Watch Your End User: FTC Goes After Credit Reporting Agencies for Failing to Monitor Their Clients' Security Protocols

The Federal Trade Commission (FTC) recently reached a settlement with three credit reporting agencies, SettlementOne, ACRAnet, and Statewide Credit Services. These companies (the respondents) have contracted to receive credit reports, and the sensitive information that accompanies them, from the three major consumer reporting agencies, Equifax, Experian, and TransUnion. With this information, the respondents create "trimerge reports" that the respondents' clients can access with a user name and password to assess the creditworthiness of individuals seeking credit. The essential issue, according to the FTC, was that these companies had failed to monitor the security protocols of their clients, resulting in a situation where hackers were able to breach the clients' systems and access sensitive information on approximately 1,800 consumers. Data security has become a major issue for the Commission given the impact of identity theft and other data crime. The FTC's latest report on the matter estimates that 8.3 million Americans were victims of identity theft in 2005. Aside from the financial harm, which the report estimated at $15.6 billion, consumers also face lingering problems, such as difficulty obtaining additional lines of credit or new loans, unpleasant dealings with collection agencies, and hours upon hours of lost time trying to restore their financial and data security.
The FTC's complaints against the respondents (SettlementOne, ACRAnet, Statewide Credit Services) and affiliated entities alleged violations of the Gramm-Leach-Bliley Act Safeguards Rule, the Fair Credit Reporting Act (FCRA), and Section 5 of the FTC Act by, among other things, (1) neglecting to create and articulate security policies for end users to follow; (2) not establishing and maintaining adequate security protocols; (3) failing to ensure that the end users of their products would properly protect sensitive information; (4) failing to provide training on security measures to end users; (5) not creating a system to monitor end users' access to trimerge reports (including odd patterns or suspicious viewing); and (6) not remedying security issues even after known breaches. The FTC alleged that, because of these failures, the respondents had allowed their clients to access reports without ensuring that the clients had "basic security measures in place, such as firewalls and updated antivirus software." The FTC further asserted that after the alleged data breaches occurred, the respondents did not take reasonable steps to determine the causes of the breaches or to ensure that such breaches would not recur. Altogether, the crux of the FTC's allegations was that the reporting agencies had failed to take "reasonable and appropriate measures" to maintain the confidentiality and security of sensitive information, by failing to ensure that only persons with, in the words of the FCRA, a "permissible purpose[ ]" would receive third parties' credit reports (i.e., that unauthorized persons could not access such information), and that the reporting agencies' conduct thereby caused or threatened to cause substantial injury to consumers.
In the consent orders (SettlementOne, ACRAnet, Statewide Credit Services), each respondent agreed to implement "comprehensive information security program[s]" to protect the security of the confidential information contained in the trimerge reports. Each also agreed to designate a key employee to oversee the program and to update the program regularly to keep pace with ongoing security needs. To ensure compliance with these terms, the respondents agreed to undergo assessments by independent parties, with assessment reports to be submitted to the FTC for the next 20 years. These assessment reports must certify both the adequacy of the safeguards the respondents have in place and that the respondents' information protection systems are working properly. Separate from the final agreement, Commissioner Brill issued a statement, joined by Chairman Leibowitz and Commissioners Rosch and Ramirez, indicating that, in the future, these Commissioners "will call for imposition of civil penalties against resellers of consumer reports" who do not go to the appropriate lengths to protect the sensitive information contained in these reports. It seems that the Commission was not willing to go that far in this case, with Commissioner Brill's statement recognizing that this was the first instance in which the FTC had held credit reporting agencies responsible for the data-protection failures of their clients. While the respondents did not bear the full weight of the FTC's potential enforcement mechanisms, this case makes clear that information brokers should scrutinize the information security policies of their clients and should at all times be as knowledgeable as possible about the security and confidentiality measures their clients are taking. – Ronald Lee, Nancy Perkins, and Michael Thorpe
