FTC and Mortgage Broker Reach Settlement Over Personal Information Disclosures in Yelp Review Responses | Practical Law

FTC and Mortgage Broker Reach Settlement Over Personal Information Disclosures in Yelp Review Responses | Practical Law

The FTC has settled claims arising from a mortgage broker's disclosure of customers' nonpublic personal information in its responses to negative consumer reviews.

FTC and Mortgage Broker Reach Settlement Over Personal Information Disclosures in Yelp Review Responses

by Practical Law Data Privacy Advisor
Published on 09 Jan 2020USA (National/Federal)
The FTC has settled claims arising from a mortgage broker's disclosure of customers' nonpublic personal information in its responses to negative consumer reviews.
On January 9, 2020, the FTC announced a settlement with mortgage broker Mortgage Solutions FCS, Inc. and its owner, Ramon Walker, resolving allegations over their unlawful disclosure of customers' personal information on the internet.
The FTC's complaint alleged that Mortgage Solutions' and Walker's responses to negative online reviews on the consumer review website Yelp.com contained personal information about the customers who posted the reviews, including their income sources, credit histories, family relationships, health, and first and last names. The FTC alleged that Mortgage Solutions and Walker violated:
  • The Fair Credit Reporting Act (FCRA) (15 U.S.C. §§ 1681 to 1681x) by publicly disclosing information obtained through customer credit reports without a legitimate or permissible purpose.
  • The Privacy Rule of the Gramm-Leach-Bliley Act (GLBA) (15 U.S.C. §§ 6801 to 6809) by:
    • disclosing information that its privacy policy stated would not be shared; and
    • not providing customers an opportunity to opt out of disclosing their personal information in response to negative reviews.
  • The GLBA's Safeguards Rule by failing to timely implement an information security program and, once implemented, failing to regularly test or assess the program's effectiveness.
  • The FTC Act's prohibitions of unfair or deceptive trade practices (15 U.S.C. § 45(a)(1)) by depriving customers of the opportunity to control the dissemination of their personal information.
The settlement requires Mortgage Solutions and Walker to pay a $120,000 civil penalty and to:
  • Use consumer reports only for the purposes FCRA permits.
  • Refrain from misrepresenting their privacy practices.
  • Provide a privacy notice to customers.
  • Refrain from disclosing customers' personal information unless they have:
    • clearly disclosed to the customer the categories of personal information to be disclosed and the identities or categories of recipients, in a separate document from a privacy policy; and
    • obtained the customer's express consent.
  • Implement and maintain a comprehensive written information security program that includes:
    • annual assessments and effectiveness testing; and
    • safeguards against internal and external security and confidentiality risks.
  • Obtain an independent third-party assessment of their information security program every two years using an FTC-approved assessor.
  • Provide an annual management certification to the FTC regarding the information security program.
  • Promptly notify the FTC of any data breaches that require notification to other authorities.