Federal Trade Commission Protecting Consumer Privacy


J. Howard Beales, III, Director

Bureau of Consumer Protection

Federal Trade Commission

FTC’s Approach to Privacy

Consumers are concerned about consequences

Focus on misuse of information

No distinction between online and offline

Benefits of Information Sharing

The National Do Not Call Registry

Telemarketing Sales Rule Amendments Adopted December 2002 include Do Not Call

Giving Consumers a Choice

61 million telephone numbers registered since June 27

Consumers with registered numbers have filed over 300,000 complaints since October 11

Harris Poll found that 92% of the respondents have received fewer calls since registering

Enforcing Do Not Call

National Consumer Counsel

Masqueraded as a nonprofit debt negotiation organization

Called consumers who placed their phone numbers on the National Do Not Call Registry

Identity Theft

Survey Results Released September 2003

The research took place during March and April 2003

Involved a random sample telephone survey of over 4,000 U.S. adults

Incidence of Identity Theft, Past Year [1] (victims in millions)

New Accounts & Other Frauds: 3.2 million victims (1.5%) [2]

Other Existing Accounts: 1.5 million victims (0.7%)

Existing Credit Card Only: 5.2 million victims (2.4%)

Total Victimization: 9.9 million victims (4.6%)

[1] Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003).

[2] Based on the U.S. population age 18 and over (215.47 million) as of July 1, 2002 (Source: Population Division, U.S. Census Bureau; Table NA-EST2002-ASRO-01).

How Thief Obtained Victim’s Information [1]

Theft: 23%

Transaction: 13%

Other: 14%

Don't Know: 49%

[1] Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003). Percentages based on respondents who indicated they had been the victim of identity theft within the past five years.

Cost of Identity Theft in the Last Year [1] (in billions)

Federal Trade Commission, September 2003

$33 billion

$47 billion

$14 billion

[1] Source: Identity Theft Survey Report (Table 2, page 7) conducted by Synovate for the FTC (March-April 2003).

Money Victim Paid Out of Pocket [1]

Average Per Victim: $500

None: 63%

Less Than $100: 11%

$100-$999: 12%

$1,000 or More: 8%

[1] Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003). Percentages and average per victim based on respondents who indicated they had been the victim of identity theft within the past five years.

Identity Theft

Role of Law Enforcement

Civil Actions: “phishing” cases

Criminal Prosecution

Identity Theft

Other Law Enforcement cases

TriWest

TCI

Legislative Developments: FACTA

FACTA (Fair and Accurate Credit Transactions Act of 2003) amends the Fair Credit Reporting Act.

Creates new rights for consumers in the credit arena, including:

● Annual free credit reports

● Streamlined dispute process

● Expansion of consumers’ adverse action rights

FACTA & IDT: Prevention & Victim Assistance

▪ Codifies the Fraud Alert Procedure

▪ Trade Line Blocking for Credit Reports

▪ Credit card truncation on Receipts

▪ ID theft red flags for Bank Examinations

▪ Require proper disposal of consumer report information

Information Security: General Principles

Section 5 of the FTC Act: deceptive or unfair practices are illegal

Promises to keep consumers’ information secure must be truthful

When security measures are inadequate, those promises are deceptive

Failure to take reasonable security precautions may also be unfair

Security Procedures Must Be Appropriate In The Circumstances

Inadvertent release of sensitive personal information due to inadequate security procedures – Eli Lilly

Our analysis: were there reasonable procedures in light of the sensitivity of the information to prevent such breaches?

What constitutes reasonable and appropriate procedures is linked directly to the sensitivity of the information collected by the company

Law Violations Without a Known Breach

Companies Cannot Simply Wait for a Breach to Occur

Must Take Reasonable Steps to Guard Against Reasonably Anticipated Vulnerabilities

Breach or No Breach is not Determinative -- Microsoft

Assessing Risks and Vulnerabilities

Security is a process

Information security program assesses reasonable and foreseeable risks and threats

Must assess and adjust to new technologies, new threats: Guess.com

Creating Vulnerabilities

Making sure that you do not create vulnerabilities

A system upgrade introduced a security vulnerability that allowed web users to access order history records and to view certain personal information: Tower

Notice

Case-by-case determination of when appropriate

Sensitivity of information breached

Other parties besides consumers may be in best position to reduce harm

Spam

Three-pronged approach

Research

Targeted Law Enforcement

Education

Spam Research

False Claims in Spam Study April 2003

Two-thirds of spam appears to be deceptive on its face, and likely violates the FTC Act

Much of the rest is pornography or offers for illegal products or services

Only 16.5% of the spam did not sell an illegitimate product or service.

Spam Research: False Claims in Spam Study

Most spam is not from large companies

Random sample of 114 pieces of spam:

None was sent by a Fortune 500 company

Only one was sent by a Fortune 1000 company

95% confident that less than 5% of the 11.6 million pieces of spam in our database came from Fortune 1000 companies.

Spam Law Enforcement

Targeted Law Enforcement

62 cases addressing deceptive spam

Our spam database receives over 250,000 pieces of spam daily

Challenges presented by enforcement

CAN-SPAM Cases

Phoenix Avatar, et al.

Alleged violations of the FTC Act and of CAN-SPAM

Cooperation with DOJ led to a criminal indictment against all defendants

Global Web Promotions, et al.

Alleged violations of the FTC Act and of CAN-SPAM

Defendants located in Australia and New Zealand

CAN-SPAM Rules and Reports

Additional rules interpreting certain CAN-SPAM provisions

Studies

Do-Not-Email Registry

Special labeling of sexually explicit spam

Labeling of all spam

Bounty system to promote enforcement

Report to Congress due in 2 years

Spam Education

Open Relay Project: Our first international effort to identify insecure mail servers

Operation Secure Your Server: Worldwide effort to close spammers’ access to anonymity

WHAT CAN I EXPECT FROM THE FTC IN THE COMING YEAR?

Top Priorities

Do Not Call Enforcement

FCRA

Information Security

Spam

Federal Trade Commission

For the Consumer

1-877-FTC-HELP

www.ftc.gov
