Thursday, May 7, 2009

Ongoing Issues at the FTC

Here are some issues the FTC currently has on the table with regard to data security and privacy.

Posted Tuesday, May 05, 2009 - Staff infoZine1.

1. The Federal Trade Commission testified on the Commission’s efforts to promote better security for sensitive consumer information and to prevent the inadvertent sharing of consumers’ personal or sensitive data over Peer-to-Peer Internet file-sharing networks. As part of these efforts, the agency also announced that it had reached an agreement with one of the largest privately held lenders in the United States to resolve charges that the company violated federal law by failing to provide reasonable security for consumers’ sensitive information.

2. In testimony before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection, Acting Director of the Bureau of Consumer Protection Eileen Harrington said the agency strongly supports the goals of H.R. 2221, the Data Accountability and Trust Act, which would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The legislation also would give the Commission the authority to obtain civil penalties for violations.“A critical element of privacy is data security. If companies do not protect the sensitive consumer information that they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm, and consumers could lose confidence in the marketplace,” the testimony stated.

3. The Commission made two further recommendations regarding the data security legislation: It suggested that the legislation be extended to cover data stored on paper, as well as electronic data. It also recommended that certain provisions imposing obligations on information brokers – companies whose business is to collect and sell information about individuals who are not their customers – be targeted specifically to address harms consumers may face when brokers sell information about them, to the extent that such harms are not already addressed by federal law. These provisions should not displace existing legal protections.The FTC currently enforces several laws that restrict the disclosure of consumer information and require companies to ensure the security and integrity of the data in certain contexts: the Fair Credit Reporting Act restricts disclosure of consumer credit reports except for specified permissible purposes; the Gramm-Leach-Bliley Act imposes privacy and security obligations on financial institutions; and the FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce.

4. Using its authority under these laws, the testimony noted, the Commission has brought 26 law enforcement actions since 2001 against companies that allegedly failed to maintain reasonable procedures to protect consumers’ personal information, including a case the agency has just settled against James B. Nutter & Company. The company is based in Missouri and makes and services residential mortgage loans around the country. It collects information from loan applicants, including their Social Security numbers, financial information, and employment and credit histories. The Commission’s complaint alleges that, beginning in 2004, JBN engaged in a number of practices that taken together failed to provide reasonable and appropriate security for sensitive consumer information, in violation of the FTC’s Safeguards Rule. In addition, the complaint alleges that the company violated the FTC’s Privacy Rule by failing to provide privacy notices and, later, providing notices that were inaccurate. To settle these charges, JBN has agreed to a proposed order that would require it to establish and maintain a comprehensive data security program covering consumers’ personal information, and to hire an independent auditor to assess its security procedures every two years for 10 years, and to certify that these procedures comply with the proposed order. The proposed order also bars JBN from violating the agency’s Safeguards and Privacy Rules.The Commission previously has filed data security cases against retailers TJX, CVS Caremark and DSW Shoe Warehouse, and the data brokers ChoicePoint and Reed Elsevier, Inc., which operates Lexis Nexis and Seisint, Inc. The FTC also promotes better data security practices through extensive consumer and business education, the testimony stated. On the policymaking front, the FTC recently proposed a rule that would require that consumers be notified when the security of their health information is breached. In addition, the FTC is examining privacy issues associated with behavioral advertising and the use of personal health records and cloud computing networks.

5. The testimony also details the Commission’s activities with regard to inadvertent file sharing on P2P networks. Although P2P technologies hold potential benefits for computer users and businesses, they also can raise the risk that sensitive information will be made available over P2P networks, either through inadvertent sharing or through malware. The testimony noted that the agency has brought cases related to P2P file sharing, has helped P2P software developers devise voluntary best practices to help consumers prevent inadvertent file sharing, and continues to monitor efforts by companies to comply with these practices. The Commission also has held a workshop on P2P, issued a report, and alerted consumers to the risk of inadvertent file sharing. The testimony stated that the Commission also is supportive of H.R.1319, the Informed P2P User Act, legislation that would set a minimum standard for P2P software companies to follow in notifying consumers about what files a P2P program will share, and in obtaining consent from consumers before the files are made available. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through June 8, 2009, after which the Commission will decide whether to make it final. To file a public comment, please click on the following hyperlink: and follow the instructions at that site.

We are seeing, among other things from the existing laws and the new bills being introduced by Congress, a new direction in privacy and data security legislation. The convergence of these discussions suggests that a common set of compliance and consumer notification regulations are nearer than previously thought. There are laws that focus on financial data, medical data, usage of Social Security numbers, credit cards and so forth. Until now each of these is based on a different set of data. As the new Red Flags Rule points out there is no real significance in the type of data as long as the data has a value to criminals and those who do not seek to protect but exploit the data. This kind of thinking is creating the unification of regulatory practices proposed by new bills such as HR. 2221.

Theft or loss of sensitive personal information, or the exploitation of sensitive information without regard to individual privacy cannot be tolerated in any form. Neither can failing to notify individuals who might be at increased risk. The responsibility to safeguard sensitive personal information is squarely on the shoulders of industry and government agencies that use and store the information. It is obvious that industry will not police itself as seems to also be true in our current economic crisis.
It is therefore inevitable given that reality that the regulating authority will step in and create a set of guidelines to compel industry to comply. I would urge every business and local government authority to pay close attention to these discussions above and realize that identity theft and data theft are with us, perhaps permanently, and will require diligence on everyones part, just as we do in other areas of modern life..

No comments: