Credit Report Resellers Exposed Consumers to Identity Theft: FTC

FTC Cracks Down on Credit Report Resellers Credit Report Resellers That Exposed Consumers to Identity TheftThree credit report resellers whose lax security procedures allowed hackers to steal the credit reports of nearly 2,000 consumers have agreed to settle Federal Trade Commission charges that they failed to take reasonable steps to protect consumers' personal information against identity theft.

In the first FTC crackdown against credit report resellers for their clients' data security failures, the settlements require the companies to strengthen their data security procedures and submit to regular security audits for 20 years.The credit report resellers are SettlementOne Credit Corp. and its parent company, Sackett National Holdings Inc.; ACRAnet Inc.; and Fajilan and Associates Inc., doing business as Statewide Credit Services; and Robert Fajilan.

"These cases should send a strong message that companies giving their clients online access to sensitive consumer information must have reasonable procedures to secure it," David Vladeck, Director of the FTC's Bureau of Consumer Protection, said in a statement.

"Had these three companies taken adequate steps to ensure the use of basic computer security measures, they might have foiled the hackers who wound up gaining access to extensive personal information in the consumer reporting system," Vladeck said.

According to FTC complaints against the three companies, SettlementOne Credit Corporation, ACRAnet Inc. and Statewide Credit Services, these resellers buy credit reports from the three nationwide consumer reporting agencies (Equifax, Experian, and TransUnion) and combine them into special reports they sell to mortgage brokers and others to determine consumers' eligibility for credit.

Thanks to their lack of information security policies and procedures, the FTC said, the companies allowed clients lacking even the most basic security precautions, such as firewalls and updated antivirus software, to access their reports.

As a result, hackers stole more than 1,800 credit reports via the clients' computer networks, exposing the victims to identity theft. Once the companies became aware of the data breaches, they still failed to beef up their security procedures to safeguard against future breaches.

The resellers are charged with violating the Fair Credit Reporting Act by failing to protect their Internet portals from hackers, failing to maintain reasonable procedures to protect credit reports from data breaches, and furnishing credit reports when they had reasonable grounds for believing the reports would be used for unauthorized purposes. Their failure to protect consumers' personal information also violated the FTC Act.

In addition, the resellers also violated the Gramm-Leach-Bliley Act's Safeguards Rule by failing to design and implement information safeguards to protect consumer information; to regularly test or monitor the effectiveness of their controls and procedures; to evaluate and adjust their information security programs despite known or identified risks; and to have comprehensive information security programs in place.

The proposed consent orders bar the respondents from violating the Safeguards Rule and require them to:
  • Implement comprehensive information security programs designed to protect the security, confidentiality, and integrity of consumers' personal information, including information accessible to clients.
  • Obtain independent audits of their security programs, every other year for 20 years.
  • Furnish credit reports only to those with a permissible purpose.
  • Maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.
The settlements also include record-keeping provisions that will allow the FTC to monitor their compliance.

Commissioner Julie Brill, joined by Chairman Jon Leibowitz and Commissioners J. Thomas Rosch and Edith Ramirez, issued a statement emphasizing that "in the future we will call for imposition of civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligations to protect information contained in consumer reports, as required by the Fair Credit Reporting Act."

The settlements will be subject to public comment for 30 days, beginning today and continuing through March 7, when the Commission will decide whether to make the proposed consent orders final. Interested parties can comment electronically on each agreement via the following links: SettlementOne Credit Corp., ACRAnet Inc. and Statewide Credit Services.

Click here for FTC information on what you can do if your personal information has been compromised, and here for tips for protecting your personal information.

Become a fan of Consumer Ally on Facebook.

Increase your money and finance knowledge from home

Introduction to Retirement Funds

Target date funds help you maintain a long term portfolio.

View Course »

Timing Your Spending

How to pay less by changing when you purchase.

View Course »

Add a Comment

*0 / 3000 Character Maximum