On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC’s claims that the firm had failed to provide adequate security for sensitive consumer information provided to identity thieves posing as legitimate users. According to the FTC, the the faults in RSS’s security amounted to "unfair acts or practices" in violation of the FTC Act. RRS and Mikkelson were fined $500,000, but the fine was suspended in light of the company’s present financial condition. Also, in a move that echos the FTC’s past enforcement of information security standards under the FTC Act and foreshadows future enforcement of Red Flags regulations, the terms of the FTC’s court order require RRS to develop a "comprehensive information security program that is designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers" and submit itself to independent security audits every 2 years until 2029.
Especially in view of the upcoming May 1, 2009 deadline for compliance with federal Red Flags regulations, this case may be a good example of what we can expect to see from federal and state regulators in enforcing existing and future information security standards, especially with respect to consumer data providers. Below I will summarize the case and identify the key elements of the information security program that the FTC required.
RRS is a Minnesota company that sells residential tenant screening reports that contain consumers’ names, Social Security numbers, dates of birth, financial account numbers and a range of credit reporting information. Landlords use these screening reports to determine whether to rent to individual tenants.
According to the FTC complaint filed in federal court in Minnesota, RRS and Mr. Mikkelson sold 318 screening reports directly to identity thieves posing as legitimate businesspeople. The FTC alleged that RRS required landlord applicants to identify the name of their businesses and provide contact information, but also that RRS did not have a consistent standard for authenticating that the applicant was who they said they were. RRS allegedly would sometimes provide consumer screening reports without requiring any documentation or performing any investigation of its users. The FTC asserted that RRS’s conduct constituted an "unfair act or practice" in violation of Section 5(a) of the FTC Act (15 U.S.C. § 45(a)). RRS has posted a press release indicating that, like the affected consumers, it fell victim to "experienced, technically sophisticated identity thieves" that had access to the affected consumer names, Social Security numbers and dates of birth prior to using RRS’s service. RRS and the FTC negotiated a resolution to the FTC’s claims and the terms of their agreement was entered as a Stipulated Final Judgment and Order in the federal district court.
There are several important lessons to be learned from this case. First and foremost, businesses should be managing information security broadly, not attempting to satisfy only specific rules governing limited categories of information. The FTC has been enforcing information security for over 10 years now as "unfair or deceptive acts or practices" under the Section 5 of the FTC Act. Any business that believes it is immune to the Red Flags Rules, state identity theft regulations or the larger framework of specific privacy and information security rules, may still need to adopt an information security program to meet this general standard. Because "unfair" acts are those characterized by "substantial injury," many kinds of information that may not fall squarely into state identity theft statutes could be covered by the FTC Act if they create or contribute to identity theft or cause some other kind of damage. A business that ignores the general need for information security is exposing itself to significant liability, not only in the event that the FTC steps in, but also because state consumer protection laws, such as Mass. Gen. Laws ch. 93A, also prohibit "unfair or deceptive acts or practices" and permit citizens to bring private causes of action for treble damages and attorneys fees.
Second, companies need to keep in mind that the "reasonable" security measures include being prepared to deal with sophisticated criminals. Here, RRS appears to have relied on the fact that its users already had access to consumers’ personal information to ensure that its service was being used for legitimate purposes. The FTC’s clear view was that businesses need better authentication procedures if they are going to be providing their customers with access to sensitive personal information — identity thieves, after all, typically obtain personal information and use it to commit fraudulent transactions.
Third, the $500,000 fine is a reminder from the FTC that it is willing to set a high monetary value on lapses in information security. The fact that the FTC suspended the $500,000 fine based upon the defendants’ financial condition also suggests that, at this stage, the FTC may be willing to forego severe punitive measures in the current economic climate if it will commit to taking immediate action to improve security measures. Companies should expect less of a reprieve from the FTC when the security issue is more eggregious.
Fourth, there is no substitute for a comprehensive information security program. It was critical to the resolution in the RSS case that the FTC required RRS to "establish and implement, and thereafter maintain a comprehensive information security program that is designed to protect the security, confidentiality and integrity of personal information collected from or about consumers." In particular, the court’s order specifies that an appropriate information security program must:
- be in writing;
- contain "administrative, technical, and physical safeguards appropriate to the entity’s size and complexity, the nature and scope of the entity’s activities, and the sensitivity of the personal information collected from or about consumers;"
- designate personnel "to coordinate and be accountable for the information security program;"
- expressly identify risks to the security, confidentiality and integrity of personal information;
- assess risks present in "(1) employee training and management; (2) information systems . . . ; and (3) prevention, detection, and response to attacks, intrusions, or other system failures."
- include regular testing and monitoring; and
- contain a procedure for selecting and retaining "service providers capable of appropriately safeguarding personal information."
In addition, the FTC also took the position that the best way to ensure future compliance is to require independent security experts to evaluate the performance of a company’s information security program. The RRS order expressly requires RRS to submit to onerous biennial security audits for the next 20 years.
Ultimately, we should expect to see the FTC pursuing similar terms when it begins enforcement of the Red Flags regulations in May: (1) stiff fines that may be suspended depending on economic condition and seriousness of the breach; (2) information security programs that contain a standard set of basic elements; and (3) independent security assessments to be submitted to the FTC over extended periods of time. We should also expect state regulatory agencies around the country to be looking to this case and other FTC enforcement actions as a precedent for their own efforts. Given the parallels between the information security program ordered in this case and state identity theft regulations, it seems highly likely that state regulatory agencies will be seeking similar orders, or more onerous ones, in their own enforcement efforts.
- The FTC’s announcement
- RRS and Lee Mikkelson’s press release
- The FTC Complaint (.pdf), also available, in unexecuted form, from the FTC’s website here (.pdf)
- The Stipulated Final Judgment and Order (.pdf), also available, in unexecuted form, from the FTC’s website here (.pdf)