Punishing Sloppy Security
The Federal Trade Commission released information yesterday on a settlement it reached recently in a case involving a fairly large mortgage company that falsely claimed to be protecting the personal and financial details of its customers. Reading the details of the case, I'm starting to wonder just how pervasive these kinds of atrocious security practices really are.
The company was Tuckerton, N.J.-based Superior Mortgage Corp., a lender with 40 branch offices in 10 states and multiple Web sites. The FTC sued Superior for violating federal safeguard rules on data privacy, alleging the company routinely transmitted customers' Social Security numbers, credit histories, credit card numbers and other sensitive information via unencrypted e-mail.
From the FTC news release (my links and emphasis added):
"....despite Superior's claims that sensitive personal information collected at its www.supmort.com Web site was encrypted using secure socket layer technology, the information was only encrypted while it was being transmitted between a visitor's web browser and the Web site's server. Once the information was received at the Web site, it was decrypted and e-mailed to Superior's headquarters and branch offices in clear, readable text. The agency alleged that these claims were deceptive and violated the FTC Act."
Under the terms of the settlement, the company has to stop making claims that it is protecting its customers' privacy, and it has to hire a third-party auditor to check on and certify its security procedures every two years for the next decade.
In my opinion, given how much sloppy security like this contributes to identity theft and identity fraud (the fastest-growing forms of white-collar crime in the nation, according to the FTC), companies such as Superior should face fines and criminal charges when they fail to protect the information they have sworn to safeguard. Granted, the FTC can only bring civil charges, but I hope consumers will vote with their wallet (and their identity) and not reward this kind of behavior.
Posted by: Adam S | September 29, 2005 10:26 AM | Report abuse
Posted by: Michael | September 29, 2005 1:48 PM | Report abuse
Posted by: Switch providers? | September 29, 2005 3:21 PM | Report abuse
Posted by: Kim Z | September 30, 2005 2:20 PM | Report abuse
Posted by: als | October 4, 2005 8:56 PM | Report abuse
The comments to this entry are closed.