THREE CREDIT REPORT RESELLERS have reached a settlement with the US Federal Trade Commission (FTC) after failing to protect customers' personal data.
The FTC charged three credit report resellers after hackers had been able to view customer data due to inadequate data protection procedures. SettlementOne Credit Corporation and its parent company, Sackett National Holdings Inc; ACRAnet Inc; Fajilan and Associates Inc, also known as Statewide Credit Services; and Robert Fajilan were charged with violating the Fair Credit Reporting Act by failing to protect their websites. The FTC also alleged the firms violated the Gramm-Leach-Bliley Safeguards Rule by not putting in place adequate safeguards on customers' information.
Due to the firms' shoddy data protection procedures, the FTC claimed hackers accessed more than 1,800 credit reports without authorisation. What's worse was that even after the firms were made aware of unauthorised access to customer data, they did nothing about it.
As part of the settlement with the FTC, the firms have promised to strengthen their data security procedures and submit to audits for the next 20 years. David Vladeck, director of the FTC's Bureau of Consumer Protection, hailed the settlement, saying, "These cases should send a strong message that companies giving their clients online access to sensitive consumer information must have reasonable procedures to secure it."
Although this FTC case involved firms that resold reports from credit rating agencies such as Experian, its decision to insist upon adequate data handling procedures should serve as a wake-up call for all US websites dealing with personal data. The real shame is that while the FTC might be taking a hard line, different countries have different data protection laws, meaning that the FTC's stance in the US will have little effect on firms that store data in Britain, a fact cited by Jonathan Martin, VP and general manager of HP's Information Management Group.
While talking with The INQUIRER about cloud security, Martin mentioned the problems faced by companies in trying to adhere to data protection laws for storing customer and employee records. "Regulation of data is country specific," said Martin, who mentioned that HP, like many other firms, has to deal with the issue in its various offices around the world.
Martin's point might come from the view of service providers, but it highlights an important fact for web users, that the location of information might well determine what privacy safeguards are in place to protect personal data. Martin's desire for harmonisation of data protection laws would not only help firms but users as well.
One hopes that the FTC's stance will manage to bring other US companies into line. After all, Internet users should be able to expect that failures to meet data privacy standards will lead to serious repercussions. µ
'"Regulation of data is country specific," said Martin, who mentioned that HP, like many other firms, has to deal with the issue in its various offices around the world.'
You know, that's not a problem. Pick the *most restrictive* DP laws in countries where you offer data services, and comply with those. Then you are absolutely golden everywhere else.
Only a jerkoff who's more interested in selling other people's data than he is in protecting that data from criminals would have been concerned about "different laws."