
FTC Pretexting Report: All Businesses are Obligated to Protect Consumer Data Under Multiple Federal Regulations

Yesterday the FTC released a 13-page report on "Internet Data Brokers and Pretexting: Who Has Access to Your Private Records?" documenting its stance on consumer information privacy, discussing its efforts in combating pretexting, and making recommendations to Congress for stronger laws and enforcement.

If you wonder what pretexting is and want to understand better what all the hubbub is surrounding the HP board pretexting and privacy turmoil, then this is a nice report for you to read.

Some interesting tidbits from within the report...

  • "...in May 2006, the Commission filed five lawsuits in federal courts across the country against online data brokers that, directly or through third parties, allegedly obtained and sold consumer telephone records without the consumer’s knowledge or consent."

Pretexting appears to be widely practiced.  Considering that few companies (though a thankfully growing number) have strong identity verification procedures in place, this is not surprising.

  • "The complaints charge the defendants with violating Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” In each of these cases, the defendants advertised on their websites that they could obtain confidential customer phone records from telecommunications carriers for fees ranging from $65 to $180. The FTC alleged that the defendants or persons they hired obtained this information by using false pretenses, including posing as the phone carrier’s customer to induce the telephone company’s employees to disclose the records."

Unfortunately, many information security and privacy officers are not aware of the FTC Act, but they should be.  It applies to a much wider scope of activity than just pretexting; many companies have received fines and penalties under the FTC Act because they did not follow their own posted privacy policies, because their employees carelessly sent PII within emails to large groups of customers, and so on.

  • "Although the acquisition of telephone records does not present the same risk of immediate financial harm as the acquisition of financial records does, it nonetheless is a serious intrusion into consumers’ privacy and could result in stalking, harassment, and embarrassment."

This is an important point, and it is good that a federal agency is stating it.  Misuse of and unauthorized access to PII is most commonly associated with identity fraud, but many more bad things can happen when criminals and fraudsters obtain PII.

  • "And while there is no specific federal civil law that prohibits pretexting for consumer telephone records, the Commission may bring a law enforcement action against a pretexter of telephone records for deceptive or unfair practices under Section 5 of the FTC Act."

Good!  In fact, much of the strength of the FTC Act is that it does not get into naming specific activities, but covers the general ways in which companies must do business in an honest and ethical manner.

  • "In addition to the recent cases involving telephone records pretexting, the Commission has brought actions under Section 5 of the FTC Act and Section 521 of the GLBA against businesses that use false pretenses to obtain financial information without consumer consent."

Another good point: pretexting is also covered under the Gramm-Leach-Bliley Act (GLBA).

  • In 2001, "FTC staff conducted a “surf” of more than 1,000 websites and a review of more than 500 advertisements in print media to identify firms offering to conduct searches for consumers’ financial data. The staff found approximately 200 firms that offered to obtain and sell consumers’ asset or bank account information to third parties. The staff then sent notices to these firms advising them that their practices were subject to the FTC Act and the GLBA, and providing information about how to comply with the law."

200 companies from the 500 ads: if each ad was from a different company (which they probably were not), this would mean 40% of the companies they looked at were obtaining personal information through other than legitimate or ethical methods.  The percentage is likely higher, considering that some of the companies probably placed more than one of these ads.

  • "In 1999, Congress passed the GLBA, which provided another tool to attack the unauthorized acquisition of consumers’ financial information. Section 521 of the GLBA prohibits “false, fictitious, or fraudulent statement[s] or representation[s] to an officer, employee, or agent of a financial institution” to obtain customer information of a financial institution."

This GLBA statement covers a wide range of activities that have been reportedly pursued by many organizations.

As the report indicates, the FTC has made efforts to warn the public about pretexting through awareness efforts such as its consumer alert, "Pretexting: Your Personal Information Revealed."

  • "In several recent cases, the Commission has challenged data security practices as unreasonably exposing consumer data to theft and misuse. Companies that have failed to implement reasonable security and safeguard processes for consumer data face liability under various statutes enforced by the FTC, including the Fair Credit Reporting Act, the Safeguards provisions of the GLBA, and Section 5 of the FTC Act."

And also the Fair Credit Reporting Act (FCRA): another regulation to make sure your company is complying with, if applicable.  Make sure you know whether it IS applicable; don't assume that it is not.

The FTC's recommendations within the report are that Congress:

1.  "Have more specific prohibitions against pretexting for consumer telephone records and soliciting or selling consumer telephone records obtained through actual or reasonably known pretexting activity."

2.  Ensure "any such legislation contain appropriate exceptions for specified law enforcement purposes."

3.  Ensure "as part of any such legislation give the Commission authority to seek civil penalties against violators."

4.  "Congress enact cross-border fraud legislation. The proposal, called the “US SAFE WEB Act,” will overcome many of the existing obstacles to information sharing in cross-border investigations."


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.