On Tuesday, May 5, 2009, in a press release devoted largely to the FTC’s congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures to meet federal minimums. According to the FTC, the result of this alleged failure was that an intruder in the company’s systems sent "millions of outgoing spam emails" and "could have accessed personal information without authorization." In a consent order (.pdf) that parallels settlements in a number of prior FTC enforcement cases, the company has agreed to implement an information security program and subject itself to biennial security audits for 10 years.
In the FTC complaint (.pdf), federal regulators claimed, among other things, that the mortgage company "failed to provide reasonable and appropriate security for personal information," including by failing to implement a "comprehensive written information security program." Such a program is a requirement for financial institutions, including lenders and mortgage companies, under the FTC Safeguards Rule, a regulation promulgated in 2002 to implement Section 501(b) of the Gramm-Leach-Bliley Act (GLBA). The complaint also alleged that James B. Nutter & Company failed to provide customers adequate notice of its privacy and security practices, as required by the FTC Privacy Rule. The Privacy Rule was promulgated in 2000 to implement Sections 501 through 509 of the GLBA.
Notably, the complaint makes few allegations of damage to consumers. The only alleged harm consisted of spam email and the possibility of unauthorized access to customer information. No doubt this is the reason why the settlement did not involve a substantial fine, as the FTC sought, at least nominally, in its last enforcement action in this area (see our posting on the FTC’s settlement with Rental Research Services). The case thus suggests that the FTC may be willing to undertake enforcement efforts when only consumer privacy interests are affected, even in the absence of concrete financial harm.
* Update: an attorney representing James B. Nutter & Company has contacted us to provide Security, Privacy and the Law with the company’s press release on this incident (.pdf) and to clarify that the company is obligated to submit to only 5 biennial security audits over 10 years.
- The FTC announcement
- The FTC complaint (.pdf), also available from the FTC website (.pdf)
- The parties’ agreement and consent order (.pdf), also available from the FTC website (.pdf)
- The James B. Nutter & Company website
- The company’s press release on the FTC settlement