From the FTC:
… Using its authority under these laws, the testimony noted, the Commission has brought 26 law enforcement actions since 2001 against companies that allegedly failed to maintain reasonable procedures to protect consumers’ personal information, including a case the agency has just settled against James B. Nutter & Company. The company is based in Missouri and makes and services residential mortgage loans around the country. It collects information from loan applicants, including their Social Security numbers, financial information, and employment and credit histories. The Commission’s complaint alleges that, beginning in 2004, JBN engaged in a number of practices that taken together failed to provide reasonable and appropriate security for sensitive consumer information, in violation of the FTC’s Safeguards Rule. In addition, the complaint alleges that the company violated the FTC’s Privacy Rule by failing to provide privacy notices and, later, providing notices that were inaccurate. To settle these charges, JBN has agreed to a proposed order that would require it to establish and maintain a comprehensive data security program covering consumers’ personal information, and to hire an independent auditor to assess its security procedures every two years for 10 years, and to certify that these procedures comply with the proposed order. The proposed order also bars JBN from violating the agency’s Safeguards and Privacy Rules.
Full Press Release
The complaint (pdf) details the security and privacy issues leading to the FTC action.
Agreement with Consent Order (pdf)
Update of June 16: the final consent order was approved.