documents for disposal, or otherwise confirm that the documents are disposed of in a way that ensures that they cannot practicably be read or reconstructed.
The complaint also alleges that the defendant provided customers of two mortgage brokerage companies that he owned – First Interstate Mortgage Corporation (FIM) and Nevada One Corporation (Nevada One) – with a written statement claiming that the companies maintained “physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.” The statement also claimed that the companies contractually required third-party service providers to safeguard consumer information and use it only to provide services for FIM and Nevada One. According to the FTC, however, the defendant failed to implement reasonable data security measures in key areas at the companies, including the physical and electronic security of sensitive consumer information; the proper collection, handling, and disposal of such information; and employee training. The defendant also failed to provide reasonable oversight of the handling of the information by service providers, including by contractually requiring them to maintain appropriate safeguards for the information.
Gregory Navone of Las Vegas is charged with violating the Fair Credit Reporting Act and the rule regarding Disposal of Consumer Report Information and Records (Disposal Rule) by failing to take reasonable measures to protect consumer information derived from consumer reports against unauthorized access in connection with its disposal. He is also charged with violating the FTC Act by falsely representing that FIM and Nevada One implemented reasonable and appropriate measures to protect sensitive consumer information from unauthorized access, and that the companies contractually required service providers to safeguard customers’ information and use it only to provide services for FIM and Nevada One.
By a 4-0 vote, the Commission authorized staff to file the complaint in the U.S. District Court for the District of Nevada. The complaint was filed on December 30, 2008.
NOTE: The Commission issues a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public[…]
interest. The complaint is not a finding or ruling that the defendant has actually violated the law.
Source – FTC Press Release
Related – Complaint [pdf]