Credit Suisse First Boston Mortgage Securities Corp. has paid $500,000 in penalties for disclosing the personal information of more than 1,000 borrowers in a public filing.
The investment banker agreed to the payment in civil penalties and costs and attorneys' fees for disclosing on the Internet the social security numbers and other personal information of mortgage borrowers on 1,224 California properties.
It also agreed on Wednesday to enhance its security procedures and its employee training programs to ensure the protection of its clients' nonpublic information, according to San Francisco District Attorney Kamala Harris.
"This settlement sends a clear message to business: if you fail to protect the privacy of your customers, you will be held accountable," she said.
The disclosures occurred around March 15, 2006, when it was "included in an exhibit attached to Defendant's 8-K filing with the Securities & Exchange Commission, which was thereafter posted by the SEC on its Website," according to Harris' June 27 filing in San Francisco Superior Court. "At no time did any of said property owners consent to the public disclosure of this information."
The penalties, which were paid on June 27, included $400,000 in civil penalties and $100,000 in costs and attorneys' fees.
The disclosure thus occurred "in violation of state and federal law," the complaint further states.
"The people, the customers who were affected in this case, have all been contacted," Assistant District Attorney June D. Cravett, who handled the business tort civil case against Credit Suisse, told MortgageDaily.com, and, she said, there was never any indication that the personal information had been used for criminal purposes.
Because the SEC merely posted the information to its Web site as part of the filing it had received, as it posts all filings it receives, Cravett said, "I don't think the SEC can be held accountable for the content of the filings. That would be an enormous burden to place on that agency."
A Credit Suisse agent unintentionally included the personal information in an exhibit that was attached to the SEC filing, she explained.
"Once Credit Suisse became aware of the situation they were quite diligent in taking the steps necessary to put into place procedures to make sure something like this didn't happen again," she said. "And they cooperatively worked with us to make sure the information that was disclosed was removed from every possible Internet link and database. That was of key importance."
While Credit Suisse did not respond to requests for statements, they did issue a statement saying, "We took immediate action once we learned of this inadvertent disclosure and we continue to strengthen our internal policies and procedures to protect the privacy of our customers and clients."
Credit Suisse is scheduled to be back in San Francisco Superior Court on November 30.