Mortgage Company Settles Information Security Charges: FTC

Superior Mortgage Corp., a lender with 40 branch offices in 10 states and multiple Web sites, has agreed to settle Federal Trade Commission charges that it violated federal law by failing to provide reasonable security for sensitive customer data and falsely claiming that it encrypted data submitted online, the FTC announced yesterday.

The settlement bars future deceptive claims and requires the company to establish data security procedures that will be reviewed by independent third-party auditors for 10 years, according to the FTC.

“The FTC’s Safeguards Rule, enacted under the Gramm-Leach-Bliley Act, requires financial institutions, including lenders like Superior, to implement reasonable policies and procedures to ensure the security and confidentiality of sensitive customer information,” the FTC said in a statement.

According to the FTC, Superior maintained customers’ Social Security numbers, credit histories, and credit card numbers, among other sensitive information. The FTC complaint alleges that Superior violated the Safeguards Rule because it, failed to assess risks to its customer information until more than a year after the Safeguards Rule took effect; failed to implement appropriate password policies to limit access to company systems and documents containing sensitive customer information; did not encrypt or otherwise protect sensitive customer information before sending it by e-mail; and failed to ensure that its service providers were providing appropriate security for customer information and addressing known security risks in a timely manner.

The FTC also alleged that despite Superior’s claims that sensitive personal information collected at its www.supmort.com Web site was encrypted using secure socket layer technology, the information was only encrypted while it was being transmitted between a visitor’s web browser and the Web site’s server. Once the information was received at the Web site, it was decrypted and e-mailed to Superior’s headquarters and branch offices in clear, readable text, the FTC said. The commission alleged that these claims were deceptive and violated the FTC Act.

The settlement bars Superior from misrepresenting the extent to which it maintains and protects the privacy, confidentiality, or security of any personal information collected from or about consumers, and prohibits violations of the Safeguards Rule, the FTC said. The settlement also requires that Superior hire an independent, third-party auditor to assess its security procedures every two years for the next 10 years, and to certify that these procedures meet or exceed the protections required by the Safeguards Rule. The settlement also contains certain record keeping requirements to allow the FTC to monitor compliance, the commission said.

Superior Mortgage Corp. is based in Tuckerton, New Jersey. It has offices in New Jersey, Pennsylvania, Florida, Virginia, Maryland, North Carolina, Connecticut, Indiana, and Delaware.