Lax Data Protection Charges on Credit Resellers Settled

Jay Decenella, IT audit expert
August 22, 2011

Three credit report resellers have settled the charges filed by the Federal Trade Commission (FTC) over data protection failures.

The FTC has approved final orders settling charges against SettlementOne Credit Corporation, ACRAnet, Inc., and Fajilan and Associates, Inc., which allegedly failed to take reasonable measures to protect sensitive consumer credit information. The poor handling allegedly enabled hackers to access more than 1,800 credit reports. The orders require the companies to strengthen their data protection measures and submit to audits for 20 years.

“We…emphasize that in the future we will call for imposition of civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligations to protect information contained in consumer reports, as required by the Fair Credit Reporting Act,” said FTC Commissioner Julie Brill.

In a statement, the FTC said the resellers treated their legal obligations to protect consumer information as a “paper exercise.”

The FTC’s complaint alleged that respondents provided only a “cursory review” of security measures and took no further action to ensure that their customers’ security measures adequately protected the information in the consumer reports.

Also, the resellers failed to provide training on security measures to end users.

“Even after discovering security breaches that should have alerted them to problems with the data security of some customers, respondents failed to implement measures to check the security practices of other clients,” the FTC said.

The FCRA requires respondents to take reasonable measures to ensure that consumer reports are given only to entities using the reports for purposes authorized by the statute.

The complaints added that, as a result of respondents’ failure to comply with the FCRA, nearly 2,000 credit reports were improperly accessed.

“There is no doubt that such unauthorized access can result in grave consumer harm through identity theft,” the FTC said.

The significant impact and cost of identity theft are well documented, according to the FTC.

It added: “Although reports regarding the impact of identity theft do not always agree on specific figures, they do reveal tremendous economic and non-economic consequences for both consumers and the economy.”

The FTC itself issued reports in both 2003 and 2007.

In 2005 alone, the FTC reported that 8.3 million consumers fell victim to identity theft, 1.8 million of whom had new accounts opened in their names.

One-quarter of the “new account victims” incurred more than $1,000 in out-of-pocket expenses, and five percent spent 1,200 hours dealing with the consequences of the theft. The report concluded that losses from identity theft in 2006 totaled $15.6 billion.

“Beyond these financial impacts, we also identified non-economic harm to victims in many forms: denial of new credit or loans, harassment from collection agencies, the loss of the time involved in resolving the problems, and being subjected to criminal investigation,” the FTC said.

Brill said: “While we view the breaches in these cases with alarm, we are also cognizant of the fact that these are the first cases in which the Commission has held resellers responsible for downstream data protection failures.

“Looking forward, the actions we announce today should put resellers — indeed, all of those in the chain of handling consumer data — on notice of the seriousness with which we view their legal obligations to proactively protect consumers’ data.”

 
