FTC Continues Education, Enforcement Efforts to Promote Information Security

Electronic information systems provide substantial benefits to consumers, businesses, and government, but they are exposed to significant vulnerabilities, according to Federal Trade Commission testimony. Addressing the House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, of the Committee on Government Reform, FTC Commissioner Orson Swindle discussed the challenges that consumers and businesses face in protecting their computer systems and the information contained in them. He also described the FTC’s efforts to address concerns about information security and prevent identity theft through a combined approach that includes educating consumers and businesses about emerging threats and the fundamental importance of good security practices; encouraging technology enhancements to improve security; targeted law enforcement actions; and international cooperation.

“We rely on electronic information systems for the orderly operation of our financial systems and power supplies, the efficient processing of our transactions, twenty-four hour access to information, shopping, and many other conveniences,” Swindle said. He noted that, to provide these benefits, electronic data systems store sensitive consumer information, including financial and medical records. If not adequately protected, these systems and databases can become extremely vulnerable to breaches and other security risks.

The testimony explains that companies that store consumer information have a responsibility to safeguard that data to minimize the threat of security breaches. To do so, businesses should develop a security plan and make security monitoring and oversight part of their regular operations. Swindle noted that the FTC actively provides businesses and consumers with information about security risks and precautions, aiming to prevent breaches before they happen. In the event that data is compromised, the testimony explains, companies should alert local law enforcement agencies, notify other businesses if the data compromise affects them, and assess whether to notify consumers.

The testimony highlights a number of the Commission’s educational and law enforcement initiatives to combat identity theft. For several years, the agency has engaged in a broad campaign to educate businesses and consumers about the risks to personal information and the importance of information security. This campaign includes extensive outreach to consumers and businesses through the FTC website (www.ftc.gov/infosecurity), educational alerts, participation in joint security initiatives with other government agencies and private groups, and work with the Organization for Economic Cooperation and Development (OECD) to develop and implement the OECD’s information security guidelines. In addition, the FTC has brought cases under the FTC Act challenging allegedly deceptive claims about information security. Currently, Commission staff is also conducting non-public investigations of compliance with the Gramm-Leach Bliley Safeguards Rule, which requires financial institutions under the FTC’s jurisdiction to implement reasonable procedures to safeguard customer information.

Swindle also discussed the FTC’s program to help consumers who have been victimized by identity theft. The FTC’s identity theft program receives complaints, provides victim assistance online and by phone, and conveys information to hundreds of law enforcement agencies. As part of this program, the FTC currently is working to implement provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which affords new protections to identity theft victims. In addition, the FTC continues to encourage the use of domain-level authentication as a way to identify and locate spammers and prevent “phishing,” a high-tech scam that uses spam to deceive consumers into disclosing sensitive personal information, and other Internet scams.

“The FTC is working to ensure that all companies entrusted with personal information take reasonable steps to secure that information and minimize the risk that it may be misused,” Swindle concluded. “The agency will continue to be vigilant in promoting a culture of security.”

The Commission vote to approve the testimony was 5-0.

Copies of the testimony are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1 877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

(FTC File No. P034806)