The Federal Trade Commission is on the alert for companies that are violating the Gramm-Leach-Bliley Act's data-security provisions. The rules affect many direct marketing service providers, but may have slipped under the industry's privacy radar.
Gramm-Leach-Bliley's disclosure requirements have received the bulk of the DM industry's attention. Since July 1, 2001, the law has required financial institutions to issue annual privacy disclosures regarding the sharing of personal information and offer consumers the chance to opt out.
But another piece of the law, known as the Safeguards Rule, has broad implications for any company “significantly engaged” in financial services. It requires the implementation of electronic and physical security and disaster-recovery programs to protect personal financial data. Fines of up to $11,000 per violation can be assessed.
The rule also affects outsourcers that provide services for these companies. Financial services companies can be held liable for violations of the rule by their vendors, so many demand compliance from outsourcers.
The Safeguards Rule took effect in May 2003. Yet even a year later, compliance has been mixed, according to the FTC. The agency has conducted no surveys of industry compliance with the rule, but has gathered information based on piecemeal investigations.
“Anecdotally, from our investigations and from what we hear, it is a very mixed situation,” said Jessica Rich, assistant director in the FTC's bureau of consumer protection. “Many companies are complying. We're concerned that many aren't.”
The FTC has moved to enforce the Safeguards Rule. It announced an agreement in November with Sunbelt Lending Services Inc., Clearwater, FL, a Cendant subsidiary, and Nationwide Mortgage Group Inc., Fairfax, VA. Both companies agreed to avoid future violations of the rule.
A call to Cendant was not returned. In November, Sunbelt president Chris Cope told Reuters that the FTC complaint involved a lead-generation program on Sunbelt's Web site.
John Eubank, president of Nationwide Mortgage Group, told DM News that he is considering closing his company because the cost of complying with the Safeguards Rule is too great. He estimated compliance would cost $70,000 annually, about one-third of his company's annual net income. A lawyer told him that fighting the FTC complaint would cost at least $250,000, with no guarantee of success.
“You really don't have a choice,” Eubank said. “If I fight, they could come after me, and I'd face tremendous fines. I don't want to take that chance.”
Other companies with the resources to comply are looking to use their security measures as a positive. Transcontinental Direct, Warminster, PA, has seen increased interest in security from its clients, said Don McKenzie, company president.
McKenzie, who has called for greater security measures in the printing industry, welcomes the increased stringency and expects security to play a greater role in vendor selection in the coming year.
“It's more a feeling than a fact,” he said. “But I think this is going to become more and more of a key issue over the next few months.”
In early fall, a Transcontinental Direct client — a major U.S. financial institution McKenzie declined to name — asked the firm to submit to a security audit. The client sent an audit team to gauge Transcontinental Direct's compliance with aspects of the Safeguards Rule, including building security, data protection and disaster-recovery readiness.
The auditors walked the perimeter of Transcontinental Direct's building to check physical security and sent an “ethical hacking team” to try to break the printer's data security system. They examined employee training, confidentiality agreements and background-check policies. They asked about the printer's adherence to best practices and about its supply chain regarding vendors working for Transcontinental Direct that could indirectly cause a liability problem for the client.
“This was one of the most thorough audits I've been through in five or six years,” McKenzie said. “It's all driven by Gramm-Leach-Bliley.”
Transcontinental Direct had put a security team in place in July, he said. It now has a full-time safety and compliance officer and continues to invest in security measures.
A greater worry for some companies that handle financial data would be a security audit by the FTC. The FTC declined to reveal how it decides which companies to audit, but said it often conducts sweeps of entire industries.
Eubank's company got caught in a sweep of the mortgage industry. The investigation started innocently enough when the FTC asked him to complete a “questionnaire” in December 2003, Eubank said. The questionnaire turned out to be a 40-page interrogatory document.
Furthermore, the FTC appeared to be mistaken about Nationwide Mortgage's business, he said. The FTC thought the company was a mortgage lender, but it really is a broker that arranges loan applications for lending companies. Eubank said he told the FTC it had him confused with a bigger company but was told to fill out the questionnaire anyway.
In January, the FTC asked to speak to Nationwide Mortgage's HR and IT people, but the company, with just five support staff and 15 loan officers, is mainly run by Eubank himself. He said he was too busy to meet with the FTC, but later received a subpoena.
After being questioned by FTC attorneys, Eubank believed the agency realized its mistake. Yet five months later, the FTC returned with a consent order, offering Eubank the choice of taking a deal or going to court. Eubank took the deal.
According to the FTC, the Safeguards Rule is scalable so that smaller companies dealing with less-sensitive information have a lower security standard to meet. But Eubank said his company financially couldn't meet some of the requirements, such as having a remote location — a second office — available in case of a disaster.
The FTC gave Eubank six months from mid-November to comply. He said he likely would close Nationwide Mortgage once that deadline arrives. Eubank thinks other companies are in danger of the same fate.
“I doubt there's a handful of companies doing it correctly,” Eubank said.
Scott Hovanyetz covers legal issues for DM News.com.