FTC Testifies on Government Agencies Collection and Use of Personal Information and Identity Theft

The Federal Trade Commission today told the Ohio Privacy and Public Records Access Study Committee in Columbus, Ohio that public agencies can “play a key role in reducing the incidence and impact of identity theft.” Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection told the Committee, created by the Ohio legislature, that government agencies should limit the amount of information they collect, restrict access to the information, and implement procedures to respond to data breaches.

The testimony notes that the President’s Identity Theft Task Force, co-chaired by Attorney General Alberto Gonzales and FTC Chairman Deborah Platt Majoras, recently delivered a comprehensive national strategy to combat identity theft. The plan “includes recommendations on how to prevent sensitive data from falling into the wrong hands, to make such data less valuable to identity thieves by improving authentication, to ease victim recovery and to improve tools for effective criminal law enforcement.” The plan includes 31 initiatives the federal government should consider taking to combat identity theft.

According to the testimony, Social Security numbers, often the key to identity theft, are widely available in federal, state, and local government public records. “As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.” The Task Force recommended that federal government agencies “take steps to eliminate, restrict, or conceal the use of SSNs wherever possible, including assigning employee identification numbers where practicable. . . . Many of the recommendations to federal agencies can be applied equally to government agencies at all levels.”

The testimony notes that federal agencies are taking measures to strengthen their information security, and states that the Office of Management and Budget has issued guidelines about how agencies should safeguard sensitive information. “The Task Force also recommended the development of a list of the most common mistakes to avoid in protecting personal information held by the government.”

Both private-sector and government entities should take steps to avoid data breaches, the testimony states. “In addition to taking steps to avoid such breaches, government agencies also should have response plans in place should a breach occur.” Such a plan would help an agency determine whether to notify consumers of the breach; what the notification should say; which third parties, if any should be notified; and whether to offer credit monitoring to people whose records may have been compromised.

“To succeed in the battle against identity theft, governments, together with the private sector, must make it more difficult for thieves to obtain the information they need to steal identities and respond appropriately to data breaches if they occur. . . . From county clerks and town halls to federal departments, public agencies play a key role in reducing the incidence and impact of identity theft,” the testimony states.

The Commission vote to approve the testimony was 5-0.

Copies of the testimony are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov/ftc/complaint.shtm. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad.