Federal Trade Commission
April 13, 2005
PREPARED STATEMENT OF THE
FEDERAL TRADE COMMISSION
COMMITTEE ON THE JUDICIARY
SECURING ELECTRONIC PERSONAL DATA:
STRIKING A BALANCE BETWEEN PRIVACY AND
COMMERCIAL AND GOVERNMENTAL USE
April 13, 2005
Mr. Chairman, I am Deborah Platt Majoras, Chairman of the Federal Trade Commission. I appreciate the opportunity to appear before you today to discuss the laws currently applicable to resellers of consumer information, commonly known as "data brokers."
Data brokers provide information services to a wide variety of business and government entities. The information they provide may help credit card companies detect fraudulent transactions or assist law enforcement agencies in locating potential witnesses. Despite these benefits, however, there are concerns about the aggregation of sensitive consumer information and whether this information is protected adequately from misuse and unauthorized disclosure. In particular, recent security breaches have raised questions about whether sensitive consumer information collected by data brokers may be falling into the wrong hands, leading to increased identity theft and other frauds. In this testimony, I will briefly describe what types of information data brokers collect, how the information is used, and some of the current federal laws that may apply to these entities, depending on the nature of the information they possess.
All of this discussion takes place against the background of the threat of identity theft, a pernicious crime that harms both consumers and financial institutions. A 2003 FTC survey showed that over a one-year period nearly 10 million people - or 4.6 percent of the adult population - had discovered that they were victims of some form of identity theft. As described in this testimony, the FTC has a substantial ongoing program both to assist the victims of identity theft and to collect data to assist criminal law enforcement agencies in prosecuting the perpetrators of identity theft.
II. THE COLLECTION AND USE OF CONSUMER INFORMATION
The information industry is large and complex and includes companies of all sizes. Some collect information from original sources, others resell data collected by others, and many do both. Some provide information only to government agencies or large companies, while others sell information to small companies or the general public.
A. Sources of Consumer Information
Data brokers obtain their information from a wide variety of sources and provide it for many different purposes. The amount and scope of information that they collect varies from company to company, and many offer a range of products tailored to different markets and uses. Some data brokers, such as consumer reporting agencies, store collected information in a database and allow access to various customers. Some data brokers may collect information for one-time use by a single customer. For example, a data broker may collect information for an employee background check and provide that information to one employer.
There are three broad categories of information that data brokers collect and sell: public record information, publicly-available information, and non-public information.
1. Public Record Information
Public records are a primary source of information about consumers. This information is obtained from public entities and includes birth and death records, property records, tax lien records, voter registrations, licensing records, and court records (including criminal records, bankruptcy filings, civil case files, and judgments). Although these records generally are available to anyone directly from the public agency where they are on file, data brokers, often through a network of subcontractors, are able to collect and organize large amounts of this information, providing access to their customers on a regional or national basis. The nature and amount of personal information on these records varies with the type of records and agency that created them.
2. Publicly-Available Information
A second type of information collected is information that is not from public records but is publicly available. This information is available from telephone directories, print publications, Internet sites, and other sources accessible to the general public. As is true with public record information, the ability of data brokers to amass a large volume of publicly-available information allows their customers to obtain information from an otherwise disparate array of sources.
3. Non-Public Information
Data brokers may also obtain personal information that is not generally available to members of the public. Types of non-public information include:
- Identifying or contact information submitted to businesses by consumers to obtain products or services (such as name, address, phone number, email address, and Social Security number);
- Information about the transactions consumers conduct with businesses (such as credit card numbers, products purchased, magazine subscriptions, travel records, types of accounts, claims filed, or fraudulent transactions);
- Information from applications submitted by consumers to obtain credit, employment, insurance, or other services (such as information about employment history or assets); and
- Information submitted by consumers for contests, website registrations, warranty registrations, and the like.
