Federal Trade Commission
Protecting Consumer Privacy
J. Howard Beales, III, Director
Bureau of Consumer Protection
Federal Trade Commission
FTC’s Approach to Privacy
Consumers are concerned about consequences
Focus on misuse of information
No distinction between online and offline
Benefits of Information Sharing
The National Do Not Call Registry
Telemarketing Sales Rule Amendments Adopted December 2002 include Do Not Call
Giving Consumers a Choice
61 million telephone numbers registered since June 27
Consumers with registered numbers have filed over 300,000 complaints since October 11
Harris Poll found that 92% of the respondents have received fewer calls since registering
Enforcing Do Not Call
National Consumer Counsel
Masqueraded as a nonprofit debt negotiation organization
Called consumers who placed their phone numbers on the National Do Not Call Registry
Identity Theft
Survey Results Released September 2003
The research took place during March and April 2003
Involved a random sample telephone survey of over 4,000 U.S. adults
Incidence of Identity Theft, Past Year [1] (Victims in Millions)
New Accounts & Other Frauds: 3.2 million victims (1.5%) [2]
Other Existing Accounts: 1.5 million victims (0.7%)
Existing Credit Card Only: 5.2 million victims (2.4%)
Total Victimization: 9.9 million victims (4.6%)
[1] Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003).
[2] Based on the U.S. population age 18 and over (215.47 million) as of July 1, 2002 (Source: Population Division, U.S. Census Bureau; Table NA-EST2002-ASRO-01).
How Thief Obtained Victim’s Information [1]
Theft: 23%
Transaction: 13%
Other: 14%
Don't Know: 49%
[1] Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003). Percentages based on respondents who indicated they had been the victim of identity theft within the past five years.
Cost of Identity Theft in the Last Year [1] (in billions)
Federal Trade Commission September 2003
$33 billion
$47 billion
$14 billion
[1] Source: Identity Theft Survey Report (Table 2, page 7) conducted by Synovate for the FTC (March-April 2003).
Money Victim Paid Out of Pocket [1]
Average Per Victim: $500
None: 63%
Less Than $100: 11%
$100-$999: 12%
$1,000 or More: 8%
[1] Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003). Percentages and average per victim based on respondents who indicated they had been the victim of identity theft within the past five years.
Identity Theft
Role of Law Enforcement
Civil Actions: “phishing” cases
Criminal Prosecution
Identity Theft
Other Law Enforcement cases
TriWest
TCI
Legislative Developments
FACTA
FACTA (Fair and Accurate Credit Transactions Act of 2003) amends the Fair Credit Reporting Act.
Creates new rights for consumers in the credit arena, including:
● Annual free credit reports
● Streamlined dispute process
● Expansion of consumers’ adverse action rights
FACTA & IDT
Prevention & Victim Assistance
▪ Codifies the Fraud Alert Procedure
▪ Trade Line Blocking for Credit Reports
▪ Credit card truncation on Receipts
▪ ID theft red flags for Bank Examinations
▪ Require proper disposal of consumer report information
Information Security: General Principles
Section 5 of the FTC Act: deceptive or unfair practices are illegal
Promises to keep consumers’ information secure must be truthful
When security measures are inadequate, those promises are deceptive
Failure to take reasonable security precautions may also be unfair
Security Procedures Must Be Appropriate In The Circumstances
Inadvertent release of sensitive personal information due to inadequate security procedures – Eli Lilly
Our analysis: were there reasonable procedures in light of the sensitivity of the information to prevent such breaches?
What constitutes reasonable and appropriate procedures is linked directly to the sensitivity of the information collected by the company
Law Violations Without a Known Breach
Companies Cannot Simply Wait for a Breach to Occur
Must Take Reasonable Steps to Guard Against Reasonably Anticipated Vulnerabilities
Breach or No Breach is not Determinative -- Microsoft
Assessing Risks and Vulnerabilities
Security is a process
Information security program assesses reasonable and foreseeable risks and threats
Must assess and adjust to new technologies, new threats: Guess.com
Creating Vulnerabilities
Making sure that you do not create vulnerabilities
A system upgrade introduced a security vulnerability that allowed web users to access order history records and to view certain personal information: Tower
Notice
Case-by-case determination of when appropriate
Sensitivity of information breached
Other parties besides consumers may be in best position to reduce harm
Spam
Three-pronged approach
Research
Targeted Law Enforcement
Education
Spam Research
False Claims in Spam Study April 2003
Two-thirds of spam appears to be deceptive on its face, and likely violates the FTC Act
Much of the rest is pornography or offers for illegal products or services
Only 16.5% of the spam did not sell an illegitimate product or service.
Spam Research: False Claims in Spam Study
Most spam is not from large companies
Random sample of 114 pieces of spam:
None was sent by a Fortune 500 company
Only one was sent by a Fortune 1000 company
95% confident that less than 5% of the 11.6 million pieces of spam in our database came from Fortune 1000 companies.
Spam Law Enforcement
Targeted Law Enforcement
62 cases addressing deceptive spam
Our spam database receives over 250,000 pieces of spam daily
Challenges presented by enforcement
CAN-SPAM Cases
Phoenix Avatar, et al.
Alleged violations of the FTC Act and of CAN-SPAM
Cooperation with DOJ led to a criminal indictment against all defendants
Global Web Promotions, et al.
Alleged violations of the FTC Act and of CAN-SPAM
Defendants located in Australia and New Zealand
CAN-SPAM Rules and Reports
Additional rules interpreting certain CAN-SPAM provisions
Studies
Do-Not-Email Registry
Special labeling of sexually explicit spam
Labeling of all spam
Bounty system to promote enforcement
Report to Congress due in 2 years
Spam Education
Open Relay Project: Our first international effort to identify insecure mail servers
Operation Secure Your Server: Worldwide effort to close spammers’ access to anonymity
WHAT CAN I EXPECT FROM THE FTC IN THE COMING YEAR?
Top Priorities
Do Not Call Enforcement
FCRA
Information Security
Spam
Federal Trade Commission
For the Consumer
1-877-FTC-HELP
www.ftc.gov