Cracking Down: FTC Fines Credit Research Firm $500,000 For Lax Security, Obtains Court Order Requiring Company to Develop "Comprehensive Information Security Program"

On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC's claims that the firm had failed to provide adequate security for sensitive consumer information, which it provided to identity thieves posing as legitimate users. According to the FTC, the faults in RRS's security amounted to "unfair acts or practices" in violation of the FTC Act. RRS and Mikkelson were fined $500,000, but the fine was suspended in light of the company's present financial condition. Also, in a move that echoes the FTC's past enforcement of information security standards under the FTC Act and foreshadows future enforcement of Red Flags regulations, the terms of the FTC's court order require RRS to develop a "comprehensive information security program that is designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers" and submit itself to independent security audits every 2 years until 2029.

Especially in view of the upcoming May 1, 2009 deadline for compliance with federal Red Flags regulations, this case may be a good example of what we can expect to see from federal and state regulators in enforcing existing and future information security standards, especially with respect to consumer data providers.  Below I will summarize the case and identify the key elements of the information security program that the FTC required.

RRS is a Minnesota company that sells residential tenant screening reports that contain consumers' names, Social Security numbers, dates of birth, financial account numbers and a range of credit reporting information. Landlords use these screening reports to determine whether to rent to individual tenants.

According to the FTC complaint filed in federal court in Minnesota, RRS and Mr. Mikkelson sold 318 screening reports directly to identity thieves posing as legitimate businesspeople. The FTC alleged that RRS required landlord applicants to identify the name of their businesses and provide contact information, but also that RRS did not have a consistent standard for authenticating that applicants were who they said they were. RRS allegedly would sometimes provide consumer screening reports without requiring any documentation or performing any investigation of its users. The FTC asserted that RRS's conduct constituted an "unfair act or practice" in violation of Section 5(a) of the FTC Act (15 U.S.C. § 45(a)). RRS has posted a press release indicating that, like the affected consumers, it fell victim to "experienced, technically sophisticated identity thieves" that had access to the affected consumer names, Social Security numbers and dates of birth prior to using RRS's service. RRS and the FTC negotiated a resolution to the FTC's claims, and the terms of their agreement were entered as a Stipulated Final Judgment and Order in the federal district court.

There are several important lessons to be learned from this case. First and foremost, businesses should be managing information security broadly, not attempting to satisfy only specific rules governing limited categories of information. The FTC has been enforcing information security for over 10 years now as "unfair or deceptive acts or practices" under Section 5 of the FTC Act. Any business that believes it is immune to the Red Flags Rules, state identity theft regulations or the larger framework of specific privacy and information security rules may still need to adopt an information security program to meet this general standard. Because "unfair" acts are those characterized by "substantial injury," many kinds of information that may not fall squarely into state identity theft statutes could be covered by the FTC Act if they create or contribute to identity theft or cause some other kind of damage. A business that ignores the general need for information security is exposing itself to significant liability, not only in the event that the FTC steps in, but also because state consumer protection laws, such as Mass. Gen. Laws ch. 93A, also prohibit "unfair or deceptive acts or practices" and permit citizens to bring private causes of action for treble damages and attorneys' fees.

Second, companies need to keep in mind that "reasonable" security measures include being prepared to deal with sophisticated criminals. Here, RRS appears to have relied on the fact that its users already had access to consumers' personal information to ensure that its service was being used for legitimate purposes. The FTC's clear view was that businesses need better authentication procedures if they are going to be providing their customers with access to sensitive personal information -- identity thieves, after all, typically obtain personal information and use it to commit fraudulent transactions.

Third, the $500,000 fine is a reminder from the FTC that it is willing to set a high monetary value on lapses in information security. The fact that the FTC suspended the $500,000 fine based upon the defendants' financial condition also suggests that, at this stage, the FTC may be willing to forego severe punitive measures in the current economic climate if the company commits to taking immediate action to improve its security measures. Companies should expect less of a reprieve from the FTC when the security issue is more egregious.

Fourth, there is no substitute for a comprehensive information security program. It was critical to the resolution in the RRS case that the FTC required RRS to "establish and implement, and thereafter maintain a comprehensive information security program that is designed to protect the security, confidentiality and integrity of personal information collected from or about consumers." In particular, the court's order specifies that an appropriate information security program must:

  1. be in writing;
     
  2. contain "administrative, technical, and physical safeguards appropriate to the entity's size and complexity, the nature and scope of the entity's activities, and the sensitivity of the personal information collected from or about consumers;"
     
  3. designate personnel "to coordinate and be accountable for the information security program;"
     
  4. expressly identify risks to the security, confidentiality and integrity of personal information;
     
  5. assess risks present in "(1) employee training and management; (2) information systems . . . ; and (3) prevention, detection, and response to attacks, intrusions, or other system failures;"
     
  6. include regular testing and monitoring; and
     
  7. contain a procedure for selecting and retaining "service providers capable of appropriately safeguarding personal information."

In addition, the FTC took the position that the best way to ensure future compliance is to require independent security experts to evaluate the performance of a company's information security program. The RRS order expressly requires RRS to submit to onerous biennial security audits for the next 20 years.

Ultimately, we should expect to see the FTC pursuing similar terms when it begins enforcement of the Red Flags regulations in May: (1) stiff fines that may be suspended depending on economic condition and seriousness of the breach; (2) information security programs that contain a standard set of basic elements; and (3) independent security assessments to be submitted to the FTC over extended periods of time.  We should also expect state regulatory agencies around the country to be looking to this case and other FTC enforcement actions as a precedent for their own efforts.  Given the parallels between the information security program ordered in this case and state identity theft regulations, it seems highly likely that state regulatory agencies will be seeking similar orders, or more onerous ones, in their own enforcement efforts. 


Do The Red Flags Regulations Apply to Me? -- Understanding Whether You Are A "Creditor" Under Federal Law

If you are confused about whether you, your company or your clients are subject to federal identity theft regulations, you are not alone. When the Federal Trade Commission (FTC) announced on October 22, 2008 that they were delaying enforcement of the new Red Flags regulations by six months, until May 1, 2009 (which we reported here and here), the FTC admitted that the primary reason for the delay was that many businesses, even whole industries, were “confused” about whether they are governed by the new regulations. (See the FTC’s October 2008 release and Enforcement Policy statement.)

For some industries, this is less a point of confusion and more of a fundamental difference in opinion over whether the federal regulations apply to them at all. For many traditional financial institutions, like banks and credit card companies, there is no dispute because there are specific Red Flags regulations directed at them. See, e.g., 12 C.F.R. Parts 334 & 364. For most other industries, the legal issue at the heart of the matter is whether one can be considered a “creditor” under the general-purpose Red Flags regulations, 16 C.F.R. Part 681, and the operative federal statute, the Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA).

The FTC claims that the term “creditor” applies to any business or entity that allows customers to pay for goods or services after they have been delivered, and has made clear that it intends to enforce the regulations broadly. For example, see the FTC’s October 2008 Enforcement Policy. According to the FTC, virtually anyone that bills its customers is a “creditor” subject to the Red Flags regulations. This means utility companies are covered entities (see the comments to the November 2007 Final Rules [.pdf]), but also consultants, lawyers, doctors, dentists and everyone who gets a check in the mail. The FTC’s construction is so broad, it seems to encompass someone selling an autographed baseball card on eBay who only gets paid after delivery, as well as an employee who receives a paycheck every two weeks in exchange for services rendered. I'll wager that most of us who receive paychecks did not know that somewhere along the line we have become creditors subject to the Red Flags regulations as well as the federal laws governing lending practices.

The real problem with the FTC's interpretation is that it does not seem to bear legal scrutiny. If everyone is a "creditor", then everyone is subject to a host of legal requirements that are primarily enforced against traditional lending institutions. Because the FTC's broad interpretation of “creditor” would severely expand federal lending laws, it is unlikely to find much support among federal courts. Two courts of appeals issued key decisions in 1990 and 2002 indicating that the term "creditor" was not intended to apply to everyone, but only to entities that we might consider lenders by trade or practice. These cases discredit the FTC’s underlying legal position and suggest, as industry groups throughout the country have urged, that the Red Flags regulations only apply to more traditional financial institutions and commercial lenders.

Below, Ramzi Ajami and I explain in greater detail the underlying legal differences in these positions and discuss why the FTC may find itself unable to enforce the new regulations as broadly as it has announced.

The FTC's Bright-Line Rule: A “Creditor” Is Any Business That Receives Payment After Delivery of Goods or Services 

The FTC has made it clear that it broadly interprets the term “creditor” to apply to any business or entity that allows customers to defer payment for goods or services until after they have been provided to the customer. This would include doctors, lawyers and a broad range of for-profit and non-profit businesses and organizations. The FTC has presented this interpretation in a number of public statements:

  • In the commentary to the November 2007 Final Rules, the FTC and other federal rulemakers indicated that the term “creditor” includes traditional lenders “such as banks, finance companies,” but also automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
  • In June 2008 guidance, the FTC indicated “[w]here non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.”
  • On a July 22, 2008 conference call with municipal and state utilities organizations, FTC representatives apparently indicated that the Red Flag requirements apply to all business “operations which provide services before they bill the customer.” [For an industry report on that call see this link (.pdf).]
  • During a conference call with members from the healthcare industry, FTC staff attorneys apparently stated that physicians and hospitals are “creditors” subject to Red Flags regulation “if they do not require full payment up front at the time they see patients, but rather bill patients after the physician’s services are rendered.” The American Medical Association and several other healthcare groups objected to this broad interpretation in a September 30, 2008 letter (.pdf) to the FTC chairman.
  • In its October 2008 Enforcement Policy (.pdf) statement, the FTC affirmed this broad interpretation, stating that “any person that provides a product or service for which the consumer pays after delivery is a creditor.”
  • The FTC’s Chief Privacy Officer Mark Groman reiterated that a “creditor” is any business, including law firms, that “defers payment” in exchange for goods and services during a January 2009 presentation at the Boston Bar Association. [See our piece on that event here.]

From these public statements, it is clear that the FTC has adopted a bright line test: anyone that accepts payment after he/she/it provides goods or services is a “creditor” subject to the Red Flags regulations. In the FTC’s view, the regulations apparently apply equally to doctors who bill their patients after an office visit, and to lawyers and consultants who present their clients with bills for past services on a periodic basis, as they do to banks and credit card companies. Any business that does not demand up-front payment before it provides goods or services to its customers would apparently be a “creditor” under the FTC’s current interpretation and, according to the FTC, should be developing a compliant identity theft prevention program (and, by the way, complying with federal lending laws).

Federal Courts of Appeals: No Bright-Line Rule, Businesses That Accept Payment After Delivery May Not Be A “Creditor”

Notwithstanding the FTC’s statements on this issue, federal court of appeals decisions interpreting who is a “creditor” under federal law have construed the term somewhat narrowly. Importantly, the federal appeals courts have pointedly refused to adopt a bright line standard like the one announced by the FTC. 

Neither the Red Flags regulations nor the FACT Act define the term “creditor.” Instead, they incorporate the definition of “creditor” from a parallel federal statute, the Equal Credit Opportunity Act (ECOA). Under the ECOA, “creditor” is defined as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” “Credit,” in turn, is defined as the “right granted by a creditor to a debtor” to: (1) “defer payment of debt”; (2) “incur debts and defer its payment”; or, most broadly of all, (3) “purchase property and services and defer payment therefor.” As a result, the legal question for many businesses is whether they become a “creditor” simply by accepting payment for their services after they have been completed.

In Shaumyan v. Sidetex Co., 900 F.2d 16 (2d Cir. 1990), the Second Circuit Court of Appeals found that a contractor was not a “creditor” when it allowed a client to make incremental payments for home improvements that included installing siding and replacing doors and windows. In that case, the plaintiffs agreed to make a series of payments over time as work was completed, including an initial deposit, a payment when the work commenced, a payment after the project was half complete, a payment when the siding was installed and a final payment after the windows and doors had been completed. Shaumyan, 900 F.2d at 17. The Second Circuit considered and rejected the argument that this arrangement made the contractor a creditor under the ECOA merely because payment was not made before work began or “instantaneously” when the services were provided. The Court reasoned that “[i]f this proposition were strictly applied . . . countless transactions in which compensation for services is not instantaneous would be characterized as credit transactions. Such indiscriminate application of the ECOA is not appropriate.” Shaumyan, 900 F.2d at 18-19 (internal citation omitted). Instead, the Second Circuit held that the contractor was not a “creditor” because payment was made “substantially contemporaneous” with the work that was performed. Shaumyan, 900 F.2d at 19 (“Since the … payment obligation was substantially contemporaneous with [the contractor’s] performance, the contract was not a credit transaction.”).

More recently, in Riethman v. Berry, 287 F.3d 274 (3d Cir. 2002), the Third Circuit Court of Appeals flatly rejected the FTC’s current interpretation of “creditor.” There, the Third Circuit considered whether a law firm could be considered a creditor because it entered into an attorney fee arrangement that permitted the client to make payments after services were rendered, and allowed for late payments. The Court rejected the plaintiff’s argument that any “post-service billing” (or billing for services or goods already rendered) transformed the law firm into a “creditor” and suggested that the term “creditor” must be limited to more traditional financial institutions. Otherwise “in addition to attorneys' fees, [plaintiff’s] interpretation of the ECOA would embrace doctors' fees, dentists' fees, accountants' fees, psychologists' fees and virtually all other professional fees. In view of the statutory purpose underlying the ECOA, it seems implausible that Congress intended to cover not only banks and other such financial institutions but also all professions.” Riethman, 287 F.3d at 278. 

The Shaumyan and Riethman decisions appear to reject the FTC’s broad interpretation of “creditor” under the ECOA and, not surprisingly, industry groups such as the American Medical Association brought these cases to the FTC’s attention in their September 2008 letter (.pdf). While other cases interpreting the ECOA may offer less support to industry groups resisting the FTC’s broad interpretation, they make clear that the federal courts that have examined these issues have not adopted any bright line tests like the one announced by the FTC.

In particular, the issue of who is a “creditor” under the ECOA has been hotly contested in the context of residential and commercial leases. This has led to a number of decisions from federal circuit courts, and the Federal Reserve Board, the agency empowered to issue interpretive guidance on the ECOA, has weighed in on the issue with a non-binding interpretation asserting that “Congress did not intend the ECOA . . . to cover lease transactions” and warning that enforcing the ECOA against lessors “could impose significant burdens for certain segments of the industry — such as furniture and appliance leasing.” 50 Fed. Reg. 48018, 48019-20 (1985). Key court decisions on this issue include the following cases:

  • In Laramore v. Ritchie Realty Mgt. Co., 397 F.3d 544 (7th Cir. 2005), the Seventh Circuit Court of Appeals held that a residential landlord was not a “creditor” under the ECOA. The Court reasoned that “typical” rental payments are better seen as credits for future services, rather than a deferral of debt for the underlying lease obligation. Laramore, 397 F.3d at 547. However, the Court explicitly left the door open for the ECOA to cover a non-typical residential lease that requires payment at the end of the month for the preceding month’s rent. “For the purposes of this case, we are concerned only with leases that provide for the lease of residential property for a term and roughly equal rental payments are due to the landlord at the beginning of each month during that term.” Laramore, 397 F.3d at 547 n.2.
  • The Court of Appeals for the D.C. Circuit held in Micks at Pa. Ave., Inc. v. BOD, Inc., 389 F.3d 1284, 1289 (D.C. Cir. 2004) that a residential sublease did not transform the sublessor into a “creditor” under the ECOA. The Court was skeptical that merely collecting monthly rental payments constitutes an ECOA “credit transaction” and also justified its holding based on the fact that the ECOA requires that a “credit transaction” be in the “regular” course of business, but the sublessor at issue in the case was a restaurant who did not “regularly” extend subleases. Micks, 389 F.3d at 1289. This decision suggests that the D.C. Circuit, much like the Third Circuit in the Riethman case, may be reluctant to identify “creditors” without also considering the types of goods and services purchased.
  • In a break with other courts, the Ninth Circuit Court of Appeals held that an automobile lease transformed the lessor into a “creditor” under the ECOA. In Brothers v. First Leasing, 724 F.2d 789 (9th Cir. 1984), the Ninth Circuit held that the lessor was a “creditor” because an automobile lease requires a lessee to defer payment of the debt. Brothers, 724 F.2d at 798 n.8.

This much is clear: federal courts of appeals have not adopted the FTC’s bright-line test for what businesses are “creditors.” Instead, the federal courts have applied the ECOA on a case-by-case basis and exhibited a clear reluctance to define “creditor” so broadly that it includes all businesses that bill their customers for past services. In particular, several federal appeals courts and the Federal Reserve Board have indicated that the ECOA was not intended to apply the term “creditor” to industries beyond traditional lending institutions. 

Beyond legal formalities and abstractions, the concern expressed by these courts is grounded in common sense. If the FTC’s broad interpretation is not narrowed, who isn't a "creditor"? Having announced no practical limitations on who is covered by the new rules, the FTC appears ready to push the scope of the Red Flags regulations to new limits. While many individuals and companies may have well-founded legal arguments that they are not subject to Red Flags regulations, anyone that ignores the new rules does so at their peril, given the FTC’s clear intention to enforce the regulations against virtually everyone.

Links:

  • The FTC's website
  • The Federal Register publication of the final Red Flags Regulations is available here (.pdf), or directly from the FTC's website here (.pdf)
  • The FTC's Business Alert from June 2008 is available here (.pdf) and this guidance is available directly from the FTC's website here.
  • The Oklahoma Municipal League's Municipal Policy Review, which reported on FTC public statements is available here (.pdf), or from the Oklahoma Municipal League's website here (.pdf).
  • The September 30, 2008 letter sent by a long list of medical organizations to the FTC chairman is available here (.pdf) or from the AMA's website here (.pdf).
  • The FTC's October 2008 Enforcement Policy Statement may be found here (.pdf) or on the FTC's website here (.pdf).
  • Riethman v. Berry, 287 F.3d 274 (3d Cir. 2002) (.pdf) or directly from the Court of Appeals website (.pdf)

FTC Chief Privacy Officer Mark Groman Presents At The Boston Bar Association

On Wednesday, January 14, 2009, the Boston Bar Association’s Privacy Law Committee hosted FTC Chief Privacy Officer Mark Groman for a brown bag lunch presentation entitled “The View from the Federal Trade Commission’s Chief Privacy Officer.” Here are a couple of highlights from the presentation:

  • Mr. Groman views law firms as businesses subject to FTC Red Flags regulations (“we regulate you, too”), so law firms should be developing identity theft prevention programs to comply with the regulations by the May 1, 2009 deadline.
  •  To comply with FTC’s Red Flags regulations, companies need to use a “risk-based process” to evaluate potential threats and take reasonable and appropriate steps to mitigate them. Every business needs to adopt a written plan, but the FTC will not be talking to us “about particular technology” because there is a consensus that technology moves too quickly for regulators to approve or disapprove of any particular technology or counter-measures. 
  • The FTC has brought 23 cases relating to information security issues. If you need guidance on what security measures the FTC believes must be implemented to meet federal regulations in specific circumstances, Mr. Groman suggested that we review the decisions in those cases. In particular, he suggested that everyone should be taking what he views as simple and inexpensive measures to protect against the SQL injection exploit, in which an individual attempts to insert computer code into a company’s database using the company’s website. (The FTC website refers to this exploit as one of many “commonly known and reasonably foreseeable attacks” that can be protected against by implementing “simple, free or low-cost, and readily available security defenses.”)
  • The primary questions businesses should be asking themselves when they are drafting an identity theft prevention program are: (1) what have you done to date to protect against existing threats?; (2) what is “the technology of the day” used to address those threats?; and (3) “how much does it cost?”
  • Mr. Groman confirmed that there is no one-size-fits-all solution to adopting an identity theft prevention program, and the FTC does not have a model plan to provide affected companies. “Privacy plans are like pants; they have to be tailored.” 
  • The fact that there has been a data breach incident does not mean that a company’s information security program is necessarily at fault. The FTC has investigated “plenty of breaches where the [company’s] security was reasonable” and has also investigated companies that have not had any incidents where the security was insufficient. 
  • The FTC recognizes that businesses, lawyers and whole industries are confused by what the new Red Flags regulations require. The FTC is likely to issue additional guidance on this topic soon.
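The SQL injection point in the third bullet deserves a concrete illustration. The following Python snippet is an added example, not code from the original post or from the FTC, and the customer table and the crafted input in it are constructed for the demonstration. It shows a lookup that builds its SQL by string formatting next to the parameterized form, which is the kind of "simple, free or low-cost" defense the post refers to.

```python
"""Added example (not from the original post): a lookup that splices user
input into SQL text, beside its parameterized replacement, run against an
in-memory SQLite table of constructed customer records."""
import sqlite3

# Constructed sample data; the usernames and account numbers are invented.
SAMPLE_CUSTOMERS = [
    ("alice", "ACC-1001"),
    ("bob", "ACC-1002"),
]


def make_db() -> sqlite3.Connection:
    """Create and populate the in-memory table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, account TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by string formatting, so the caller's input
    becomes part of the query text and can change the WHERE clause."""
    sql = f"SELECT account FROM customers WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the driver binds the input as a plain value,
    never as SQL text, so the same string is compared literally."""
    sql = "SELECT account FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed input containing a quote and an OR clause; no account named
# "x" exists, so a literal comparison matches nothing.
CRAFTED = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice"))   # ['ACC-1001']
    print(lookup_vulnerable(db, CRAFTED))   # every account: the input rewrote the WHERE clause
    print(lookup_safe(db, CRAFTED))         # []
```

Running the block shows the difference directly: `lookup_vulnerable` returns every row for the crafted input because the quote character ended the string literal and the rest became SQL, while `lookup_safe` binds the same string as a value and finds nothing. The rule generalizes to any database driver that supports bound parameters; the fix is to never build query text from untrusted input.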

FTC Issues Guidance to Businesses on How To Handle Social Security Numbers

Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers - SSNs and ID Theft. The new report articulates a series of FTC recommendations with respect to the handling of Social Security numbers (SSNs) based upon the work of the President’s Identity Theft Task Force, which was established in May 2006 and led to an extensive fact finding effort summarized in the FTC’s November 2007 staff summary report (which can be found here [.pdf]). For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, when the FTC will begin enforcing federal identity theft regulations. 

The FTC Report first makes two key recommendations that should be considered when developing an identity theft prevention program:

FTC Recommendation 1 - Businesses should improve their methods of authenticating the identity of consumers

By this, the FTC means that businesses should reduce or eliminate altogether the use of SSNs to authenticate a person’s identity. The FTC explains that SSNs themselves are not useful tools to confirm a person’s identity because SSNs are widely used as “identifiers” — information that, like your name and address, is commonly supplied to a range of merchants, employers, government agencies and financial institutions — rather than as “authenticators” — information like a password or personal information which remains secret. In short, because your SSN is generally no secret to your boss, your doctor, your bank, the IRS and a number of other entities, knowledge of your SSN is insufficient to prove that you are who you say you are.

The FTC Report does identify some appropriate ways that SSNs may be used during the authentication process which might safely avoid some of the risks associated with using a SSN as an authenticator:

  • using the SSN “to access databases containing information about an individual that can be used to formulate challenge questions that only the true individual should be able to answer (for example, the amount of her mortgage payment each month)”; [Report at 5]
  • using the SSN to check an individual’s identity against a fraud database, for example, checking to see that the SSN matches the Social Security Administration’s listing for a living individual or whether the SSN is listed on industry databases of SSNs used to commit fraud; and
  • using the SSN “as one element in their quantitative fraud prediction models, which are designed to flag suspect patterns of use of identifying information that might indicate that an application or proposed transaction is fraudulent” [Report at 5] — for example, a check to see whether there have been an unusually large number of credit applications or other suspicious activity using a particular SSN.  
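To make the identifier/authenticator distinction and the three appropriate uses above concrete, here is an added Python example. It is not from the FTC Report or the original post, and every name, SSN, mortgage figure, secret and application record in it is constructed. It contrasts an `authenticate_by_ssn_only` check (the practice the Report discourages, where knowing the number is the whole proof) with an `authenticate` routine in which the SSN only selects the record and proof of identity comes from a secret known to the consumer plus a challenge question answered from data on file; a fraud-list check and a simple per-SSN application count stand in for the Report's second and third uses.

```python
"""Added example (not from the FTC Report or the post): the SSN as an
identifier (lookup key) versus an authenticator (secret), with the three
uses the Report calls appropriate. All data below is constructed."""
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive a verifier from the consumer's secret; only the hash is stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Consumer:
    name: str
    ssn: str                # identifier: known to employers, banks, the IRS, ...
    monthly_mortgage: int   # on file; basis for a challenge question
    salt: bytes
    secret_hash: bytes      # authenticator: derived from a secret only the consumer knows


def make_consumer(name: str, ssn: str, monthly_mortgage: int, secret: str) -> Consumer:
    salt = os.urandom(16)
    return Consumer(name, ssn, monthly_mortgage, salt, hash_secret(secret, salt))


# Constructed directory keyed by SSN: the database lookup the Report endorses.
DIRECTORY = {c.ssn: c for c in [
    make_consumer("A. Example", "123-45-6789", 1450, "correct horse battery"),
    make_consumer("B. Example", "987-65-4321", 900, "secret-b"),
]}

# Constructed list of SSNs previously used to commit fraud (the Report's second use).
FRAUD_LIST = {"987-65-4321"}

# Constructed credit applications; one SSN appears on far too many of them.
SAMPLE_APPLICATIONS = [{"ssn": "123-45-6789"}] + [{"ssn": "555-55-5555"}] * 5


def authenticate_by_ssn_only(ssn: str) -> bool:
    """The practice the Report discourages: the SSN is the entire proof of
    identity, so anyone who has learned the number passes."""
    return ssn in DIRECTORY


def authenticate(ssn: str, secret: str, claimed_mortgage: int) -> bool:
    """The SSN selects the record (identifier); proof comes from the secret
    and a challenge question answered from data on file (authenticators).
    SSNs on the fraud list are refused regardless of the other factors."""
    consumer = DIRECTORY.get(ssn)
    if consumer is None or ssn in FRAUD_LIST:
        return False
    secret_ok = hmac.compare_digest(hash_secret(secret, consumer.salt), consumer.secret_hash)
    challenge_ok = claimed_mortgage == consumer.monthly_mortgage
    return secret_ok and challenge_ok


def flag_high_velocity(applications: list, threshold: int = 3) -> list:
    """The Report's third use: the SSN as one input to a fraud-prediction
    check. Returns SSNs appearing on more than `threshold` applications."""
    counts = Counter(app["ssn"] for app in applications)
    return sorted(s for s, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print(authenticate_by_ssn_only("123-45-6789"))                      # True: the weakness
    print(authenticate("123-45-6789", "correct horse battery", 1450))   # True
    print(authenticate("123-45-6789", "wrong secret", 1450))            # False
    print(authenticate("987-65-4321", "secret-b", 900))                 # False: on the fraud list
    print(flag_high_velocity(SAMPLE_APPLICATIONS))                      # ['555-55-5555']
```

The point of the contrast is the first two lines of output: the SSN-only check accepts anyone who has obtained the number, which the Report says is no secret, whereas the hardened routine still needs a factor that is secret (the password-derived hash, compared in constant time) and a fact that only the true individual should know. The velocity count is deliberately simple; a production fraud model would weigh many more signals, but the SSN's role as one feature among several is the same.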

While these examples can be found in the FTC Report, the FTC has made clear that it is not taking a stance on whether any specific techniques would ensure compliance with new federal regulations. In calling for rulemaking on this issue, the FTC indicates, as it has with respect to the recent Red Flags regulations, that “the standard should be one of reasonableness and not perfection, acknowledging that there is no fool-proof method of authenticating consumers and no likelihood that one will be developed in the foreseeable future.” [Report at 7] Nevertheless, given the FTC’s conclusion that use of SSNs to authenticate a person’s identity presents a risk of identity theft, it seems clear that businesses that rely on SSNs as an authenticator do so at their peril.

FTC Recommendation 2 - Businesses should abolish the public display and transmission of Social Security numbers

Here, the FTC’s guidance is abundantly clear: stop displaying and transmitting SSNs in unnecessary and potentially risky ways. While the FTC calls on regulatory agencies that oversee the use of SSNs to adopt rules on this issue, the FTC makes a series of specific recommendations to businesses in advance of further regulation: 

  • Stop using SSNs as employee or customer numbers;
  • Stop printing SSNs on identification cards that would be compromised every time a wallet is lost or stolen;
  • Stop printing SSNs on mailings, such as account statements or paychecks that can be lifted from a person’s mailbox or trashcan;
  • Stop displaying SSNs in emails or website pages, which can be observed over a person’s shoulder;
  • Encrypt SSNs when they must be transmitted over the Internet.

[Report at 8-9]

In addition, the FTC appears to take the view that displaying only a truncated portion of a person’s SSN provides little protection because the other digits can often be collected from other sources or fabricated based on other personal information. [Report at 8]

Given the level of confusion that plagues many businesses’ efforts to develop identity theft prevention programs, the FTC’s clarity on this issue should not be ignored, especially since many, if not all, of these steps are simple and inexpensive to implement.

Other FTC Recommendations

Perhaps not surprisingly given the confusion generated by new federal and state identity theft regulations, the FTC’s remaining recommendations call on Congress, other regulatory agencies and the FTC itself to develop national standards and provide guidance and leadership to dispel the widespread confusion on what we can do to reduce the threat of identity theft. The FTC outlines some specific guidance to businesses, such as:

  • Collect SSNs only when necessary;
  • Retain SSNs only as long as necessary;
  • Consider how to properly and securely dispose of records containing SSNs;
  • Secure and/or encrypt electronic transmissions containing SSNs;
  • Limit employee access to SSNs;
  • Conduct reasonable employee screening to avoid hiring identity thieves; and
  • Conduct reasonable employee training to prevent potential mistakes.

For those businesses working to comply with the recent Massachusetts identity theft regulations (201 C.M.R. § 17.03) or similar state regulations, the FTC's guidance may seem eerily familiar because it parallels many of the state requirements. For example, in Massachusetts, 201 C.M.R. § 17.03(g) requires businesses to limit the amount of “personal information” (which includes SSNs) collected, limit access to that information to those employees that require access, and limit “the time such information is retained to that reasonably necessary to accomplish such purpose.” This is good news for businesses worried that they may face inconsistent federal and state requirements and bad news for those having difficulty meeting these state standards.

Links:   

  • The FTC Report - Security in Numbers - SSNs and ID Theft is available here (.pdf) or from the FTC here (.pdf)
  • The FTC’s Staff Summary of Comments and Information Received Regarding the Private Sector’s Use of Social Security Numbers is available here (.pdf) or from the FTC’s website here (.pdf)
  • The FTC’s website on the use of SSNs containing transcripts and webcast of public workshops, public comments, and press releases.
  • The President’s Identity Theft Task Force website

ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC "Red Flags" Regulations

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of the recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance. This delay does not apply to users of consumer reports handling notices of address discrepancies, for which the November 1, 2008 deadline still stands. Likewise, enforcement against banks, credit unions and other financial institutions by the U.S. Treasury, Federal Reserve, Federal Deposit Insurance Corporation and other agencies is not affected by the FTC’s action.

The “Red Flag” rules had their genesis in 2003, when Congress enacted the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681 (“FACTA”). FACTA required the FTC and a group of other regulatory agencies and committees to adopt regulations to help consumers avoid the growing epidemic of identity theft. Under the final “Red Flags” regulations that came into effect on January 1, 2008, U.S. companies that maintain customer accounts used to make periodic payments, transfers or transactions were initially given until November 1, 2008 to develop formal policies to detect the warning signs or “Red Flags” of potential identity theft and set up procedures to prevent and mitigate the harm caused by identity theft. The FTC’s latest announcement provides businesses with an additional seven months, until May 1, 2009, to assess whether they are covered by the “Red Flags” regulations and put in place a compliant Identity Theft Prevention Plan.

While the language of the regulations covers “financial institutions” and “creditors” maintaining “covered accounts,” the FTC has made clear that the “Red Flag” regulations are intended to cover a broad range of businesses, many of which may not consider themselves traditional “financial institutions”. In particular, the FTC maintains that the new regulations apply to: (1) businesses that maintain any type of account that permits multiple payments or transactions or any other account that presents a reasonably foreseeable risk of identity theft, (2) credit card issuers, and (3) companies that use or receive consumer credit reports. 

The FTC estimates that the new regulations apply to over 11 million businesses in the U.S., including lenders, mortgage brokers, and brokerage firms, but also automobile dealers, utilities and telecommunications companies, collection agencies and other businesses that participate in credit decisions about their customers. Any business that provides customers with any type of account that permits the customer to make repeated payments or enter into regular financial transactions needs to assess whether it is subject to the new “Red Flags” regulations.

If your business is covered by the new “Red Flag” regulations, you will need to develop an Identity Theft Prevention Plan containing procedures to:

  1. Identify any indicators of a possible risk or existence of identity theft in your business — what federal regulators are calling “Red Flags” — such as discrepancies in customer information and suspicious account activity.
  2. Respond appropriately to any Red Flags in order to prevent identity theft from occurring, including by monitoring suspicious activity, contacting customers and notifying law enforcement.
  3. Continually assess the identity theft risks to customers and update the company’s Identity Theft Prevention Plan as necessary.

In addition, the new Red Flag regulations require an affected business to obtain approval from its board of directors for the Identity Theft Prevention Plan, train staff to administer the program and exercise oversight over any service providers retained to manage customer accounts and information. 

At present, it is still unclear what form the FTC’s enforcement of the “Red Flags” regulations will take. The regulations do provide for enforcement actions, regulatory penalties and fines, but do not provide individuals with a right to sue for failure to comply with the new rules.