Federal Trade Commission Protecting Consumer Privacy J. Howard Beales, III, Director Bureau of Consumer Protection Federal Trade Commission
FTC s Approach to Privacy Consumers are concerned about consequences Focus on misuse of information No distinction between online and offline Benefits of Information Sharing
The National Do Not Call Registry Telemarketing Sales Rule Amendments Adopted December 2002 include Do Not Call Giving Consumers a Choice 61 million telephone numbers registered since June 27 Consumers with registered numbers have filed over 300,000 complaints since October 11 Harris Poll found that 92% of the respondents have received fewer calls since registering
Enforcing Do Not Call National Consumer Counsel Masqueraded as a nonprofit debt negotiation organization Called consumers who placed their phone numbers on the National Do Not Call Registry
Identity Theft Survey Results Released September 2003 The research took place during March and April 2003 Involved a random sample telephone survey of over 4,000 U.S. adults
Incidence of Identity Theft, Past Year 1 Federal Trade Commission 15 9.9 million victims Victims in Millions 10 5 3.2 million victims (1.5%) 2 1.5 million victims 5.2 million victims (2.4%) (4.6%) (0.7%) 0 New Accounts & Other Frauds Other Existing Accounts Existing Credit Card Only Total Victimization 1Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003). 2Based on the U.S. population age 18 and over (215.47 million) as of July 1, 2002 (Source: Population Division, U.S. Census Bureau; Table NA-EST2002-ASRO-01).
How Thief Obtained Victim s Information 1 Federal Trade Commission 75% 50% 49% 25% 23% 13% 14% 0% Theft Transaction Other Don't Know 1Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003). Percentages based on respondents who indicated they had been the victim of identity theft within the past five years.
Cost of Identity Theft in the Last Year 1 Federal Trade Commission September 2003 $50 $47 $47 billion $40 (in billions) $30 $33 $33 billion $20 $14 $14 billion $10 $0 New Accounts & Other Frauds Misuse of Existing Accounts (Credit Card & Non-Credit Card) All Identity Theft 1 Source: Identity Theft Survey Report (Table 2, page 7) conducted by Synovate for the FTC (March-April 2003).
Money Victim Paid Out of Pocket 1 Federal Trade Commission 75% 63% Average Per Victim: $500 50% 25% 11% 12% 8% 0% None Less Than $100 $100-$999 $1,000 or More 1Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003). Percentages and average per victim based on respondents who indicated they had been the victim of identity theft within the past five years.
Identity Theft Role of Law Enforcement Civil Actions: phishing cases Criminal Prosecution
Identity Theft Other Law Enforcement cases TriWest TCI
Legislative Developments FACTA FACTA (Fair and Accurate Credit Transactions Act of 2003) amends the Fair Credit Reporting Act. Creates new rights for consumers in the credit arena, including: Annual free credit reports Streamlined dispute process Expansion of consumers adverse action rights
FACTA & IDT Prevention & Victim Assistance Codifies the Fraud Alert Procedure Trade Line Blocking for Credit Reports Credit card truncation on Receipts ID theft red flags for Bank Examinations Require proper disposal of consumer report information
Information Security: General Principles Section 5 of the FTC Act: deceptive or unfair practices are illegal Promises to keep consumers information secure must be truthful When security measures inadequate, those promises are deceptive Failure to take reasonable security precautions may also be unfair
Security Procedures Must Be Appropriate In The Circumstances Inadvertent release of sensitive personal information due to inadequate security procedures Eli Lilly Our analysis: were there reasonable procedures in light of the sensitivity of the information to prevent such breaches? What constitutes reasonable and appropriate procedures is linked directly to the sensitivity of the information collected by the company
Law Violations Without a Known Breach Companies Cannot Simply Wait for a Breach to Occur Must Take Reasonable Steps to Guard Against Reasonably Anticipated Vulnerabilities Breach or No Breach is not Determinative -- Microsoft
Assessing Risks and Vulnerabilities Security is a process Information security program assesses reasonable and foreseeable risks and threats Must assess and adjust to new technologies, new threats: Guess.com
Creating Vulnerabilities Making sure that you do not create vulnerabilities A system upgrade introduced a security vulnerability that allowed web users to access order history records and to view certain personal information: Tower
Notice Case-by-case determination of when appropriate Sensitivity of information breached Other parties besides consumers may best in best position to reduce harm
Spam Three-pronged approach Research Targeted Law Enforcement Education
Spam Research False Claims in Spam Study April 2003 Two-thirds of spam appears to be deceptive on its face, and likely violates the FTC Act Much of the rest is pornography or offers for illegal products or services Only 16.5% of the spam did not sell an illegitimate product or service.
Spam Research: False Claims in Spam Study Most spam is not from large companies Random sample of 114 pieces of spam: None was sent by a Fortune 500 company Only one was sent by a Fortune 1000 company 95% confident that less than 5% of the 11.6 million pieces of spam in our database came from Fortune 1000 companies.
Spam Law Enforcement Targeted Law Enforcement 62 cases addressing deceptive spam Our spam database receives over 250,000 pieces of spam daily Challenges presented by enforcement
CAN-SPAM Cases Phoenix Avatar, et al. Alleged violations of the FTC Act and of CAN- SPAM Cooperation with DOJ lead to a criminal indictment against all defendants Global Web Promotions, et al. Alleged violations of the FTC Act and of CAN- SPAM Defendants located in Australia and New Zealand
CAN-SPAM Rules and Reports Additional rules interpreting certain CAN-Spam provisions Studies Do-Not-Email Registry Special labeling of sexually explicit spam Labeling of all spam Bounty system to promote enforcement Report to Congress due in 2 years
Spam Education Open Relay Project: Our first international effort to identify insecure mail servers Operation Secure Your Server: Worldwide effort to close spammers access to anonymity
WHAT CAN I EXPECT FROM THE FTC IN THE COMING YEAR?
Top Priorities Do Not Call Enforcement FCRA Information Security Spam
Federal Trade Commission For the Consumer 1-877-FTC-HELP www.ftc.gov