B. Uses of Consumer Information
Business, government, and non-profit entities use information provided by data brokers for a wide variety of purposes. For example, the commercial or non-profit sectors may use the information to:
- Authenticate potential customers and prevent fraud by ensuring that the customer is who he or she purports to be;
- Evaluate the risk of providing services to a particular consumer, for example to decide whether to extend credit, insurance, rental, or leasing services and on what terms;
- Ensure compliance with government regulations, such as customer verification requirements under anti-money laundering statutes;
- Perform background checks on prospective employees;
- Locate persons for a variety of reasons, including to collect child support or other debts; to find estate beneficiaries or holders of dormant accounts; to find potential organ donors; to find potential contributors; or in connection with private legal actions, such as to locate potential witnesses or defendants;
- Conduct marketing and market research; and
- Conduct academic research.
Government may use information collected by data brokers for:
- General law enforcement, including to investigate targets and locate witnesses;
- Homeland security, including to detect and track individuals with links to terrorist groups; and
- Public health and safety activities, such as locating people who may have been exposed to a certain virus or other pathogen.
These are just some examples of how these entities use information collected by data brokers.
It is important to understand that the business of data brokers can cover a wide spectrum of activities, everything from telephone directory information services, to fraud databases, to sophisticated data aggregations.
III. LAWS CURRENTLY APPLICABLE TO DATA BROKERS
There is no single federal law that governs all uses or disclosures of consumer information. Rather, specific statutes and regulations may restrict disclosure of consumer information in certain contexts and require entities that maintain this information to take reasonable steps to ensure the security and integrity of that data. The FTC's efforts in this area have been based on three statutes: the Fair Credit Reporting Act ("FCRA"), Title V of the Gramm-Leach-Bliley Act ("GLBA"), and Section 5 of the Federal Trade Commission Act ("FTC Act"). Although the FCRA is one of the oldest private sector data protection laws, it was significantly expanded in 1996 and in the last Congress. The Commission is engaged in a number of rulemakings to implement the new provisions of the FCRA, many of which are directly targeted at the problem of identity theft. The GLBA is a relatively recent law, and its implementing rule on consumer information privacy became effective in 2001. Other laws, such as the Driver's Privacy Protection Act and the Health Insurance Portability and Accountability Act, also restrict the disclosure of certain types of information, but are not enforced by the Commission. Although these laws all relate in some way to the privacy and security of consumer information, they vary in scope, focus, and remedies. Determining which - if any - of these laws apply to a given data broker requires an examination of the source and use of the information at issue.
A. The Fair Credit Reporting Act
Although much of the FCRA focuses on maintaining the accuracy and efficiency of the credit reporting system, it also plays a role in ensuring consumer privacy. The FCRA primarily prohibits the distribution of "consumer reports" by "consumer reporting agencies" ("CRAs") except for specified "permissible purposes," and requires CRAs to employ procedures to ensure that they provide consumer reports to recipients only for such purposes.
In common parlance, the FCRA applies to consumer data that is gathered and sold to businesses in order to make decisions about consumers. In statutory terms, it applies to "consumer report" information provided by a CRA, and it limits such provision to recipients with a "permissible purpose." Although the most common example of a "consumer report" is a credit report and the most common CRA is a credit bureau, the scope of the FCRA is much broader. For example, there exist many CRAs that provide reports in specialized areas, such as tenant screening services (that report to landlords on consumers who have applied to rent apartments) and employment screening services (that report to employers to assist them in evaluating job applicants).
CRAs other than credit bureaus provide many different types of consumer reports. They may report information they have compiled themselves, purchased from another CRA, or both. For example, a tenant screening service may report only the information in its files that it has received from landlords, only a consumer report obtained from another CRA, or a combination of both its own information and resold CRA data, depending on the needs of the business and the information available. Data brokers are subject to the requirements of the FCRA only to the extent that they are providing "consumer reports."
2. "Permissible Purposes" For Disclosure of Consumer Reports
The FCRA limits distribution of consumer reports to those with specific, statutorily-defined "permissible purposes." Generally, reports may be provided for the purposes of making decisions involving credit, insurance, or employment. Consumer reporting agencies may also provide reports to persons who have a "legitimate business need" for the information in connection with a consumer-initiated transaction. Target marketing - making unsolicited mailings or telephone calls to consumers based on information from a consumer report - is generally not a permissible purpose.
