FTC settles data security case

Nations Holding Co. (NHC), a real-estate firm operating in 44 U.S. states, has settled a data security case after the U.S. Federal Trade Commission (FTC) accused it of allowing a common Web attack to compromise customer data, the FTC announced Wednesday.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

The FTC also accused NHC and its Nations Title Agency (NTA) subsidiary of disposing of home-loan applications containing customers' personal data by throwing them into a public dumpster.

NHC, a privately held company in Kansas City, Kansas, must improve its information security practices and submit to biennial audits of its security practices for the next 20 years under the FTC settlement, FTC chairwoman Deborah Platt Majoras said. The settlement bars the company and owner Christopher Likens of making deceptive claims about privacy and security policies.

Majoras called NHC's data-handling practices "careless" during a speech at a Washington, D.C., data security conference sponsored by the Progress & Freedom Foundation, a free-market think tank.

"Data security has been surprisingly lax at a number of companies," she said. "The cases we're bringing have not been close calls."

NHC and NTA routinely obtain personal consumer information, including names, Social Security numbers, credit histories, and bank and credit card numbers, from banks, real-estate brokers and customers, the FTC said.

NHC and NTA made claims about its privacy and security policies that it did not honor, the FTC said.

Since 2003, the companies failed to deploy several data-protection measures, the FTC said:

-- They failed to assess risks to the information they collected and stored, both online and offline.

-- They did not implement "simple, low-cost, readily available" defenses to common Web site attacks.

-- They failed to implement "reasonable" polices in key areas such as employee screening and training, as well as the handling of personal data.

-- They did not employ reasonable measures to detect and respond to authorized access to data and did not conduct security investigations.

A hacker in April 2004 used a common Web attack to gain access to NHC's computer network, said the FTC, which did not specify the type of attack. In February 2005, a Kansas City television station found intact paperwork containing NHC customers' personal information in a dumpster outside the company's building, the FTC said.

The FTC looks for reasonable security measures, and in some data breach cases, the agency does not file a complaint against the company that lost the data, Majoras said. The agency has concluded in several cases that the breached company was employing reasonable security practices and should not be charged for unfair or deceptive trade practices, she said.

"I emphasize the standard is reasonableness, not perfection," she said.