Real Estate Services Company Settles Privacy and Security Charge
FTC Press Release - May 10, 2006
A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.
The Chapell View
According to the FTC's release on the case, the financial services company Nations Holding Company (NHC) and its subsidiaries violated consumer protection laws in two significant ways. First, they failed to appropriately safeguard the data they collected - leaving it on easily accessible computer networks and even trashing it in open dumpsters. Second, they made false representations about the protections they claimed to (but didn't) afford to consumers' information.
Where this case is most demonstrative, I think, is in the reasons listed by the FTC as to why NHC had "failed to provide reasonable and appropriate security." These included failing to use appropriate website security and fraud detection methods. But just as importantly, the FTC cited a failure to "implement...employee screening and training and the collection, handling, and disposal of personal information," "assess risks to the information they collected and stored," and "provide reasonable oversight for the handling of personal information by service providers, such as third parties."
These three factors - employee training, risk assessment, and third-party oversight - are key elements of any privacy protection program. Unfortunately, as businesses - and especially online businesses - focus more and more on technology, companies can sometimes overlook these factors. Providing real protection, however, requires doing more than developing technology or building a secure network. There's some irony here: the technology of collecting and storing data is rapidly improving, and yet this may lead to an increase in possible security threats. Why? Many of these improvements involve storing data on third-party servers (as desktop search applications, for example, do). How big these risks will be remains to be seen, but it's doubtful that technology alone will alleviate them.
The other part of the story is the FTC's increased willingness to go after companies that aren't addressing security issues. And businesses, I think, have reason to take note of this, whatever the final consequence. After all, without real risk assessment, it's hard to determine where possible threats are; without third-party oversight, and without employee training, even the best privacy practices can get lost in the shuffle (or dumpster). Third-party oversight is especially important. In recent months, businesses have been held responsible for acts they authorized third parties to take on their behalf. Even if a business has put the proper privacy and security measures in place, they're going to want to make sure that anyone using their data is following the same guidelines and procedures.
Not all of this has to do with avoiding legal repercussions, and it goes to the heart of why companies should respect consumer privacy for business reasons. Consumers want these protections, and are more likely to trust - and patronize - a business that enacts them. Chapell & Associates has often argued that privacy isn't just about technology - it's also about what businesses do with technology. The FTC, it seems, agrees, and is acting accordingly.

