The FTC announced the settlement on February 3rd, 2011.
Credit score resellers have been a thorny issue for the government for years. In most cases, such firms buy up consumer credit data from the “Big Three” credit bureaus (Experian, Equifax, and TransUnion). The credit score resellers then bundle the reports together and sell them to smaller creditors like mortgage brokers and other financial firms.
But according to the FTC, credit resellers don’t even erect the bare minimum security barriers, neglecting to establish firewalls, anti-virus software, security encryption, and other basic anti-theft tolls on their reports (usually delivered online).
That turned out to be a big problem. In the case of the three credit score resellers, the FTC reports that internet hackers broke in and accessed approximately 1,800 consumer credit reports without proper authorization.
As a result of the settlement, the three firms; SettlementOne Credit Corporation, ACRAnet Inc., and Statewide Credit Services, must implement “comprehensive” information security programs that protect consumer financial data–under terms laid out under the Fair Credit Reporting Act, and under the Gramm-Leach-Bliley Safeguards Rule.
In addition, the three firms must open up their security programs to government audits “every other year for 20 years,” and only provide access to consumer credit reports “to those with a permissible purpose.”
“These cases should send a strong message that companies giving their clients online access to sensitive consumer information must have reasonable procedures to secure it,” says David Vladeck, Director of the FTC’s Bureau of Consumer Protection. “Had these three companies taken adequate steps to ensure the use of basic computer security measures, they might have foiled the hackers who wound up gaining access to extensive personal information in the consumer reporting system.”
While the damage is already done to consumers impacted by the 1,800 credit reports that were breached, the FTC says it’s ready to tighten the screws on all firms that play fast and loose with consumers’ personal financial data.
“The FTC will take action against companies that cross the line with consumer data and violate consumers’ privacy – especially when children and teens are involved,” says FTC Chairman Jon Leibowitz, in the FTC Staff Privacy Report, released on December 1, 2010. “I think you’ll see more privacy cases in the coming weeks and months.”
By TalkMediaNews, via Flickr