There is no general "law enforcement" permissible purpose for government agencies. With few exceptions, government agencies are treated like other parties - that is, they must have a permissible purpose to obtain a consumer report. There are only two limited areas in which the FCRA makes any special allowance for governmental entities. First, the law has always allowed such entities to obtain limited identifying information (name, address, employer) from CRAs without a "permissible purpose." Second, the FCRA was amended to add express provisions permitting government use of consumer reports for counterintelligence and counter-terrorism.
3. "Reasonable Procedures" to Identify Recipients of Consumer Reports
The FCRA also requires that CRAs employ "reasonable procedures" to ensure that they supply consumer reports only to those with an FCRA-sanctioned "permissible purpose." Specifically, Section 607(a) provides that CRAs must make "reasonable efforts" to verify the identity of prospective recipients of consumer reports and to verify that those recipients have a permissible purpose for using the report.
The Commission has implemented the general and specific requirements of this provision in a number of enforcement actions that resulted in consent orders with the major nationwide CRAs and with resellers of consumer reports (businesses that purchase consumer reports from the major bureaus and resell them). For example, in the early 1990s, the FTC charged that resellers of consumer report information violated Section 607(a) of the FCRA when they provided consumer report information without adequately ensuring that their customers had a permissible purpose for obtaining the data. In settling these charges, the resellers agreed to employ additional verification procedures, including verifying the identities and business of current and prospective subscribers, conducting periodic, unannounced audits of subscribers, and obtaining written certifications from subscribers as to the permissible purposes for which they seek to obtain consumer reports. In 1996, Congress amended the FCRA to impose specific duties on resellers of consumer reports.
In addition to the reasonable procedures requirement of Section 607(a), the FCRA also imposes civil liability on users of consumer report information who do not have a permissible purpose and criminal liability on persons who obtain such information under false pretenses.
B. The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act imposes privacy and security obligations on "financial institutions." Financial institutions are defined as businesses that are engaged in certain "financial activities" described in Section 4(k) of the Bank Holding Company Act of 1956 and its accompanying regulations. These activities include traditional banking, lending, and insurance functions, as well as other activities such as brokering loans, credit reporting, and real estate settlement services. To the extent that data brokers fall within the definition of financial institutions, they would be subject to the Act.
1. Privacy of Consumer Financial Information
In general, financial institutions are prohibited by Title V of GLBA and its implementing privacy rule from disclosing nonpublic personal information to non-affiliated third parties without first providing consumers with notice and the opportunity to opt out of the disclosure. However, GLBA provides a number of statutory exceptions under which disclosure is permitted without specific notice to the consumer. These exceptions include consumer reporting (pursuant to the FCRA), fraud prevention, law enforcement and regulatory or self-regulatory purposes, compliance with judicial process, and public safety investigations. Entities that receive information under an exception to GLBA are subject to the reuse and redisclosure restrictions under the GLBA Privacy Rule, even if those entities are not themselves financial institutions. In particular, the recipients may only use and disclose the information "in the ordinary course of business to carry out the activity covered by the exception under which . . . the information [was received]."
Data brokers may receive some of their information from CRAs, particularly in the form of identifying information (sometimes referred to as "credit header" data) that includes name, address, and Social Security number. Because credit header data is typically derived from information originally provided by financial institutions, data brokers who receive this information are limited by GLBA's reuse and redisclosure provision. For example, if a data broker obtains credit header information from a financial institution pursuant to the GLBA exception "to protect against or prevent actual or potential fraud," then that data broker may not reuse and redisclose that information for marketing purposes.
2. Required Safeguards for Customer Information
GLBA also requires financial institutions to implement appropriate physical, technical, and procedural safeguards to protect the security and integrity of the information they receive from customers directly or from other financial institutions. The FTC's Safeguards Rule, which implements these requirements for entities under FTC jurisdiction, requires financial institutions to develop a written information security plan that describes their programs to protect customer information. Given the wide variety of entities covered, the Safeguards Rule requires a plan that accounts for each entity's particular circumstances - its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. It also requires covered entities to take certain procedural steps (for example, designating appropriate personnel to oversee the security plan, conducting a risk assessment, and overseeing service providers) in implementing their plans. Since the GLBA Safeguards Rule became effective in May 2003, the Commission has brought two law enforcement actions against companies that violated the Rule by not having reasonable protections for customers' personal information.
