Credit Report Resellers Settle FTC Charges Over Poor Security

The Federal Trade Commission recently announced that it reached a settlement with three consumer credit report resellers whose information security practices and procedures were not sufficient to prevent hackers from obtaining more than 1,800 consumer credit reports without authorization. The settlement resolves allegations that the resellers violated the Fair Credit Reporting Act, the FTC Act and the Gramm-Leach-Bliley Safeguards Rule by failing to take appropriate precautions to protect credit reports and the personal information such reports contain. According to the FTC, the resellers’ information security deficiencies included (1) not having comprehensive information security policies or procedures in place; (2) releasing consumer reports to clients who lacked basic security measures, such as firewalls and updated antivirus software; (3) failing to protect their own internet portals and thereby furnishing credit reports to hackers who lacked a permissible purpose for having them; and (4) not making reasonable efforts to protect against future breaches even after becoming aware of the hackers’ illegitimate activities.

The FTC’s proposed consent order prohibits further violations of the Safeguards Rule and also requires the resellers to do the following:

  • implement comprehensive information security programs designed to protect the security, confidentiality, and integrity of consumers’ personal information, including information accessible to clients;
  • obtain independent audits of their security programs, every other year for 20 years;
  • furnish credit reports only to those with a permissible purpose; and
  • maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.

FTC Commissioner Julie Brill used the settlement as an opportunity to emphasize the gravity of the resellers’ offenses and the FTC’s commitment to protecting consumers and their personal information. In connection with the settlement, Commissioner Brill announced that “in the future we will call for imposition of civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligations to protect information contained in consumer reports, as required by the Fair Credit Reporting Act.”

If You Let Them Build It, They Will Come: Regulatory Agencies Release Model Privacy Notice Online Form Builder

More than five months ago, eight federal regulatory agencies released their final model privacy notice form (“Model Form”) (which we blogged about here) to help financial institutions satisfy the disclosure requirements established by the Gramm-Leach-Bliley Act (“GLBA”) and help consumers understand how these institutions collect and share their information. On April 15, 2010, those same agencies attempted to ease the burden of completing the Model Form by releasing an Online Form Builder.

The Online Form Builder provides the financial institution with the choice of four form options depending on the financial institution’s data sharing practices and the opt-out rights it extends to consumers.

Some financial institutions will gravitate towards the Model Form because by using it, they will obtain a legal “safe harbor” which confirms their compliance with the GLBA’s disclosure requirements. It remains to be seen, however, whether all financial institutions will adopt the Model Form given the difficulty a financial institution may have in conveying its complex affiliate relationships and the fact that the Model Form rules do not allow the form to be modified in any material respect.

Innocent Mall Shoppers, You're Off the Hook: Federal Agencies Release Model GLBA Privacy Notice Form

On November 17, 2009, eight federal regulatory agencies released their final model privacy notice form that is intended to make it easier for consumers to understand how financial institutions collect and share information about them. The model privacy notice form, which features a version that offers consumers an opt-out and one with no opt-out, represents the culmination of extensive research and testing by the various agencies, which included a nationwide mall-intercept study (see our previous post here), and their analysis of public comments on the model form first proposed on March 29, 2007. The agencies’ efforts in this regard were spurred by the Financial Services Regulatory Relief Act of 2006, which amended the Gramm-Leach-Bliley Act (“GLBA”) and called upon the federal financial services agencies to jointly propose a succinct and comprehensible format for GLBA privacy notices.

The final model privacy notice form was developed jointly by the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission. It is hailed as a consumer-friendly notice that allows consumers to easily compare the privacy practices of different financial institutions. Financial institutions that choose to use the model form, which will take effect 30 days after publication in the Federal Register, will obtain a “safe harbor” that declares them in compliance with the GLBA’s disclosure requirements. Publication of the final model privacy notice in the Federal Register is expected soon.

With the release of the model form, despite opposition from major industry players, the agencies plan to eliminate the existing sample clauses and accompanying compliance safe harbors, which limited the liability of financial institutions that issued privacy notices containing these sample clauses. Existing safe harbors and sample clauses will be phased out over a one-year period.

Feud of the Forms -- The Battle of The GLBA Notices

The U.S. Securities and Exchange Commission (“SEC”) announced on April 15, 2009 that it is reopening the period for public comment on proposed amendments to Regulation S-P, the SEC’s Gramm-Leach-Bliley Act (“GLBA”) implementing regulations. The SEC’s announcement follows the release of a report detailing the results of the second phase of the Interagency Notice Project (“INP”). The report by Drs. Alan Levy and Manoj Hastak, Consumer Comprehension of Financial Privacy Notices, uses the results of a mall-intercept study to compare the performance of a prototype financial privacy notice developed by the Kleimann Communication Group (“KCG”) during the first phase of the INP against three alternative notices. The Levy-Hastak report, among other things, confirms what proponents of the INP suspected – some GLBA privacy notices are largely ineffective in conveying information to consumers that allows them to make rational decisions about the sharing of their personal financial information.

Launched in 2004, the INP is directed to evaluating consumer comprehension of GLBA privacy notices and the communication effectiveness of different notice formats. The INP’s ultimate goal is to facilitate the adoption of a model form which may be used by financial institutions to provide GLBA-required notices. In order to assess the relative effectiveness of different GLBA notice formats, researchers distributed one of four alternative notices to mall shoppers in five locations across the United States. These notice recipients were then asked a series of questions designed to test their ability to (a) compare banks’ information collection and sharing practices, (b) evaluate available “opt-out” choices described in the notices, and (c) make informed and reasoned choices between banks. The Levy-Hastak report used the results of this quantitative study to analyze four different notice formats: 

  • KCG Table Notice: This notice, the Phase I model form, uses a table on page one to describe (1) the types of sharing engaged in by financial institutions; (2) for each type of sharing, whether a particular institution shares personal information; and (3) whether the institution offers the consumer an opportunity to opt out or limit such sharing.
  • KCG Prose Notice: This notice is the prose version of the Phase I model form. This notice differs from the KCG Table notice only in that it replaces the table on page one with a bulleted list that describes the information contained in the table.
  • Current Notice: This notice is a composite notice that is generally representative of GLBA notices currently provided by financial institutions to consumers.
  • Sample Clause Notice: This notice is comprised solely of Sample Clauses that provide only the specific information that relates to the individual financial institution.

The Levy-Hastak report points out the weakness of the Current Notice, but stops short of declaring a clear winner in the battle of forms. The Sample Clause Notice’s strong performance with respect to tasks that merely required respondents to find information within the notice underscores the importance of short forms. But the KCG Table Notice outperformed the other notice formats across “a diverse set of communication effectiveness measures.” Specifically, the survey results demonstrated that the KCG Table Notice helped respondents better understand the information contained in the notice, which enabled them to make informed and logical decisions about financial information sharing.

The complete Levy-Hastak report is available here. The SEC’s public comment period will remain open until May 20, 2009.