FTC Consent Decree Alleges Mortgage Lender Failed to Ensure the Protection of Consumer Information Provided to a Third Party
Mortgage Banking & Consumer Credit Alert

by David A. Tallman, January 15, 2009


On December 16, 2008, the Federal Trade Commission (the “FTC”) issued a final consent decree against a mortgage lender, alleging that the lender failed to adequately protect non-public personal financial information provided to a third party.  The FTC claimed that by permitting a strategic partner to access consumer credit reports without verifying the third party’s data security policies and procedures, Premier Capital Lending, Inc. (“Premier” or the “Company”) failed to comply with the FTC’s Safeguards Rule, 16 C.F.R. Part 314.  The FTC also alleged that Premier committed a deceptive act in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), because boilerplate language in its privacy policy contained “false or misleading” statements regarding its information security practices. 

In the current market environment, mortgage companies are increasingly permitting third parties to access borrower information in order to provide loss mitigation services, offer refinancing opportunities to distressed borrowers, track loan portfolio performance, or explore new business opportunities.  In light of the aggressive enforcement activity by the FTC, every mortgage company should understand how it and its strategic partners collect, use, and protect non-public personal information.  Mortgage companies should also closely examine their privacy disclosures and other public statements to ensure that the disclosures accurately describe their actual policies and procedures and that they are able to meet their public financial privacy and data security commitments.

Discussion
Premier finances the acquisition of manufactured homes.  The Company obtains consumer reports on prospective borrowers/purchasers from a consumer reporting agency using an online portal available to authorized Premier employees.   In March 2006, Premier permitted the principal of a manufactured home seller to use a Company log-in to obtain consumer reports for prospective home purchasers that could be referred to the Company for mortgage financing.  The manufactured home seller obtained credit reports on eighty-three consumers using the Premier log-in credentials.

According to the FTC, in July 2006, an unauthorized person hacked into the manufactured home seller’s computer and obtained the Premier credentials.  The hacker then allegedly used the credentials to obtain over three hundred new consumer reports on individuals who were not customers of either Premier or the manufactured home seller.  The hacker was also able to access all of the eighty-three consumer reports that the seller had legitimately obtained.  While Premier promptly notified the three hundred non-customers of the data security breach, it allegedly did not realize that the hacker had accessed the eighty-three additional consumer reports until more than a year later.  These customers were not notified of the breach until September 2007.

According to the FTC, Premier failed to maintain reasonable and appropriate information security procedures. Among other allegations, the FTC claimed that Premier never visited the seller’s workplace, performed a security audit on the seller’s computer network, or assessed the seller’s data security policies.  Further, the FTC alleged that Premier never reviewed its own account for obvious signs of unauthorized activity, such as an unusual number of consumer report requests or blatant irregularities in the information used to make the requests.  The FTC also claimed that after the breach occurred, Premier failed to maintain adequate procedures to assess the full scope and nature of the data security breach.

Finally, the FTC asserted that Premier’s privacy disclosure did not accurately inform consumers of the Company’s actual privacy policies and practices.  Specifically, the privacy policy stated:

We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction. Our control policies, for example, authorize access to customer information only by individuals who need access to do their work.

According to the FTC, this boilerplate language was false and misleading, in violation of Section 5(a) of the FTC Act, because it implied that Premier maintained reasonable and appropriate measures to protect personal information from unauthorized access, when it had not done so.

The consent decree does not impose any monetary fines or penalties on Premier.  However, the consent decree subjects the Company to enhanced scrutiny by the FTC for at least the next twenty years and requires the Company to reform its data security practices.  Among other requirements, the Company must establish and maintain a comprehensive program to protect the security, confidentiality, and integrity of consumers’ personal information.  Premier must also obtain initial and biennial third-party assessments regarding its data security practices and compliance with the consent decree.

The information security program required by the consent decree must be documented in writing and contain administrative, technical, and physical safeguards appropriate to Premier’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers, including:

  1. The designation of an employee or employees to coordinate and be accountable for the information security program;
  2. The identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks;
  3. The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
  4. The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondents and requiring service providers by contract to implement and maintain appropriate safeguards; and
  5. The evaluation and adjustment of the information security program in light of the results of the required testing and monitoring, any material changes to the Company’s operations or business arrangements, or any other circumstances that the Company knows or has reason to know may have a material impact on the effectiveness of its information security program.

Conclusion
The increased importance of sensitive non-public financial information in a troubled marketplace demands careful consideration of the acquisition, use, and protection of that information.  Although Premier did not make any admission of liability in connection with the settlement, the charges against Premier suggest that the FTC might aggressively enforce the financial privacy protections contained in Title V of the Gramm-Leach-Bliley Act against lenders and other financial institutions.  Mortgage lenders and servicers should consider developing and implementing information security programs that include robust auditing and oversight, both internally and with respect to strategic partners and third-party service providers.  Each statement made in consumer disclosures or other public statements with respect to financial privacy or information security should accurately reflect the financial institution’s actual policies and procedures. 

This client alert is for informational purposes only and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting with a lawyer.

If you have any questions about the Premier consent order, please contact David Tallman, Melanie Brody, or any other member of K&L Gates’ Mortgage Banking and Consumer Finance Group.

Contacts:
David A. Tallman, +1.202.778.9046, david.tallman@klgates.com
Melanie H. Brody, +1.202.778.9203, melanie.brody@klgates.com

