Real Estate Services Company Settles Privacy and Security Charge

May 10, 2006

Company Tossed Consumers' Confidential Information in Dumpster; Company Computers Were Hacked

A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.

NHC, based in Kansas City, Kansas, is a privately held holding company that provides real estate services in 44 states. Its subsidiary, NTA, provides a variety of services in connection with financing home purchases and refinancing existing home mortgages. Likens is the president and sole owner of NHC and its subsidiaries.

"Careless handling of consumers’ sensitive financial information is an open invitation to identity thieves,” said Deborah Platt Majoras, Chairman of the FTC. “Enforcing the laws designed to protect consumers’ sensitive financial data is a priority at the FTC. This is the thirteenth case challenging faulty data security practices, and we will bring more cases if companies continue to fail consumers."

According to the FTC’s complaint, NHC, NTA, and Likens routinely obtain sensitive consumer information from banks, real estate brokers, consumers, and public records that include such things as consumer names, Social Security numbers, bank and credit card account numbers, and credit histories. The FTC alleges that they engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to protect the information. Specifically, the FTC charges that they failed to:

  • assess risks to the information they collected and stored, both online and offline;

  • implement reasonable policies and procedures in key areas such as employee screening and training and the collection, handling, and disposal of personal information;

  • implement simple, low-cost, readily available defenses to common Web site attacks or implement reasonable measures to prevent hackers from gaining access to their computer network;

  • employ reasonable measures to detect and respond to unauthorized access to the data or to conduct security investigations; and

  • provide reasonable oversight for the handling of personal information by service providers, such as third parties employed to process the information and assist in real estate closings.


According to the complaint, a hacker exploited these failures by using a common Web site attack to gain access to NHC’s computer network. In addition, a Kansas City television station found documents containing sensitive consumer information discarded in NHC’s and NTA’s unsecured dumpster.

The FTC alleged that NHC, NTA and Likens made security claims in their privacy policies. For example, NTA’s privacy policy claimed: “NTA, at all times, strives to maintain the confidentiality and integrity of the personal information in its possession and has instituted measures to guard against its unauthorized access. We maintain physical, electronic and procedural safeguards in compliance with federal standards to protect the information.”

The FTC charged that the failure to provide reasonable and appropriate security to protect the information violates the FTC’s Safeguards Rule, which requires financial institutions to take appropriate measures to protect customer information. The complaint also alleges that NTA’s privacy policy claims are deceptive because of these failures, in violation of the FTC’s Privacy Rule and the FTC Act. The Privacy Rule, among other things, requires financial institutions to disclose accurately the manner in which they safeguard customer information. The FTC Act prohibits unfair or deceptive practices.

The proposed settlement bars misrepresentations about the extent to which NHC, NTA, and Likens protect the privacy, confidentiality, or integrity of any personal information collected from or about consumers. It requires that they establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires them to obtain – every two years for the next 20 years – an audit from a qualified, independent, third-party professional that confirms that their security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions. Finally, the settlement bars future violations of the Safeguards Rule and Privacy Rule, as well as the FTC’s Disposal Rule. The Disposal Rule, which took effect on June 1, 2005, requires companies to dispose of credit reports and information from credit reports in a safe and appropriate manner.

Source: FTC


Contact ALTA at 202-296-3671 or communications@alta.org.