Yesterday the FTC released a 13-page report on "Internet Data Brokers and Pretexting: Who Has Access to Your Private Records?" documenting their stance on consumer information privacy, discussing their efforts in combatting pretexting, and making recommendations to congress for stronger laws and enforcement.
If you wonder what pretexting is and want to understand better what all the hubbub is surrounding the HP board pretexting and privacy turmoil, then this is a nice report for you to read.
Some interesting tidbits from within the report…
- "…in May 2006, the Commission filed five lawsuits in federal courts across the country against online data brokers that, directly or through third parties, allegedly obtained and sold consumer telephone records without the consumer’s knowledge or consent."
Pretexting appears to be widely practiced. Considering few, but thankfully growing, numbers of companies have strong identity verification procedures in place, this is not surprising.
- "The complaints charge the defendants with violating Section 5 of the FTC Act, which prohibits ‚Äúunfair or deceptive acts or practices in or affecting commerce.‚Äù7 In each of these cases, the defendants advertised on their websites that they could obtain confidential customer phone records from telecommunications carriers for fees ranging from $65 to $180. The FTC alleged that the defendants or persons they hired obtained this information by using false pretenses, including posing as the phone carrier’s customer to induce the telephone company’s employees to disclose the records."
Unfortunately many information security and privacy officers are not aware of the FTC Act, but they should be. It certainly applies to a much wider scope of activity than just pretexting; many companies have received fines and penalties under the FTC Act because they did not follow their own posted privacy policies, their employees carelessly sent PII within emails to large groups of customers, and so on.
- "Although the acquisition of telephone records does not present the same risk of immediate financial harm as the acquisition of financial records does, it nonetheless is a serious intrusion into consumers’ privacy and could result in stalking, harassment, and embarrassment."
This is an important point, and it is good that a federal agency is stating this. Misuse and unauthorized access of PII most commonly is associated with identity fraud, but so many more bad things can happen as a result of criminals and fraudsters obtaining PII.
- "And while there is no specific federal civil law that prohibits pretexting for consumer telephone records, the Commission may bring a law enforcement action against a pretexter of telephone records for deceptive or unfair practices under Section 5 of the FTC Act."
Good! In fact, much of the strength of the FTC Act is that it does not get into naming specific activities, but covers the general ways in which companies must do business in an honest and ethical manner.
- "In addition to the recent cases involving telephone records pretexting, the Commission has brought actions under Section 5 of the FTC Act and Section 521 of the GLBA against businesses that use false pretenses to obtain financial information without consumer consent."
Another good point; pretexting is also covered under the Gramm Leach Bliley Act (GLBA).
- In 2oo1, "FTC staff conducted a “surf” of more than 1,000 websites and a review of more than 500 advertisements in print media to identify firms offering to conduct searches for consumers’ financial data. The staff found approximately 200 firms that offered to obtain and sell consumers’ asset or bank account information to third parties. The staff then sent notices to these firms advising them that their practices were subject to the FTC Act and the GLBA, and providing information about how to comply with the law."
200 companies from the 500 ads…if each of the ads was from a different company (which they probably were not) this would mean 40% of companies they looked at were obtaining personal information through other than legitimate or ethical methods. This percentage is likely higher considering some of the companies probably put more than one of these ads out on the websites.
- "In 1999, Congress passed the GLBA, which provided another tool to attack the unauthorized acquisition of consumers’ financial information.17 Section 521 of the GLBA prohibits “false, fictitious, or fraudulent statement[s] or representation[s] to an officer, employee, or agent of a financial institution” to obtain customer information of a financial institution."
This GLBA statement covers a wide range of activities that have been reportedly pursued by many organizations.
As the report indicates, the FTC has made efforts to warn the public about pretexting through some awareness efforts, such as their consumer alert, "Pretexting: Your Personal Information Revealed."
- "in several recent cases, the Commission has challenged data security practices as unreasonably exposing consumer data to theft and misuse.26 Companies that have failed to implement reasonable security and safeguard processes for consumer data face liability under various statutes enforced by the FTC, including the Fair Credit Reporting Act, the Safeguards provisions of the GLBA, and Section 5 of the FTC Act."
And also the Fair Credit Reporting Act (FCRA); another regulation to make sure your company is complying with, if applicable. Make sure you know if it IS applicable; don’t make assumptions that it is not.
The FTC’s Recommendations within the report:
1. "Have more specific prohibitions against pretexting for consumer telephone records and soliciting or selling consumer telephone records obtained through actual or reasonably known pretexting activity."
2. Ensure "any such legislation contain appropriate exceptions for specified law enforcement purposes."
3. Ensure "as part of any such legislation give the Commission authority to seek civil penalties against violators."
4. "Congress enact cross-border fraud legislation. The proposal, called the “US SAFE WEB Act,” will overcome many of the existing obstacles to information sharing in cross-border investigations."
Technorati Tags
information security
IT compliance
policies and procedures
FTC Act
GLBA
FCRA
pretexting
awareness and training
privacy