|April 15, 1997
Writer's Direct Dial Number
By Hand Delivery
Re: Data Base Study -- Comment, P974806
Dear Mr. Secretary:
This comment letter is submitted on behalf of MasterCard International Incorporated ("MasterCard")(1) and VISA U.S.A. Inc. ("VISA")(2) in response to the proposed Federal Trade Commission ("FTC") study of computerized data bases containing sensitive consumer identifying information ("FTC Study"). VISA and MasterCard thank the FTC for the opportunity to comment on the FTC Study.
Genesis of the FTC Study
The genesis of the FTC Study was a letter to the FTC from Senator Bryan, Senator Hollings, and then-Senator Pressler, which requested the FTC to conduct a study of "possible violations of consumer privacy rights by companies that operate computer data bases."(3)
More specifically, the letter requested that the FTC investigate the "compilation, sale, and usage of electronically transmitted data bases that include identifiable personal information of private citizens without their knowledge."(4)
The Senators' request arose in the context of the public focus on the LEXIS "P-Trak" "look-up" service, which was spawned by a spate of Internet messages and national news media stories about the types of consumer information that were then available on the P-Trak service. In addition to giving rise to the request for the FTC Study, the public focus also caused LEXIS to limit the types of consumer information available through P-Trak.
Congress, as a whole, responded to the P-Trak issue by including a provision in the Economic Growth and Regulatory Paperwork Reduction Act of 1996 that directed the Federal Reserve Board ("FRB"), in consultation with the FTC and other federal banking agencies, to conduct a study assessing the undue potential for fraud and risk of loss to insured depository institutions from the activities of companies engaged in the business of making "sensitive consumer identification information" available to the general public ("FRB Study").(5)
Under this provision, "sensitive consumer identification information" included social security numbers, mothers' maiden names, prior addresses, and dates of birth. Importantly, in enacting this provision, Congress exempted from the FRB Study entities that are subject to the Fair Credit Reporting Act ("FCRA")(6) as consumer reporting agencies.
Scope and Purpose of the FTC Study
The Supplementary Information to the FTC Study states that the FTC Study will include consideration of the collection, compilation, sale and use of computerized data bases that contain what consumers may perceive to be sensitive identifying information.(7)
Given the context in which the Senators' request for the FTC Study arose -- as well as the clear statement of Congressional intent embodied in the limitation of the scope and purpose of the FRB Study -- it is appropriate that the FTC has limited the study to so-called "look-up services." In order to maximize public benefit and efficiency, we urge that the focus of the FTC Study be further narrowed to specifically assess whether there are companies that disseminate sensitive consumer identifying information in a manner that could create opportunities for fraud. It is the use of such information for fraud purposes that raises the greatest concern and, as a result, was the focus of Congressional legislative action. Activities that may involve consumer information but do not give rise to fraud risks should be excluded from the scope of the FTC Study. For example, the FTC Study should explicitly exclude companies using consumer identifying information to communicate data between one another, such as those in which entities within a corporate family use consumer identifying information to share information on their customers. This approach is consistent with the Supplementary Information which indicates that the FTC Study will not address data bases used primarily for direct marketing purposes, medical and student records, or the use of consumer credit reports for employment purposes.(8)
It is also appropriate because Congress recently addressed affiliate sharing of information in the same legislation that requested the FRB Study.
Definition of Sensitive Consumer Identifying Information
The Supplementary Information to the FTC Study states that sensitive consumer identifying information may include some or all of the following: social security numbers, mothers' maiden names, prior addresses, and dates of birth.(9)
For purposes of the FTC Study, VISA and MasterCard believe that this definition of sensitive consumer identifying information is appropriate and need not be expanded. In this regard, it is our understanding that financial institutions principally rely on social security numbers, dates of birth, mothers' maiden names and prior addresses when ascertaining and verifying the identity of consumers or providing consumers with access to their records.
The FTC also requested comment on information that might be used in the future to identify consumers. MasterCard and VISA urge the FTC to adopt a definition of sensitive consumer identifying information that is based on current practices and not on predictions of future practices. New consumer identification methods such as those utilizing finger minutiae, voice analysis, iris scan and other biometric systems are in various stages of development, testing and evaluation by financial institutions and other private and public organizations. While it is expected that one or more of these new technologies may be used in the future to further refine consumer identification procedures, these technologies are not yet commonly used. VISA and MasterCard caution that if the FTC Study or its related recommendations are overly broad, they could have a counterproductive, chilling effect on the development of these or other consumer identification technologies that might otherwise enhance risk management and financial privacy in the future.
Dissemination of Sensitive Consumer Identifying Information
MasterCard and VISA have long been concerned about, and have worked diligently to address, the risks presented by credit card fraud and similar types of financial fraud. In our experience, where consumer information has been used to commit financial fraud, the information is generally obtained illegally -- by stealing U.S. Mail or a wallet or purse, improperly removing information from consumer files and, more recently, through illegal access to computer files. Additional restrictions on the flow of information would be unlikely to address these issues. Much greater benefits would be derived from increased resources for law enforcement in this area.
Structure of the Public Workshop
Finally, MasterCard and VISA commend the FTC for separately addressing issues associated with computerized data bases containing sensitive consumer identifying information from issues associated with consumer online privacy and the Bureau of Consumer Protection's June 1996 Public Workshop on Consumer Privacy on the Global Information Infrastructure. In particular, we support the FTC's proposed structure for the Public Workshop, in which Session One addresses computerized data bases and Sessions Two and Three address consumer online privacy issues. Such a structure more efficiently facilitates substantive discussion of these important topics. We urge the FTC to continue addressing these issues separately.
* * * * *
Once again, VISA and MasterCard appreciate the opportunity to comment on the FTC Study, and we hope that these comments are helpful. If you have any questions concerning these comments, or if we can otherwise be of assistance in connection with this matter, please do not hesitate to contact me at the number indicated above, Michael F. McEneney, at (202) 887-1568, or Clarke D. Camper, at (202) 887-8793.
L. Richard Fischer
Enclosure: Comment Letter in the Microsoft Word 6.0 format on 3 1/2 inch diskette
1. MasterCard is a membership organization comprised of financial institutions which are licensed to use the MasterCard service marks in connection with payment systems, including credit, debit and stored-value cards.
2. VISA is a membership association comprised of financial institutions in the United States which are licensed to use the VISA service marks in connection with payments systems, including credit, debit and stored-value cards.
3. Letter from Senator Bryan, Senator Hollings, and Senator Pressler to the FTC (Oct. 8, 1996).
5. Pub. Law No. 104-208, § 2422 (1996).
6. 15 U.S.C. § 1681 et seq.
7. 62 Fed. Reg. 10,272 (1997).