Credit Technologies, Inc.
Proposed Consent Agreement In the Matter of ACRAnet, Inc., a corporation, File No.0923088
Despite the impression created by the FTC s press release and the Commissioners Statement, each of these three resellers had implemented and maintained an information security program that was reasonably designed to protect the security, confidentiality, and integrity of customer information, as required under the GLBA Safeguards Rule. Each reseller maintained reasonable procedures to limit the provision of consumer reports to end-users who had a permissible purpose for the reports in accordance with the FCRA. Moreover, each reseller required its end-users to agree by written contract that they would implement and maintain adequate information security systems, controls and procedures, including firewalls and other appropriate data security measures. These written agreements provided that an end-user s violation of these contractual obligations could result in suspension of the end-user s access to the reseller s portal or termination of the agreement. By implementing vigorous internal security measures and contractually mandating that end-users act similarly, the resellers met their legal obligations under the FCRA and the GLBA to protect consumer information. The Missing Parties in the Proposed Orders None of the unprotected computer systems involved in the data breaches that led to these enforcement actions were within the ownership or control of these resellers. The FTC s complaints allege that the breaches occurred because the end-users lacked adequate firewalls or other security controls. Thus, the alleged failures of these independent third parties, and not the resellers actions, contributed to the security breaches. These end-users apparently did not meet their own legal obligations under the FCRA and the GLBA, and they appear to have breached their contractual obligations to the resellers. For these reasons, I believe that the Commission s enforcement actions targeted the wrong parties in these matters. The proposed orders essentially require the respondent resellers to comply with their legal obligations under the GLBA and the FCRA obligations that the resellers had endeavored to meet even prior to the FTC s enforcement actions. Because the end-users are not subject to these consent orders, the FTC s enforcement actions will not protect consumers with respect to the security and confidentiality of consumer information held by these end-users. It is important to understand that, as mortgage lenders, property managers and employers these end-users receive and maintain consumers identifying information and highly confidential financial information from applications, financial institutions, employers and others, in addition to consumer reports from resellers. These end-users are subject to the same GLBA and FCRA laws as the resellers. Yet, the FTC s orders will not require these end-users to implement any measures to comply with these laws. Clearly, the FTC has brought the wrong parties under order. The Commissioners Statement Despite the fact that the FTC s orders apply only to the resellers, the Commissioners Statement asserts that these are the first cases in which the Commission has held resellers responsible for downstream data protection failures. This statement is at odds with the terms of the consent orders and, for the most part, even the complaint s allegations. As an owner of a consumer reporting agency, I am deeply troubled by the Commissioners apparent plan to hold resellers responsible for the potential failures of independent third parties to protect consumer data. There is no basis in the FCRA or even the GLBA Safeguards Rule for this kind of liability. I have additional comments which exceed the space limitations of this submission form. Please see the attached document. Thank you again for the opportunity to comment on these matters. Sincerely, Thomas P. Conwell III President Credit Technologies, Inc.