To the extent that data brokers fall within GLBA's definition of "financial institution," they must maintain reasonable security for customer information. If they fail to do so, the Commission could find them in violation of the Rule. The Commission can obtain injunctive relief for such violations, as well as consumer redress or disgorgement in appropriate cases.
C. Section 5 of the FTC Act
In addition, Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce." Under the FTC Act, the Commission has broad jurisdiction to prevent unfair or deceptive practices by a wide variety of entities and individuals operating in commerce.
Prohibited practices include deceptive claims that companies make about privacy, including claims about the security they provide for consumer information. To date, the Commission has brought five cases against companies for deceptive security claims, alleging that the companies made explicit or implicit promises to take reasonable steps to protect sensitive consumer information. Because they allegedly failed to take such steps, their claims were deceptive. The consent orders settling these cases have required the companies to implement rigorous information security programs generally conforming to the standards set forth in the GLBA Safeguards Rule.
In addition to deception, the FTC Act prohibits unfair practices. Practices are unfair if they cause or are likely to cause consumers substantial injury that is neither reasonably avoidable by consumers nor offset by countervailing benefits to consumers or competition. The Commission has used this authority to challenge a variety of injurious practices.
The Commission can obtain injunctive relief for violations of Section 5, as well as consumer redress or disgorgement in appropriate cases.
D. Other Laws
Other federal laws not enforced by the Commission regulate certain other specific classes of information. For example, the Driver's Privacy Protection Act ("DPPA") prohibits state motor vehicle departments from disclosing personal information in motor vehicle records, subject to fourteen "permissible uses," including law enforcement, motor vehicle safety, and insurance.
The privacy rule under the Health Insurance Portability and Accountability Act ("HIPAA") allows for the disclosure of medical information (including patient records and billing statements) between entities for routine treatment, insurance, and payment purposes. For non-routine disclosures, the individual must first give his or her consent. As with the DPPA, the HIPAA Privacy Rule provides a list of uses for which no consent is required before disclosure. Like the GLBA Safeguards Rule, the HIPAA Privacy Rule also requires entities under its jurisdiction to have in place "appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information."
IV. THE FEDERAL TRADE COMMISSION'S ROLE IN COMBATING IDENTITY THEFT
In addition to its regulatory and enforcement efforts, the Commission assists consumers with advice on the steps they can take to minimize their risk of becoming identity theft victims, supports criminal law enforcement efforts, and provides resources for companies that have experienced data breaches. The Identity Theft and Assumption Deterrence Act of 1998 ("the Identity Theft Act" or "the Act") provides the FTC with a specific role in combating identity theft. To fulfill the Act's mandate, the Commission implemented a program that focuses on collecting complaints and providing victim assistance through a telephone hotline and a dedicated website; maintaining and promoting the Clearinghouse, a centralized database of victim complaints that serves as an investigative tool for law enforcement; and providing outreach and education to consumers, law enforcement, and industry.
A. Working with Consumers
The Commission hosts a toll-free hotline, 1-877-ID THEFT, and a secure online complaint form on its website, www.consumer.gov/idtheft. We receive about 15,000 to 20,000 contacts per week, by hotline, website, or mail, from victims and from consumers who want to learn how to avoid becoming victims. Callers to the hotline receive counseling from trained personnel who provide information on preventing identity theft and inform victims of the steps to take to resolve the problems resulting from the misuse of their identities. Victims are advised to: (1) obtain copies of their credit reports and have a fraud alert placed on them; (2) contact each of the creditors or service providers where the identity thief has established or accessed an account, to request that the account be closed and to dispute any associated charges; and (3) report the identity theft to the police and, if possible, obtain a police report. A police report is helpful in demonstrating to would-be creditors and debt collectors that the consumer is a victim of identity theft, and it also serves as an "identity theft report" that can be used to exercise various rights under the newly enacted Fair and Accurate Credit Transactions Act. Victims can also enter their complaint directly into the Clearinghouse through the online complaint form on the identity theft website.
