Live from DMA06: The FTC Tightens Up ID Theft Rules

Oct 17, 2006 8:06 PM

(Direct) San Francisco–Identity theft? Ho-hum.

Woe to you, friend, if that’s your attitude. Data security may be dead in Congress this year, but the Federal Trade Commission is on the case, and that could mean trouble for lax companies.

“The FTC has stepped into the void,” said Emilio Cividanes, a partner in Venable LLP. “And every proposal for comprehensive legislation has the FTC playing an important role.”

For one thing, the commission is now putting its finishing touches on its ID Theft Red Flags Rule, requiring that companies spot and address identity theft risks.

What would constitute a red flag? Multiple addresses on file for a single credit-card holder, for one, according to Joel Winston, associate director of the Privacy and Identity Protection division of the FTC’s Bureau of Consumer Protection, speaking at DMA06 in San Francisco.

And the FTC is aggressively pursuing companies for allowing security breaches to occur or for not having protections in place. And why not? It is getting 15,000-20,000 consumer messages a week through its Identity Theft Website and telephone number.

Winston argued that the commission pursues only the most serious cases and that it is not nitpicking. But he admitted that an FTC probe “is no fun.” Meanwhile, the lame-duck Congress has checked out.

“There’s not a large likelihood of action on any security breach bills,” said Jerry Cerasale, vice president of government affairs for the Direct Marketing Association.

One problem may be that there are too many bills. “There’s been an embarrassment of riches,” said Cividanes. “Too many committees took too much of an interest. There have been three bills in the Senate, four in the House, and some gridlock.” The only bill to make it through the House was a limited one protecting veterans.

But the states are busy passing laws, and most follow the California statute, requiring that firms notify consumers for every breach, Cerasale said on Sunday.

According to Winston, 34 states now have laws in this area, up from 20 last year. Among the most troublesome is North Dakota’s, which designates the name and address combined with the date of birth as sensitive information.

Moreover, the President’s Commission on Identity Theft is due to deliver its report to Bush on Nov. 6. It will make recommendations on security, criminal enforcement, legislation and education.

On the federal level, data security is already covered for some firms under the Gramm-Leach-Bliley Act. Under that act, financial services firms must provide privacy notices to customers every year and give them the chance to opt out. It also requires that firms implement security in line with the FTC’s Safeguards Rule. The Safeguards Rule states that companies must develop a written security plan, scalable to the size of the business. They are also required to conduct risk assessments and monitor their service providers.

But this rule is “process oriented,” Winston said. “It doesn’t impose technical standards.”

However, every data security law introduced in Congress has imposed the Safeguards Rule standards on all businesses, Winston said. And the FTC urges companies to observe the spirit of the rule even if they are not covered by it.

Most cases brought by the FTC are for unfair and deceptive practices as defined by the Federal Trade Commission Act. If you state that personal information is secure, “you have to live up to that promise,” Winston said.

But cases against two retailers and two service vendors are based on the premise that a firm that fails to protect customer data is guilty of unfair practices. In one such case, thieves hacked into a retail database, resulting in “millions in unauthorized charges,” Winston said.

Most FTC investigations are about data practices, not actual breaches, he continued.

Much identity theft is due to things like dumpster diving or misuse of credit cards by family members or friends. But a portion is also due to corporate sloppiness, and to lack of awareness by firms of the data they are holding.

“It’s amazing to me that businesses have no idea of what information they’re collecting and why,” Winston said.