FTC Tightens ID Theft Regs

Identity theft? Ho-hum.

Woe to you, friend, if that’s your attitude. Data security may be dead in Congress this year, but the Federal Trade Commission is on the case, and that could mean trouble for lax companies.

“The FTC has stepped into the void,” said Emilio Cividanes, a partner in Venable LLP. “And every proposal for comprehensive legislation has the FTC playing an important role.”

For one thing, the commission is now putting finishing touches on its Identity Theft Red Flag rule, requiring that companies spot and address ID theft risks.

What would constitute a red flag? Multiple addresses for a credit cardholder, according to Joel Winston, associate director of the FTC Bureau of Consumer Protection’s privacy and identity protection division, who spoke at DMA06 in San Francisco last month.

And the FTC is aggressively pursuing companies for allowing security breaches to occur, or for not having protections in place. The reason? It’s getting from 15,000 to 20,000 consumer messages a week through its identity theft Web site and telephone number.

Winston argued that the commission pursues only the most serious cases, and that it is not nitpicking. But he admitted that an FTC probe “is no fun.”

Meanwhile, the lame-duck Congress has checked out.

“There’s not a large likelihood of action on any security breach bills,” said Jerry Cerasale, vice president for government affairs at the Direct Marketing Association.

One problem may be that there are too many bills.

“There’s been an embarrassment of riches,” said Cividanes. “Too many committees took too much of an interest. There’s been three bills in the Senate, four in the House, and some gridlock.”

The only bill to make it in the House was a limited one protecting veterans. But the states are busy passing laws, and most follow the California statute requiring that firms notify consumers of every breach, Cerasale said.

According to Winston, 34 states now have laws in this area, up from 20 last year. Among the most troublesome is North Dakota’s, which designates the name and address combined with the date of birth as sensitive information.

Moreover, the President’s Commission on Identity Theft is due to deliver its report to the White House Nov. 6. It will make recommendations on security, criminal enforcement, legislation and education.

On the federal level, data security already is covered for some companies under the Gramm-Leach-Bliley Act. Financial services firms must provide privacy notices to customers every year and give them a chance to opt out.

The act also requires that companies implement security in line with the FTC’s Safeguards Rule. The rule states that firms must develop a written security plan scalable to the size of their business. Companies also are required to conduct risk assessments and monitor their service providers.

But this rule is “process oriented,” Winston said. “It doesn’t impose technical standards.”

However, every data security law introduced in Congress has imposed the Safeguards Rule standards on all businesses, according to Winston. And the FTC urges firms to observe the spirit of the rule even if they’re not covered by it.

Most cases brought by the FTC are for unfair and deceptive practices as defined by the Federal Trade Commission Act. If you state that personal information is secure, “you have to live up to that promise,” Winston said.

But cases against two retailers and two service vendors are based on the premise that a company which fails to protect customer data is guilty of unfair practices. In one such case, thieves hacked into a retail database, resulting in “millions in unauthorized charges,” Winston added.

Most FTC investigations are about data practices, not actual breaches, he continued.

Much identity theft is due to things like dumpster diving, or misuse of credit cards by family members or friends. But a portion also is due to corporate sloppiness, and to lack of awareness by firms of the data they’re holding.

“It’s amazing to me that businesses have no idea what information they’re collecting and why,” Winston said.