James B. Nutter & Co. has agreed to settle a complaint filed by the Federal Trade Commission that alleged the Kansas City, Mo.-based lender failed to safeguard customers’ personal information, which resulted in a hacker sending millions of spam emails from the company’s computer network.
The complaint alleged that JB Nutter, from at least September 2004 to at least November 2008, failed to provide reasonable and appropriate security for personal information.
“As a result, an intruder was able to direct respondent’s computer network to send millions of outgoing spam emails without its knowledge, and could have accessed personal information without authorization,” the complaint said.
The lender was also accused of violations involving its customer privacy notices. The FTC said the alleged conduct violated the commission’s rules pursuant to the Gramm-Leach-Bliley Act (GLBA).
Without admitting wrongdoing, JB Nutter has agreed to establish and implement a comprehensive information security program that will be audited every two years by an independent third party for 10 years, according to the consent agreement. This includes requiring service providers by contract to implement appropriate safeguards.
A statement from JB Nutter said there was an isolated incident five years ago when an outside user was able to send outgoing emails from one of the company’s personal computers. It said the problem was due to a flaw in industry-standard software the company purchased, which has already been corrected.
“Last year, thanks to the efforts of the FTC, we were able to resolve some issues relating to data security that were raised by a GLBA audit,” stated President James B. Nutter Jr. “These issues were technical in nature and did not involve any incident where personal financial information was improperly obtained.”
The FTC announced the settlement on May 5 during testimony on data security before the House Energy and Commerce Committee’s Subcommittee on Commerce, Trade and Consumer Protection.


