Privacy & Information Security Law Blog

On November 12, 2014, the Federal Trade Commission announced that in response to FTC complaints, a federal court has ordered two debt brokerage companies to notify over 70,000 consumers whose sensitive personal information was posted on a public website by the debt brokerage companies.

The two defendants are debt brokers that sell portfolios of consumer debt for eventual collection by third party debt collectors. The FTC alleged that the defendants attempted to sell their portfolios by posting them on a public online marketplace in the form of unencrypted, unprotected Excel spreadsheets. These spreadsheets allegedly contained sensitive personal information, including the indebted consumers’ bank account and credit card numbers, birth dates, contact information, employers’ names, and information about debts the consumers allegedly owed. Based on these allegations, the FTC charged these defendants in two separate complaints with violating Section 5 of the FTC Act by unfairly exposing consumers’ personal information without their knowledge or consent.

In separate decisions, the court found that there was good cause to believe that the defendants engaged in acts and practices that violated Section 5 of the FTC Act. Through the issuance of preliminary injunctions, the court required the defendants to provide notice to the consumers whose sensitive information had been posted. The court also ordered the defendants to notify the affected consumers of how they can protect themselves against identity theft and other fraud in light of the disclosures.

According to Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, “[d]ebt brokers and collectors who play fast and loose with people’s sensitive personal and financial information are causing tremendous harm.” Rich warned that “[c]ompanies must treat sensitive consumer information with appropriate care and security, and the FTC will take action when they fail to do so.”