Mortgage Co. Slapped by FTC, Affiliates to Follow?
- By: John Andrews, 30th Sep 2005
Mortgage Company Settles Information Security Charges
Will it be long before mortgage lead generators (affiliate marketers) have to submit to security audits and/or get "certified"?
Superior Mortgage Corp., a lender with 40 branch offices in 10 states and multiple Web sites, has agreed to settle Federal Trade Commission charges that it violated federal law by failing to provide reasonable security for sensitive customer data and falsely claiming that it encrypted data submitted online, the FTC announced yesterday.
They were pursued under the FTC’s Safeguards Rule, stemming from the Gramm-Leach-Bliley Act. Among the claims was:
did not encrypt or otherwise protect sensitive customer information before sending it by e-mail
But this was more than just unencrypted data on websites. They reportedly used SSL properly for user submissions of Social Security numbers and such, but their back-office operations then emailed that info (let's call them "leads", shall we?) between offices. It was that behind-the-scenes sloppiness that got the Feds to pursue the mortgage company for deceptive practices.
The FTC also alleged that despite Superior’s claims that sensitive personal information collected at its ... web site was encrypted using secure socket layer technology, the information was only encrypted while it was being transmitted between a visitor’s web browser and the Web site’s server. Once the information was received at the Web site, it was decrypted and e-mailed to Superior’s headquarters and branch offices in clear, readable text, the FTC said. The commission alleged that these claims were deceptive and violated the FTC Act.
The settlement imposed security audit requirements for the future as well.
Will mortgage lead generators (a.k.a. affiliate marketers) be required to submit to security audits and get certification in the future? I don't see how a financial company can collaborate with leads brokers without it, based on this action (?).

Quite right too.
We realised we had this problem 2 years ago and put all sensitive info into our secure database to eliminate the need to mail it.
Now in our upgrade we are encrypting it internally so even if someone steals the database they still won't have the information.
And we are a piddly travel company, so banks should know better.
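The two points made so far, that SSL only protects data while it is in flight between the browser and the server, and that encrypting the stored data means a stolen database copy is useless without the key, are easy to demonstrate. The following is an added example, not code from this thread or from any company named in it. It seals a single sensitive field (the SSN on a constructed lead record) with AES-256-GCM as soon as the server receives it, binds the record's ID into the ciphertext so a value cannot be moved between rows, and assumes the key lives outside the database (in a KMS or HSM in practice; here it is generated at runtime). The function and record names are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// NewKey returns a fresh 256-bit AES key. In a real deployment the key is
// held by a key-management service, never in the same database as the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField seals one sensitive value with AES-256-GCM under key.
// recordID is bound in as associated data, so a ciphertext copied onto a
// different record fails to decrypt. Output is base64(nonce || ciphertext || tag).
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	if len(key) != 32 {
		return "", errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Any error (wrong key, wrong record,
// modified ciphertext) is reported as one opaque failure.
func DecryptField(key []byte, recordID, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong record, or tampered data")
	}
	return string(pt), nil
}

// LeaksPlaintext reports whether the stored value still exposes the secret,
// which is what someone holding a copy of the database (or an e-mail) would see.
func LeaksPlaintext(stored, secret string) bool {
	return strings.Contains(stored, secret)
}

func main() {
	key, _ := NewKey()
	// Constructed sample lead; the SSN is a made-up value.
	const recordID, ssn = "lead-42", "123-45-6789"
	stored, _ := EncryptField(key, recordID, ssn)
	fmt.Println("stored column value:", stored)
	fmt.Println("plaintext visible in storage:", LeaksPlaintext(stored, ssn))
	back, _ := DecryptField(key, recordID, stored)
	fmt.Println("recovered with key:", back)
	_, err := DecryptField(key, "lead-43", stored)
	fmt.Println("moved to another record:", err)
}
```

The design choice worth noting is the associated data: without it, an attacker with write access to the database could swap encrypted values between customers without knowing the key, and the application would happily decrypt the wrong person's data.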
See your point
Interesting case. Maybe the affiliates that collect the consumer data themselves, but most affiliates are just sending a click through a banner and the customer info is on the mortgage site, so affiliates would not have any personal info.
Why would affiliates follow?
I don't see the connection. How did you come to that conclusion based on this case? Do you, as an affiliate, collect sensitive personal information? I've never done that doing many kinds of affiliate work ...
You might if you use XML or if you just keep the data from the forms.
> Do you, as an affiliate, collect
Mikkel, while I've not done it (nor understand all of the process), I know of some affs who said they worked deals far beyond the white label stuff in pharm and, yes, mortgages. In this type of setup, they were in charge of the form data and the merchant was just a recipient.
That said, I don't think the Safeguards Rule applies to affiliates per se, but to financial institutions; could be wrong, though.
if I were a "financial institution"
The term "financial institution" was broadened with the Patriot Act. It can be stretched to unbelievable inclusions.
Anyway, if I were an institution responsible to regulation, and I had a deal in place to purchase leads from marketers, where they have websites collecting name/email/intent or desire to engage/IP address, would I want some written assurance of info security from them, or indemnity?
If I had no such assurance, and they got in trouble for loose protections, would I be pulled into the legal tangle?
If I was audited, would my contracts with those affiliates be scrutinized for security efforts?
Perhaps it is helpful to look at CAN-SPAM and the impact it had on business relationships between list brokers and buyers. You could sell a list pretty easily before CAN-SPAM if you merely claimed it was opt-in (with no real definition of opt-in). After CAN-SPAM, those lists were significantly de-valued (worthless?) without proof of opt-in or double-opt-in status, along with strict definitions etc. Of course it's changed since then, but immediately after CAN-SPAM things got hectic.
Transparency seems to be the future. Given that, how can we afford transparency with all of the abuse that goes on?
Smart PHARM & DEBT affiliates collect the data on their own form and pass it on.
The only way to keep the PHARM & DEBT merchants from skimming.