Information Security: FTC Action

Banks and thrifts are not alone when it comes to requirements to maintain security for customer information. One of the first enforcement actions under information security requirements has been taken by the Federal Trade Commission. While the entities regulated by the FTC have different, usually less complex information security issues, the practices and concerns raised by the FTC are instructive.

FTC filed a complaint against Nationwide Mortgage Group, Inc., and John D. Eubank individually and as president of Nationwide Mortgage Group. The enforcement order was issued on December 9, 2004. The company, a mortgage bank, is located in Fairfax, Virginia, part of the Washington metro area.The complaint alleges violations of the Information Safeguards Rule and the Privacy Rule, both issued by the FTC for entities that it regulates. The complaint outlines the safeguards rule requirements and then itemizes the ways in which Nationwide failed to comply.

The Safeguards Rule was issued by the FTC in May 2002 to implement information security provisions of the G-L-B Act. For institutions subject to the authority of the FTC, the rule requires the institution to designate one or more employees to coordinate the information security program, identify reasonably foreseeable internal and external risks to information security, design and implement safeguards to control the risks, oversee service providers and require service provider compliance through contracts, and evaluate and adjust the program as necessary based on audit and monitoring findings.

The FTC's Privacy Rule requires annual notices to customers that explain the company's privacy policy and practices.

The complaint alleges that Nationwide has collected sensitive customer information, such as Social Security numbers and bank account numbers, without implementing "reasonable policies and procedures" to ensure the security of the information.

The complaint provides several examples of how information was not secure which are actually examples of information security risk. According to FTC findings, Nationwide stored customer information on its computer network. The network and the data on it was available to all employees. It was also connected to the Internet.

Another deficiency in Nationwide's information security program was that it failed to monitor its network for vulnerabilities. With sensitive customer information, valuable to identity thieves, on the network, this failure presents a very real threat to information security.

FTC also found that Nationwide had not assessed its information security risks as required by the FTC regulation. Moreover, Nationwide did not have policies and procedures for information security and had not trained its employees on information security issues.

As an additional finding, FTC concluded that Nationwide had not overseen the collection and handling of customer information by its loan officers. This allegation raises an affirmative obligation to manage and oversee the information security process.

The allegations of Privacy Rule violations included Nationwide's failure to provide their customers with the required privacy notice. While this could seem like a technical violation, the Commission's complaint includes the claim that a violation of the Privacy Rule constitutes an unfair or deceptive trade practice. Thus, the failure to provide notices violated not only G-L-B, but also the FTC Act. The same analysis applies to the violations of the Safeguards Rule. Both compliance violations become unfair or deceptive trade practices.

The Commission also issued a consent order against Sunbelt Lending Services, Inc. of Clearwater, Florida. The allegations and concerns are strikingly similar to those raised in the Nationwide case, involving both the Security Rule and the Privacy Rule.

In the Sunbelt complaint, the Commission identified additional customer information that was not properly safeguarded, including credit reports and income tax returns. Sunbelt had failed to assess risks to customer information and did not have reasonable policies and procedures for information protection.

Sunbelt had also failed to train employees and oversee information security practices of loan officers working throughout the state.

While the rules affecting banks and thrifts are issued by different agencies, the concerns and compliance issues are similar. The program elements are basically the same. You need a risk assessment, policies and procedures to protect information, training, ongoing monitoring of sensitive systems, oversight of employees who handle customer information, oversight of service providers, and regular evaluations through audits and monitoring.

Information security is a high priority for 2005. Your institution will be in good shape if you have a strong information security program. Perfection is not yet required. But a good program is.

ACTION STEPS

Review staff access to data bases and to the Internet.
Check on the status of the network vulnerability monitoring program.
If it hasn't been done already, arrange for an information security risk assessment. If it has been done, schedule the next one. This must be an ongoing process.
Review your institution's record of sending initial and annual privacy act notice. Be sure that notices for 2005 are on the schedule.
Do a laptop inventory. Determine who has a laptop, what information is on it (including sensitive customer information) and where that laptop goes.