Sensitive Consumer Information Sent Without Being Encrypted

Superior Mortgage Corp. wasn’t so superior in protecting consumers’ information online.

The New Jersey company agreed to a consent order with the Federal Trade Commission (FTC) for alleged violations of the agency’s Standards for Safeguarding Customer Information Rule and security misrepresentations regarding the mortgage lender’s online practices. Superior conducts business through 40 branches in 10 states and six websites, including www.supmort.com.

As part of the loan application process, the websites collected personal information via an online application form, including names, addresses, dates of birth, Social Security numbers, credit history, and bank and credit card account numbers. The website proclaimed that “all information submitted is handled by SSL encryption.”

However, the encryption applied only while the information was in transit between a visitor’s web browser and the website’s server, the FTC said in its complaint. “[O]nce the information reached the server, it was decrypted and emailed to respondent’s headquarters and branch offices in clear, readable text.” As a result, the FTC said the website’s statement was misleading.

The settlement bars the company from misrepresenting how it protects the privacy, confidentiality or security of any personal information collected about its customers. It also requires Superior to hire an independent third party to audit its security procedures every two years for the next 10 years. The Safeguard rules were adopted by the FTC under the Gramm-Leach-Bliley Act, which requires financial institutions to implement reasonable policies and procedures to ensure the security and confidentiality of sensitive customer information.

In the Matter of Superior Mortgage Corp., Federal Trade Commission File No. 0523136, September 28, 2005.