Mortgage company settles privacy violation charges

March 7, 2005

FTC alleged Nationwide didn't safeguard customer names, SSNs


Inman News

Nationwide Mortgage Group has settled Federal Trade Commission charges that the company failed to adequately protect customers' personal and financial information.

In late 2004, the FTC filed an action against Nationwide, charging the Fairfax, Va.-based company with violating the agency's Gramm-Leach-Bliley Safeguards Rule by not having reasonable protections for customers' sensitive information.

Nationwide was charged with failing to protect customers' names, Social Security numbers, credit histories, bank account numbers, income tax returns, and other sensitive financial information. This and another 2004 case is the FTC's first case enforcing the Safeguards Rule.

The settlement with Nationwide bars Nationwide and its president, John D. Eubank, from violating the Safeguards Rule or the Privacy Rule in the future. The company must retain an independent professional to certify its security program meets the order's standards listed in the order within 180 days, and then once every other year for 10 years. The order also requires the company to distribute a copy of the order to all of its employees.

Clearwater, Fla.-based Sunbelt Lending Services, a subsidiary of Cendant Mortgage Corp., agreed to settle similar charges in late 2004.

Chris Cope, president of Sunbelt Lending Services, said at the time that the FTC complaint stemmed primarily from a seldom-accessed lead generation program that was formerly available through the company's Web site, but not addressed by the company prior to the May 23, 2003, implementation date of the Safeguards Act.

"Sunbelt is currently in full compliance with the FTC's Safeguards Act for privacy policy and security safeguards," Cope said.

The Safeguards Rule, which implements the security requirements of the GLB Act, requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information. The Rule requires financial institutions to implement a written information security program that is appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its program, each financial institution must also: (1) assign one or more employees to oversee the program; (2) conduct a risk assessment; (3) put safeguards in place to control the risks identified in the assessment and regularly test and monitor them; (4) require service providers, by written contract, to protect customers' personal information; and (5) periodically update its security program.

Nationwide did not return calls asking for comment by press time.

Copyright 2005 Inman News


Contact ALTA at 202-296-3671 or communications@alta.org.