Proposed Consent Agreement In the Matter of ACRAnet, Inc., a corporation, File No.0923088 #552781-00025

Submission Number:
Laura Randazzo
National Association of Professional Background Screeners
North Carolina
Initiative Name:
Proposed Consent Agreement In the Matter of ACRAnet, Inc., a corporation, File No.0923088
March 7, 2011

Via Electronic Filing

Federal Trade Commission
Office of the Secretary
Room H-135 (Annex D)
600 Pennsylvania Avenue, NW
Washington, DC 20580

RE: In the Matter of SettlementOne Credit Corporation, File No. 082 3208
In the Matter of ACRAnet, Inc., File No. 092 3088
In the Matter of Statewide Credit Services, File No. 092 3089

To Whom It May Concern:

The National Association of Professional Background Screeners ("NAPBS" or "Association") appreciates the opportunity to comment on the Federal Trade Commission's ("FTC" or "Commission") proposed consent orders in the above referenced matters.

NAPBS is a trade association representing the interests of nearly 700 consumer reporting agencies and affiliated members in the employment, tenant and background screening industry. The Association exists to promote ethical business practices, promote compliance with the Fair Credit Reporting Act ("FCRA") and foster awareness of issues related to consumer protection and privacy rights within the background screening industry. NAPBS provides relevant programs and training aimed at empowering members to better serve clients and to maintain standards of excellence in the background screening industry.

At the heart of proposed consent orders is the requirement that the named respondents establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers, including the security, confidentiality, and integrity of personal information accessible to end users.

NAPBS has two major concerns stemming from the proposed consent orders and the Commissioners' statement. First would be the imposition of new obligations for consumer reporting agencies that provide consumer data to end-users, by holding resellers responsible for downstream data protection failures.
Second would be the statement that the FTC will seek civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligation to protect information contained in consumer reports, as required by the Fair Credit Reporting Act. Our concern with the latter statement is that it implies consumer reporting agencies do not take seriously the statutory requirement that consumer reports only be used for a permissible purpose pursuant to FCRA.

NAPBS member companies are defined as consumer reporting agencies under the FCRA and our membership includes resellers of consumer reports. The Association strongly supports robust protection of sensitive consumer information and the protection of such data is critical to our industry, as personal data is what we deal in. We also vigorously support the requirement that consumer reports should only be used for permissible purposes, as required by the FCRA.

Current law requires that consumer reporting agencies have reasonable procedures to safeguard data provided to end-users, and that consumer reports be provided only to a person which the consumer reporting agency has reason to believe has a permissible purpose for the report. The joint statement by the Commissioners indicating that the FTC holds resellers responsible for downstream data protection failures by end-users of consumer reports is overly broad and leads us to believe that the FTC will, moving forward, bring enforcement actions focused on resellers which would impose on them statutory obligations which go beyond current requirements. If that is the case, consumer reporting agencies could always, either individually or jointly, be held liable for end-users' and others' information security programs and practices.
Consumer reporting agencies go to great lengths to secure and test their own information security systems and it would be unreasonable and costly to require that they also do the same for end-users, particularly when the law already requires