FTC Says Superior's Security Is Anything But

October 12, 2005
Law Firm: Manatt, Phelps & Phillips, LLP - Los Angeles Office

Superior Mortgage Corp. will implement data security procedures that will be reviewed by independent auditors for 10 years under a proposed Federal Trade Commission consent order.

The FTC accused Superior of failing to provide reasonable security for sensitive customer data and falsely claiming to encrypt data submitted online, in violation of the FTC's Safeguards Rule adopted under the 1999 Gramm-Leach-Bliley Act. The rule requires financial institutions such as Superior, a lender with 40 branch offices in 10 states and multiple Web sites, to have in place reasonable policies and procedures to ensure the security and confidentiality of sensitive customer information. Superior kept sensitive information, including customers' Social Security numbers, credit histories, and credit card numbers. However, according to the FTC, the company took over a year after the rule became effective to assess risks to customer information. In its complaint, the FTC gave a laundry list of the company's security shortcomings, including:

  • neglecting to install passwords limiting access to company systems;
  • failing to encrypt sensitive customer information sent by e-mail;
  • failing to ensure that its service providers met security standards; and
  • falsely claiming that personal information collected online was encrypted using Secure Sockets Layer (SSL) technology, when in fact data was encrypted only while being transmitted between a visitor's Web browser and the Superior Web site's server. Once the information was received by Superior, it was decrypted and e-mailed to Superior's headquarters and branch offices in clear, readable text.

The proposed settlement requires Superior to hire an independent, third-party auditor to assess its security procedures every two years for the next 10 years and to certify that these procedures meet or exceed the protections required by the Safeguards Rule.

Significance: This is only the third published case enforcing the Gramm-Leach-Bliley Safeguards Rule (see the November 29, 2004, issue of [email protected] for a discussion of the first two cases). However, a year ago, the FTC announced that it was targeting automobile dealers and mortgage companies to assess compliance with the rule. Expect more announced enforcement actions on this front.