Proposed Consent Agreement In the Matter of ACRAnet, Inc., a corporation, File No.0923088 #552781-00028

Submission Number:
Adam Kiehl
Verified, Incorporated
Initiative Name:
Proposed Consent Agreement In the Matter of ACRAnet, Inc., a corporation, File No.0923088
March 7, 2011 Hon. Donald S. Clark Federal Trade Commission Office of the Secretary 600 Pennsylvania Avenue, NW Washington, DC 20580 Via Electronic Filing Re: In the Matter of SettlementOne Credit Corporation, et al., File No. 082 3208 In the Matter of ACRAnet, Inc., File No. 092 3088 In the Matter of Fajilan and Associates, et al. File No. 092 3089 Dear Mr. Clark: Verified, Incorporated appreciates the opportunity to comment on the Federal Trade Commission s ( FTC ) proposed settlements in the three above-referenced matters. Background on Verified, Incorporated. Verified was founded in 2002, as a credit reporting agency (known to you as a reseller in Fair Credit Reporting Act ( FCRA ) terms, servicing the consumer reporting needs of property managers, and employers. Our services touch all 50 states domestically, and we ve grown 20% per year since 2002. My company is very similar to the respondents companies referenced above. As a reseller of consumer reports, we obtain reports from the three nationwide consumer reporting agencies and create combined, or tri-merge , and other specialty hybrid consumer reports for specific property leasing and employment screening needs. I take the duty of being a good steward of the consumers data within my control very seriously and have never neglected my obligation to safeguard the consumers information. I agree with the FTC s statements about problems associated with identity theft and for that reason I have devoted significant corporate resources, including investment in sophisticated technology systems, to protect consumer data within my control. The FTC s Statement about the Respondents I notice that the respondents in these matters did not admit to any of the complaint allegations. Each company made a business decision to settle on the terms of the negotiated order, rather than incur the significant legal fees and expenses of defending an FTC enforcement action. For that reason, I find troubling FTC s press release and particularly the statement of Commissioner Brill, joined by the Chairman and Commissioners Rosch and Ramirez (the Commissioners Statement ). These FTC statements are not a reflection of the efforts that I take in protecting the consumers data and I find them derogatory and inflammatory in nature. I believe that these types of messages are likely to give the public an inaccurate impression of my industry and our compliance with Federal laws. Despite the impression created by the FTC s press release and the Commissioners Statement, each of these three resellers had implemented and maintained an information security program that was reasonably designed to protect the security, confidentiality, and integrity of customer information, as required under the GLBA Safeguards Rule. Each reseller maintained reasonable procedures to limit the provision of consumer reports to end-users who had a permissible purpose for the reports in accordance with the FCRA. Moreover, each reseller required its end-users to agree by written contract that they would implement and maintain adequate information security systems, controls and procedures, including firewalls and other appropriate data security measures. These written agreements provided that an end-user s violation of these contractual obligations could result in suspension of the end-user s access to the reseller s portal or termination of the agreement. By implementing vigorous internal security measures and contractually mandating that end-users act similarly, the resellers met their legal obligations under the FCRA and the GLBA to protect consumer information. The Missing Parties in the Proposed Orders None of the unprotected computer systems involved in the data breaches that led to these enforcement actions were within the ownership or control of these resellers. The FTC s complaints allege that the breaches occurred because the end-users lacked adequate fi