February 10, 2011
Authored by: Robert Klingler
On February 3, 2011, the Federal Trade Commission (“FTC”) announced a series of settlements with companies that sell credit reports to mortgage brokers for the purpose of determining consumers’ eligibility for credit. The FTC’s complaints allege that the clients of these businesses lacked “basic security measures . . . such as firewalls and updated antivirus software.” In 2008 and 2009, hackers exploited the vulnerabilities of these clients and gained access to the clients’ user names and passwords and, consequently, to consumers’ credit reports.
According to the FTC’s complaints, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the FTC Act impose a duty on credit report resellers to implement reasonable security, which includes “evaluating the security of end user’s computer networks” and providing security “training” to end user clients. For instance, the FTC suggests that the credit report resellers could have “require[d] end user clients to submit . . . documentation demonstrating” that their “computer systems were virus free and otherwise properly protected.”
Although the Gramm-Leach-Bliley Act requires that financial institutions develop information security programs that safeguard information within the financial institution’s possession, and that financial institutions require that their service providers do the same, this is the first time that the FTC has attempted to hold a financial institution responsible for its customers’ computer systems, or to require that a financial institution provide security training to its customers. A statement issued by four of the FTC’s five commissioners indicated that the Commission may attempt to impose such a duty on all businesses (not just credit report resellers, or financial institutions) “in the chain of handling consumer data.” It is unclear whether the federal banking agencies, the Securities and Exchange Commission, or federal courts will adopt the FTC’s position.
If you would like further information on how to comply with the data privacy and security laws, or on the FTC’s recent enforcement actions, feel free to contact David Zetoony, John ReVeal, or Dan Schwartz in Washington D.C., at 202-508-6000, or Rebecca Nelson in St. Louis, at 314-259-2000.