The FTC has also taken the lead in the development and dissemination of consumer education materials. To increase awareness for consumers and provide tips for minimizing the risk of identity theft, the FTC developed a primer on identity theft, ID Theft: What's It All About? Together with the victim recovery guide, Take Charge: Fighting Back Against Identity Theft, the two publications help to educate consumers. The FTC alone has distributed more than 1.4 million copies of the Take Charge booklet since its release in February 2000 and has recorded more than 1.8 million visits to the Web version. The FTC's consumer and business education campaign includes other materials, media mailings, and radio and television interviews. The FTC also maintains the identity theft website, www.consumer.gov/idtheft, which provides publications and links to testimony, reports, press releases, identity theft-related state laws, and other resources.
The Commission has also developed ways to simplify the recovery process. One example is the ID Theft Affidavit, which is included in the Take Charge booklet and on the website. The FTC worked with industry and consumer advocates to create a standard form for victims to use in resolving identity theft debts. To date, the FTC has distributed more than 293,000 print copies of the ID Theft Affidavit and has recorded more than 809,000 hits to the Web version.
B. Working with Law Enforcement
A primary purpose of the Identity Theft Act was to enable criminal law enforcement agencies to use a single database of victim complaints to support their investigations. To ensure that the database operates as a national clearinghouse for complaints, the FTC accepts complaints from state and federal agencies as well as from consumers.
With over 815,000 complaints, the Clearinghouse provides a picture of the nature, prevalence, and trends of identity theft as experienced by the victims who submit complaints. The Commission publishes annual charts showing the prevalence of identity theft complaints by state and city. Law enforcement and policy makers use these reports to better understand identity theft.
Since the inception of the Clearinghouse, more than 1,100 law enforcement agencies have signed up for the database. Individual investigators within those agencies can access the system from their desktop computers 24 hours a day, seven days a week.
The Commission also encourages even greater use of the Clearinghouse through training seminars offered to law enforcement. Beginning in 2002, the FTC, in cooperation with the Department of Justice, the U.S. Postal Inspection Service, and the U.S. Secret Service, initiated full-day identity theft training seminars for state and local law enforcement officers. To date, this group has held 17 seminars across the country. More than 2,200 officers have attended these seminars, representing over 800 different agencies. Future seminars are being planned for additional cities.
The FTC staff also developed an identity theft case referral program. The staff creates preliminary investigative reports by examining patterns of identity theft activity in the Clearinghouse. The staff then refers the investigative reports to Financial Crimes Task Forces and other law enforcers for further investigation and potential prosecution.
C. Working with Industry
The private sector can help tackle the problem of identity theft in several ways. From prevention of identity theft through better security and authentication, to helping victims recover, businesses play a key role in addressing identity theft.
The FTC works with institutions that maintain personal information to identify ways to keep that information safe from identity theft. In 2002, the FTC invited representatives from financial institutions, credit issuers, universities, and retailers to a roundtable discussion of what steps entities can and do take to prevent identity theft and ensure the security of personal information in employee and customer records. This type of informal event provides an opportunity for the participants to share information and learn about the practices used by different entities to protect against identity theft.
The FTC also provides guidance to businesses about information security risks and the precautions they must take to protect or minimize risks to personal information. For example, the Commission has disseminated guidance for businesses on reducing risks to their computer systems, as well as guidance for complying with the GLBA Safeguards Rule. Our emphasis is on preventing breaches before they happen by encouraging businesses to make security part of their regular operations and corporate culture. The Commission has also published Information Compromise and the Risk of Identity Theft: Guidance for Your Business, which is a business education brochure on managing data compromises. This publication provides guidance on when it would be appropriate for an entity to notify law enforcement and consumers in the event of a breach of personal information.
Data brokers collect and distribute a wide assortment of consumer information and may therefore be subject to a variety of federal laws with regard to the privacy and security of consumers' personal information. Determining which laws apply depends on the type of information collected and its intended use. The Commission is committed to ensuring the continued safety of consumers' personal information and looks forward to working with you to explore this subject in more depth.