Equifax, one of the top three consumer reporting agencies in America, settled Federal Trade Commission (FTC) charges that Equifax made money from improperly selling information about millions of consumers who made late mortgage payments. Yes, you read that correctly. Equifax compiled and sold private consumer data; actions contrary to what Equifax says they stand for.
FTC’s issued a press release on October 10th saying:
“Equifax sold more than 17,000 prescreened lists of consumers to companies including Direct Lending Source, Inc., which subsequently resold some lists to third parties, who used their data to pitch loan modification and debt relief services to people in financial distress.”
Unsettling news. The FTC also noted:
The FTC alleged that between January 2008 and early 2010, Equifax sold Direct Lending and its affiliates lists of people who met selected criteria – known as prescreened lists. According to the agency’s complaint, the lists contained information about millions of consumers, including sensitive information such as credit scores and whether they were 30, 60, or 90 days late on their mortgage payments.
According to the FTC, neither Direct Lending nor its affiliates, Bailey & Associates Advertising, Inc. and Virtual Lending Source, LLC, had a legally permissible purpose to obtain the prescreened lists. Under the FCRA, the only permissible purpose for obtaining a prescreened list is to make “firm offers of credit or insurance” – which are offers that will be honored if consumers meet pre-selected criteria. Using a prescreened list for general marketing purposes is not allowed. The FTC charged that Direct Lending sold the information to third parties that then used it to market products to consumers in financial distress, including companies that have been the subject of law enforcement investigations.
The FTC alleged that, in addition to providing the lists to entities without a permissible purpose and having inadequate procedures to prevent this from happening, Equifax failed to properly investigate when it learned Direct Lending was violating Equifax’s internal policies on prescreening. The FTC also alleged that Equifax knew or should have known that in many cases Direct Lending resold the lists without telling Equifax who would end up using the information. Despite these failures, the FTC alleged Equifax continued selling prescreened lists to Direct Lending. The FTC alleged that Equifax’s failure to employ appropriate measures to control access to sensitive consumer information was unfair, in violation of Section 5 of the FTC Act.
The FTC says Equifax must forfeit all monies earned from selling 17,000 + prescreened lists to Direct Lending Source who resold the list to other companies. FTC’s website says “Equifax will pay $393,000 to resolve allegations that its inadequate procedures led to the sale of lists of consumer information to firms that should not have received them”. Direct Lending Source must pay a $1.2 million civil penalty. Both, Equifax & Direct Lending (and those that resold these lists) violated the FTC Act and the Fair Credit Reporting Act (FCRA).
Equifax.com says it “empowers businesses and consumers with information they can trust. With a strong heritage of innovation and leadership, we leverage our unique data, advanced analytics and proprietary technology to enrich the performance of businesses and the lives of consumers.” According to the supporting documents on Federal Trade Commission’s website, Equifax betrayed public trust by selling private consumer information and by not have proper management procedures in place.
It’s terribly ironic that one of the companies consumers turn to when their privacy has been breached due to identity theft, actively took part in inappropriate and illegal acts which creates consumer privacy problems. Keeping consumer information private is something every organization that has access to it must take seriously – at all times- from top to bottom. Allowing gaps in procedures to exist, or questionable management decisions to occur, creates an environment where inappropriate and illegal things can happen. This was no small failure. Equifax failed here – with a capital F… and the consumers’ data that remains in circulation continues to put consumers at risk for future crimes.
When an individual or entity fails to keep their word, the nature of the relationships changes. Equifax says they have been trusted for over 100 years to deliver innovative solutions with the highest integrity and reliability, however, Equifax failed to keep sensitive consumer personal data out of the hands of entities that have been subject to law enforcement in the past, which changes the way consumers view Equifax and its leadership. This was no small data breach. Equifax’s reputation is at stake now.
The FTC will accept comments on the Equifax settlement until Friday, November 9, 2012.
What do you think about Equifax? Did Equifax betray consumers trust?