FTC Testifies on Data Security, Peer-to-Peer File Sharing

The Federal Trade Commission today testified on the Commission’s efforts to promote better security for sensitive consumer information and to prevent the inadvertent sharing of consumers’ personal or sensitive data over Peer-to-Peer Internet file-sharing networks. As part of these efforts, the agency also announced that it had reached an agreement with one of the largest privately held lenders in the United States to resolve charges that the company violated federal law by failing to provide reasonable security for consumers’ sensitive information.

In testimony before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection, Acting Director of the Bureau of Consumer Protection Eileen Harrington said the agency strongly supports the goals of H.R. 2221, the Data Accountability and Trust Act, which would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The legislation also would give the Commission the authority to obtain civil penalties for violations.

“A critical element of privacy is data security. If companies do not protect the sensitive consumer information that they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm, and consumers could lose confidence in the marketplace,” the testimony stated.

The Commission made two further recommendations regarding the data security legislation: It suggested that the legislation be extended to cover data stored on paper, as well as electronic data. It also recommended that certain provisions imposing obligations on information brokers – companies whose business is to collect and sell information about individuals who are not their customers – be targeted specifically to address harms consumers may face when brokers sell information about them, to the extent that such harms are not already addressed by federal law. These provisions should not displace existing legal protections.

The FTC currently enforces several laws that restrict the disclosure of consumer information and require companies to ensure the security and integrity of the data in certain contexts: the Fair Credit Reporting Act restricts disclosure of consumer credit reports except for specified permissible purposes; the Gramm-Leach-Bliley Act imposes privacy and security obligations on financial institutions; and the FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce.

Using its authority under these laws, the testimony noted, the Commission has brought 26 law enforcement actions since 2001 against companies that allegedly failed to maintain
reasonable procedures to protect consumers’ personal information, including a case the agency has just settled against James B. Nutter & Company. The company is based in Missouri and makes and services residential mortgage loans around the country. It collects information from loan applicants, including their Social Security numbers, financial information, and employment and credit histories. The Commission’s complaint alleges that, beginning in 2004, JBN engaged in a number of practices that taken together failed to provide reasonable and appropriate security for sensitive consumer information, in violation of the FTC’s Safeguards Rule. In addition, the complaint alleges that the company violated the FTC’s Privacy Rule by failing to provide privacy notices and, later, providing notices that were inaccurate. To settle these charges, JBN has agreed to a proposed order that would require it to establish and maintain a comprehensive data security program covering consumers’ personal information, and to hire an independent auditor to assess its security procedures every two years for 10 years, and to certify that these procedures comply with the proposed order. The proposed order also bars JBN from violating the agency’s Safeguards and Privacy Rules.

The Commission previously has filed data security cases against retailers TJX, CVS Caremark and DSW Shoe Warehouse, and the data brokers ChoicePoint and Reed Elsevier, Inc., which operates Lexis Nexis and Seisint, Inc. The FTC also promotes better data security practices through extensive consumer and business education, the testimony stated. On the policymaking front, the FTC recently proposed a rule that would require that consumers be notified when the security of their health information is breached. In addition, the FTC is examining privacy issues associated with behavioral advertising and the use of personal health records and cloud computing networks.

The testimony also details the Commission’s activities with regard to inadvertent file sharing on P2P networks. Although P2P technologies hold potential benefits for computer users and businesses, they also can raise the risk that sensitive information will be made available over P2P networks, either through inadvertent sharing or through malware. The testimony noted that the agency has brought cases related to P2P file sharing, has helped P2P software developers devise voluntary best practices to help consumers prevent inadvertent file sharing, and continues to monitor efforts by companies to comply with these practices. The Commission also has held a workshop on P2P, issued a report, and alerted consumers to the risk of inadvertent file sharing. The testimony stated that the Commission also is supportive of H.R.1319, the Informed P2P User Act, legislation that would set a minimum standard for P2P software companies to follow in notifying consumers about what files a P2P program will share, and in obtaining consent from consumers before the files are made available.

The Commission vote to approve the testimony was 4-0.

The Commission vote to approve the administrative complaint and proposed consent agreement with JBN was 4-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through June 8, 2009, after which the Commission will decide whether to make it final. To file a public comment, please click on the following hyperlink: http://www.ftc.gov/os/2009/05/0723108publiccomment.pdf and follow the instructions at that site.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. A complaint is not a finding or ruling that a respondent has actually violated the law. The consent agreement is for settlement purposes only and does not constitute an admission by the respondent of a law violation.

Copies of the documents mentioned in this release are available from the FTC’s Web site at http://www.ftc.gov and from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. Call toll-free: 1-877-FTC-HELP. The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

(DataTestimony.wpd)