Three Credit Report Resellers Settle FTC Charges for Not Protecting Personal Information of Consumers

By Lester Rosen, Employment Screening Resources (ESR) President & Thomas Ahearn, ESR News Editor

In the Federal Trade Commission’s (FTC) first cases against credit report resellers for the data security failures of their clients, three companies that resell credit reports of consumers have agreed to settle FTC charges that they did not take reasonable steps to protect personal information of consumers and allowed computer hackers to access that personal information, according to a recent news release from the FTC.

Administrative complaints issued by the FTC showed the three credit report resellers bought credit reports from the three nationwide consumer reporting agencies – Equifax, Experian, and TransUnion – and combined them into reports sold to clients for determining consumers' eligibility for credit. Because these three resellers allegedly allowed clients to access these reports without basic security measures such as firewalls and updated antivirus software, hackers accessed more than 1,800 credit reports without authorization through the computer networks of clients. The three credit report resellers also allegedly did not make reasonable efforts to protect against future security breaches even after becoming aware of these data breaches.

The three credit report resellers are charged with violating the Fair Credit Reporting Act (FCRA) by:

  • Failing to protect their internet portals and thereby furnishing credit reports to hackers who lacked a permissible purpose to have them,
  • Failing to maintain reasonable procedures to limit the furnishing of credit reports for such purposes, and
  • Furnishing credit reports when they had reasonable grounds for believing the reports would not be used for a permissible purpose.

The failure of the three credit report resellers to protect personal information of consumers also allegedly violated the FCRA. In addition, the credit report resellers allegedly violated the Gramm-Leach-Bliley Safeguards Rule by failing to:

  • Design and implement information safeguards to control the risks to consumer information;
  • Regularly test or monitor the effectiveness of their controls and procedures;
  • Evaluate and adjust their information security programs in light of known or identified risks; and
  • Have comprehensive information security programs.

The proposed settlement, part of the ongoing campaign of the FTC to protect the personal information of consumers, would require the three credit report resellers to:

  • Have comprehensive information security programs designed to protect the security, confidentiality, and integrity of the personal information of consumers, including information accessible to clients;
  • Obtain independent audits of their security programs, every other year for 20 years;
  • Furnish credit reports only to those with a permissible purpose; and
  • Maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.

These cases show that the FTC will call for imposition of civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligations to protect information contained in consumer reports as required by the FCRA. These cases also send a strong message that companies giving their clients online access to sensitive information of consumers must have reasonable procedures to secure that information.

Consumer protection through data security makes up a critical part of the National Association of Professional Background Screeners (NAPBS) accreditation process. Since its founding in 2003, the NAPBS has held that there is a strong need for a single, cohesive industry standard, and it created the Background Screening Agency Accreditation Program (BSAAP) to meet that need. Governed by a strict professional standard composed of requirements and measurements, the BSAAP is becoming a widely recognized seal of approval that brings national recognition to background screening organizations – also referred to as Consumer Reporting Agencies (CRAs) – and stands as the industry “seal” representing a background screening organization’s commitment to excellence, accountability, high professional standards, and continued improvement.

The NAPBS Background Screening Credentialing Council (BSCC) oversees the application process and is the governing accreditation body that will ensure the background screening organizations seeking accreditation meet or exceed a measurable standard of competence. To become accredited, a CRA must pass an onsite audit of its policies and procedures as they relate to six critical areas of the BSAAP:

  • ‘Section 1: Consumer Protection’ includes standards for: Information Security Policy; Data Security; Intrusion Detection and Response; Stored Data Security; Password Protocol; Electronic Access Control; Physical Security; Consumer Information Privacy Policy; Unauthorized Browsing; Record Destruction; Consumer Disputes; Sensitive Data Masking; and Database Criminal Records.
  • ‘Section 2: Legal Compliance’ includes standards for: Designated Compliance Person(s); State Consumer Reporting Laws; Driver Privacy Protection Act (DPPA); State Implemented DPPA Compliance; Integrity; Prescribed Notices; and Certification from Client.
  • ‘Section 3: Client Education’ includes standards for: Client Legal Responsibilities; Client Required Documents; Truth in Advertising; Adverse Action; Legal Counsel; Understanding Consumer Reports; and Information Protection.
  • ‘Section 4: Product Standards’ includes standards for: Public Record Researcher Agreement; Vetting Requirement; Public Record Researcher Certification; Errors and Omissions Coverage; Information Security; Auditing Procedures; Identification Confirmation; and Jurisdictional Knowledge.
  • ‘Section 5: Service Standards’ includes standards for: Verification Accuracy; Current Employment; Diploma Mills; Procedural Disclosures; Verification Databases; Use of Stored Data; Documentation of Verification Attempts; Outsourced Verification Services; Conflicting Data; Professional Conduct; and Authorized Recipient.
  • ‘Section 6: General Business Practices’ includes standards for: Character; Insurance; Client Credentialing; Vendor Credentialing; Consumer Credentialing; Document Management; Employee Certification; Worker Training; Visitor Security; Employee Criminal History; Quality Assurance; and Certification.

Employment Screening Resources (ESR) is formally recognized as accredited by the National Association of Professional Background Screeners (NAPBS) Background Screening Credentialing Council (BSCC) for successfully proving compliance with the Background Screening Agency Accreditation Program (BSAAP). For more information, visit Employment Screening Resources (ESR) at http://www.ESRcheck.com

Source:
http://ftc.gov/opa/2011/02/settlement.shtm