Lax Security Can Lead to Audits

Nations Holding, a real estate company operating in 44 states, must improve its information security practices and submit to biennial security audits for the next 20 years under a settlement with the Federal Trade Commission.

The FTC charged that the company had allowed a common Web attack to compromise customer data, and that its Nations Title Agency (NTA) subsidiary had disposed of home-loan applications containing customers’ personal data in a public Dumpster.

The resolution is similar to those of several cases the FTC has settled in the past couple of years, including cases against DSW, a footwear retailer, and BJ’s Wholesale Club, in which customer data was compromised. Data broker ChoicePoint received an even stiffer penalty in January—a $15 million fine—partly because it failed to tighten its procedures after law enforcement alerted the company to fraudulent activity.

“Data security has been surprisingly lax at a number of companies,” said FTC Chairwoman Deborah Platt Majoras in a recent speech, adding that the agency looks for “reasonableness, not perfection” in company security practices. “The cases we’re bringing have not been close calls,” she said.

Nations Holding and NTA obtain personal consumer information, including names, Social Security numbers and credit histories to provide home purchasing services such as appraisals and title insurance.

Among the company’s security lapses, the FTC said, were the failure to implement “simple, low-cost, readily available” defenses to common website attacks and the failure to implement “reasonable” policies in key areas such as employee screening and training or the handling of personal data.

The FTC said that in April 2004, a hacker used a common Web attack to gain access to Nations Holding’s computer network. The agency did not specify the type of attack. In addition, the FTC said, in February 2005, a Kansas City TV station found paperwork containing customers’ personal information in a Dumpster ¿outside the building.