The FTC settled charges with the resellers, who the agency said did not take “reasonable steps” to protect consumers’ data, which allowed hackers to access their data, according to an agency release. These are the first FTC cases against credit report resellers for their data security failures.
In addition, the settlement requires the companies to furnish credit reports only to those with a permissible purpose and maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.
According to the FTC complaint, because of lax security regarding client access, hackers were able to get access to more than 1,800 credit reports collected by the three resellers, which aggregate credit reports from the three major consumer reporting agencies and sell them to mortgage brokers. Even after becoming aware of the data breaches, the resellers did not take “reasonable” measures to protect against future breaches, the complaint alleges.
The resellers named in the complaint are SettlementOne Credit Corp. and its parent company, Sackett National Holdings; ACRAnet; and Fajilan and Associates, doing business as Statewide Credit Services, and Robert Fajilan.
“These cases should send a strong message that companies giving their clients online access to sensitive consumer information must have reasonable procedures to secure it,” said David Vladeck, director of the FTC’s Bureau of Consumer Protection. “Had these three companies taken adequate steps to ensure the use of basic computer security measures, they might have foiled the hackers who wound up gaining access to extensive personal information in the consumer reporting system.”
The settlement also contains record-keeping provisions to allow the FTC to monitor the resellers’ compliance.