The Federal Trade Commission recently announced that it reached a settlement with three consumer credit report resellers whose information security practices and procedures were not sufficient to prevent hackers to obtain more than 1,800 consumer credit reports without authorization. The settlement resolves allegations that the resellers violated the Fair Credit Reporting Act, the FTC Act and the Gramm Leach Bliley Safeguards Rule by failing to take appropriate precautions to protect credit reports and the personal information such reports contain. According to the FTC, the resellers’ information security deficiencies included (1) not having comprehensive information security policies or procedures in place; (2) releasing consumer reports to clients who lacked basic security measures, such as firewalls and updated antivirus software; (3) failing to protect their own internet portals and thereby furnishing credit reports to hackers who lacked a permissible purpose for having them; and (4) not making reasonable efforts to protect against future breaches even after becoming aware of the hackers’ illegitimate activities.
The FTC’s proposed consent order prohibits further violations of the Safeguards Rule and also requires the resellers to do the following:
o implement comprehensive information security programs designed to protect the security, confidentiality, and integrity of consumers’ personal information, including information accessible to clients;
o obtain independent audits of their security programs, every other year for 20 years;
o furnish credit reports only to those with a permissible purpose; and
o maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.
FTC Commissioner Julie Brill used the settlement as an opportunity to emphasize the gravity of the resellers’ offenses and the FTC’s commitment to protecting consumers and their personal information. In connection with the settlement, Commissioner Brill announced that “in the future we will call for imposition of civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligations to protect information contained in consumer reports, as required by the Fair Credit Reporting Act.”