On June 16, 2009, the Federal Trade Commission (FTC) announced that it had approved a final consent order resolving allegations that James B. Nutter & Company (JBN) failed to provide reasonable security for consumers' sensitive personal information as required by the FTC's GLB Safeguards Rule. JBN, based in Kansas City, Missouri, is one of the largest privately held lenders in the United States, and this case is the twenty-sixth enforcement action since 2001 that the FTC has brought against a company that allegedly failed to maintain reasonable procedures to protect consumers' personal information.
One notable aspect of this case is that the Commission's complaint focuses, in part, on the company's failure to have appropriate contractual requirements in place with a vendor to whom it supplied computer tapes containing sensitive personal information.
JBN makes and services single-family residential mortgage loans throughout the United States and, in the course of its business, routinely collects sensitive personal information from or about its consumers, such as their names, street and e-mail addresses, telephone numbers, Social Security numbers, driver's license numbers, dates of birth, bank and credit card account numbers, mortgage information, and income, debt, employment, and credit histories. In the complaint, the FTC alleges that JBN: (1) failed to develop a comprehensive, written security program; (2) failed to regularly review the security of its computer network; (3) stored unencrypted personal information on its computer network; (4) provided back-up tapes containing unencrypted personal information to its third-party service providers; and (5) failed to contractually require its third-party service providers to protect the security and confidentiality of that information, thereby failing to provide reasonable security for customers' personal information. As a result of this failure, an unauthorized person was able to access JBN's computer network and send millions of outgoing spam e-mails without the company's knowledge. Through that network access, the unauthorized person could have potentially accessed customers' personal information.
Additionally, the FTC alleges that the company's privacy notices, which it began sending to consumers in 2004, were in violation of the GLB Safeguards Rule and Privacy Rule because they: (1) did not specify the company's security practices; (2) did not accurately inform customers that the company disclosed customer information to third parties; and (3) misleadingly informed customers that they only had 30 days to exercise their opt-out rights, when the GLB Privacy Rule provides that they may do so at any time during the course of their loan.
Under the terms of the consent order, JBN is required to establish and maintain a comprehensive data security program. Additionally, the order requires JBN to hire an independent auditor to assess the company's security procedures every two years for ten years and to certify that the security procedures comply with the order. The order also bars the company from violating the GLB Safeguards Rule or Privacy Rule.
Kelley Drye & Warren LLP
Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulatory investigations regarding their privacy and data security practices.