The Federal Trade Commission told Congress today that companies should protect consumers’ data so that it doesn’t fall into the hands of identity thieves. In testimony before the House Committee on Energy and Commerce, Subcommittee on Commerce, Manufacturing, and Trade, the agency recommended that Congress pass legislation that would require companies to implement reasonable security policies and procedures and to notify consumers when there is a security breach.
“Data security is of critical importance,” said David Vladeck, Director of the FTC’s Bureau of Consumer Protection. “If companies do not protect the personal information they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm, and consumers could lose confidence in the marketplace.”
The FTC is committed to a comprehensive, three-pronged effort to promote data security that includes law enforcement, consumer education, and data collection and analysis, the testimony states. Since 2001, the agency has brought 34 cases against businesses that allegedly failed to protect consumers’ personal information. In delivering the Commission’s testimony, Vladeck noted two new FTC cases in this area.
The first case involves Ceridian Corporation, a human resource services and payroll processing company that allegedly failed to protect highly sensitive payroll information. In 2009, an intruder was able to hack into one of Ceridian’s payroll processing systems, compromising the personal data – including Social Security numbers and financial account numbers – of approximately 28,000 employees of Ceridian’s small business customers.
The FTC also announced a case involving Lookout Services, Inc.. This company offers web application services that assist employers in verifying their employees’ eligibility to work in the United States. The agency alleged the company’s numerous security failings left Lookout’s entire customer database of Social Security numbers, passport numbers, military identification numbers, and dates of birth vulnerable, and that in the fall of 2009 an employee of one of its customers twice obtained unauthorized access to that database.
Both companies agreed to settlement orders with the FTC that bar future misrepresentations and require them to implement a comprehensive information security program. Both companies also will be required to obtain independent security audits every other year for 20 years.
According to the testimony, the FTC also promotes better data security practices through extensive consumer and business education. The agency sponsors OnGuard Online and its Spanish-language counterpart Alerta en Linea, which educate consumers about basic computer security. It also provides print and online publications such as FTC’s Identity Theft Primer, a Victim Recovery Guide, and a business guide on data security for businesses.
The FTC also engages in policy-based efforts related to data security. For example, the Commission staff held a series of public roundtables that explored consumer privacy, and issued a preliminary staff report that endorsed key data security principles, based on the roundtables and public comments. The FTC also will hold a Child Identity Theft Forum on July 12, 2011 in conjunction with the Office for Victims of Crime, Office for Justice Programs, U.S. Dept. of Justice.
“The goal of this forum is to develop ways to effectively advise parents on how to avoid child identity theft, how to protect children’s personal data, and how to help parents and young adults who are victimized as children recover from the crime,” the testimony states.
The Commission vote to issue the testimony was 5-0.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and
unfair business practices and to provide information to help spot, stop, and avoid them. To
file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-
877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a
secure, online database available to more than 1,800 civil and criminal law enforcement
agencies in the U.S. and abroad. The FTC’s website provides free information on a variety
of consumer topics. “Like” the FTC on Facebook and “follow” us on Twitter.