PCL obtains consumer reports from a consumer reporting agency through an online portal, into which each authorized PCL employee logs with individual credentials. In March 2006, PCL activated a consumer reporting agency login for the principal of a seller of manufactured homes (the “seller”) based elsewhere in the state. The FTC alleged that PCL failed to (1) assess the risks of allowing a third party to access consumer reports through PCL’s account; (2) reasonably address those risks by evaluating the security of the third party’s computer network and ensuring that appropriate data security measures were in place; (3) conduct reasonable reviews of the consumer report requests made on the third party’s account for signs of unauthorized activity; and (4) assess the scope of the consumer report information stored in, and accessible through, the third party’s account.
In or around July 2006, someone hacked into the seller’s computer and obtained the principal’s PCL-issued consumer reporting agency login. With those credentials, the intruder was able to pull numerous credit reports on unsuspecting consumers.
The proposed consent order contains a series of requirements including establishing and maintaining a comprehensive information security program; obtaining a biennial report from a qualified third party about PCL’s information security program; and reporting and compliance provisions.
This is not a case in which the FTC has pursued a cutting-edge theory based on esoteric information security practices or technologies, or on a novel legal approach. Rather, the action is another chapter in the FTC’s continuing effort to require businesses that collect, process, and maintain consumers’ personal information, or that make such information available to their business partners, to take reasonable measures to protect that information and to describe their privacy practices accurately. Companies that take information security seriously, and that reasonably assess and respond to risks to consumers’ personal information, have far less to fear from this action than companies that keep their heads in the sand. The latter tend to assume that the risks are too small to bother with, that they are another company’s responsibility, or that they can be addressed once rather than continuously as threats, risks, and business models evolve. The PCL allegations show each of those assumptions failing in turn: the risk of sharing an account with a third party was never assessed, the third party’s security was treated as its own affair, and the account’s activity was never reviewed after it was set up.
On its website, the Commission provides businesses with guidance on complying with the GLB Act’s privacy of consumer information rule as well as with the Act’s financial privacy requirements.