
FTC Fines Mortgage Co. For Tossing PII Into Dumpster: FACTA/FCRA, GLBA, & FTC Act Violations

On December 17 the U.S. Federal Trade Commission (FTC) penalized American United Mortgage Company for discarding the personally identifiable information (PII) and financial information of its customers and consumers in an open, publicly accessible dumpster.

Under the terms of the penalty, American United Mortgage Company must:

* Pay a $50,000 civil penalty

* Implement reasonable policies and procedures requiring the proper disposal of consumers' personal information, including consumer reports and information derived from them

* Take reasonable steps when disposing of customer information (such as those named in the FACTA Disposal Rule: burning, pulverizing, or shredding consumer reports or information derived from them) so that it cannot practicably be read or reconstructed

* Perform risk assessments to identify reasonably foreseeable internal and external risks to consumer information

* Develop, implement, and maintain a comprehensive written information security program

* For a five-year period, maintain and make available to the FTC certain documents related to compliance with the order

* Every two years for the next 10 years obtain an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order

It's likely that building a comprehensive information security program that meets the FTC's requirements, together with 10 years of monitoring and independent audits, will cost the company far more than the $50,000 penalty itself.

According to the ruling, by discarding customer PII in a dumpster without shredding it or otherwise irreversibly destroying it, American United Mortgage Company violated:

* The Disposal Rule portion of FACTA (an amendment to FCRA)

* The Privacy Rule portion of GLBA

* The FTC Act

According to the court documents related to the case, "intact American United documents containing consumers' personal information were found on multiple occasions in and around a dumpster, near its office, that was unsecured and easily accessible to the public."

In February 2006, hundreds of intact documents were found in open trash bags. Consumer reports for 36 consumers were among the documents found.

The FTC said it notified the company in writing about the problem in March 2006 and on at least two later occasions, yet American United Mortgage continued the same insecure disposal practices.

It's interesting that the mortgage company denied throwing the customer PII into the dumpster, even though the documents were found in the dumpster and used as evidence.

If the mortgage company did have disposal policies and procedures in place, it sounds like they were not well communicated or enforced, and that there was no training or ongoing awareness effort behind them.

Do you know how your organization is disposing of customer, consumer and employee PII? Do you have reasonable and enforced policies and procedures in place for information disposal?


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.