FTC Testifies on Data Security and Identity Theft

The Federal Trade Commission testified today before the U.S. Senate Committee on Banking, Housing, and Urban Affairs about the reach of existing federal laws that require certain information providers to safeguard sensitive information and to ensure that the information doesn’t fall into the wrong hands. The Senate Banking Committee is examining recent developments involving the security of sensitive consumer information.

FTC Chairman Deborah Platt Majoras said that increased scrutiny about the security of consumer data takes place against the background of the threat of identity theft, a crime that harms both consumers and financial institutions. “A 2003 FTC survey showed that over a one-year period, nearly 10 million people – or 4.6 percent of the adult population – had discovered that they were victims of some form of identity theft.”

There are three laws enforced by the FTC that restrict disclosure of consumer information and require companies to ensure the security and integrity of the data in certain contexts, the testimony says.

“The Fair Credit Reporting Act primarily prohibits the distribution of ‘consumer reports’ by ‘consumer reporting agencies’ (CRAs) except for specified ‘permissible purposes’ and requires CRAs to employ procedures to ensure that they provide consumer reports to recipients only for such purposes,” according to the testimony. Data brokers who sell “consumer reports” are subject to the FCRA restrictions.

The Gramm-Leach-Bliley Act imposes privacy and security obligations on a broadly defined group of financial institutions, including those engaged in banking, lending, and insurance activities as well as loan brokering, credit reporting, and real estate settlement services. “To the extent that data brokers fall within the definition of financial institutions, they would be subject to the Act,” Majoras said.

In addition, the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce. Prohibited practices include deceptive claims that companies make about privacy, including claims about the security they provide for consumer information,” the testimony says. “The Commission has brought five cases against companies for deceptive security claims, alleging that the companies made . . . promises to take reasonable steps to protect sensitive consumer information. Because they allegedly failed to take such steps, their claims were deceptive.”

“The Commission is committed to ensuring the continued safety of consumers’ personal information,” Majoras said.

The Commission vote to authorize the testimony was 5-0.

Copies of the testimony are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov . The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

(FTC File No. 052 3069)