Federal Trade Commission
Protecting Consumer Privacy
J. Howard Beales, III, Director
Bureau of Consumer Protection
Federal Trade Commission
FTC’s Approach to Privacy

Consumers are concerned about consequences

Focus on misuse of information

No distinction between online and offline

Benefits of Information Sharing
The National Do Not Call Registry

Telemarketing Sales Rule Amendments adopted December 2002 include Do Not Call




Giving Consumers a Choice
61 million telephone numbers registered since June 27
Consumers with registered numbers have filed over 300,000 complaints since October 11
Harris Poll found that 92% of the respondents have received fewer calls since registering
Enforcing Do Not Call



National Consumer Counsel
Masqueraded as a nonprofit debt negotiation organization
Called consumers who placed their phone numbers on the National Do Not Call Registry
Identity Theft

Survey Results Released September 2003

The research took place during March and April 2003

Involved a random sample telephone survey of over 4,000 U.S. adults
Incidence of Identity Theft, Past Year [1]
[Bar chart; vertical axis: Victims in Millions. Categories: New Accounts & Other Frauds; Other Existing Accounts; Existing Credit Card Only; Total Victimization. Bar labels: 9.9 million victims (4.6%); 5.2 million victims (2.4%); 3.2 million victims (1.5%) [2]; 1.5 million victims (0.7%).]
[1] Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003).
[2] Based on the U.S. population age 18 and over (215.47 million) as of July 1, 2002 (Source: Population Division, U.S. Census Bureau; Table NA-EST2002-ASRO-01).
How Thief Obtained Victim’s Information [1]
[Bar chart; vertical axis: percentage of victims. Categories: Transaction; Other; Theft; Don't Know. Bar labels: 49%; 23%; 13%; 14%.]
[1] Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003). Percentages based on respondents who indicated they had been the victim of identity theft within the past five years.
Cost of Identity Theft in the Last Year [1]
September 2003
[Bar chart; vertical axis: cost (in billions). Categories: New Accounts & Other Frauds; Misuse of Existing Accounts (Credit Card & Non-Credit Card); All Identity Theft. Bar labels: $47 billion; $33 billion; $14 billion.]
[1] Source: Identity Theft Survey Report (Table 2, page 7) conducted by Synovate for the FTC (March-April 2003).
Money Victim Paid Out of Pocket [1]
[Bar chart; vertical axis: percentage of victims. Categories: None; Less Than $100; $100-$999; $1,000 or More. Bar labels: 63%; 11%; 12%; 8%. Average Per Victim: $500.]
[1] Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003). Percentages and average per victim based on respondents who indicated they had been the victim of identity theft within the past five years.
Identity Theft

Role of Law Enforcement

Civil Actions: “phishing” cases

Criminal Prosecution
Identity Theft

Other Law Enforcement cases

TriWest

TCI
Legislative Developments
FACTA
FACTA (Fair and Accurate Credit Transactions Act of 2003) amends the Fair Credit Reporting Act.
Creates new rights for consumers in the credit arena, including:
● Annual free credit reports
● Streamlined dispute process
● Expansion of consumers’ adverse action rights
FACTA & IDT
Prevention & Victim Assistance
▪ Codifies the Fraud Alert Procedure
▪ Trade Line Blocking for Credit Reports
▪ Credit card truncation on Receipts
▪ ID theft red flags for Bank Examinations
▪ Require proper disposal of consumer report information
Information Security: General Principles

Section 5 of the FTC Act: deceptive or unfair practices are illegal

Promises to keep consumers’ information secure must be truthful

When security measures are inadequate, those promises are deceptive

Failure to take reasonable security precautions may also be unfair
Security Procedures Must Be Appropriate In The Circumstances

Inadvertent release of sensitive personal information due to inadequate security procedures – Eli Lilly

Our analysis: were there reasonable procedures in light of the sensitivity of the information to prevent such breaches?

What constitutes reasonable and appropriate procedures is linked directly to the sensitivity of the information collected by the company
Law Violations Without a Known Breach

Companies Cannot Simply Wait for a Breach to Occur

Must Take Reasonable Steps to Guard Against Reasonably Anticipated Vulnerabilities

Breach or No Breach is not Determinative - Microsoft
Assessing Risks and Vulnerabilities

Security is a process

Information security program assesses reasonable and foreseeable risks and threats

Must assess and adjust to new technologies, new threats: Guess.com
Creating Vulnerabilities

Making sure that you do not create vulnerabilities

A system upgrade introduced a security vulnerability that allowed web users to access order history records and to view certain personal information: Tower
Notice

Case-by-case determination of when appropriate

Sensitivity of information breached

Other parties besides consumers may be in best position to reduce harm
Spam

Three-pronged approach

Research

Targeted Law Enforcement

Education
Spam Research
False Claims in Spam Study April 2003

Two-thirds of spam appears to be deceptive on its face, and likely violates the FTC Act

Much of the rest is pornography or offers for illegal products or services

Only 16.5% of the spam did not sell an illegitimate product or service.
Spam Research: False Claims in Spam Study

Most spam is not from large companies

Random sample of 114 pieces of spam:

None was sent by a Fortune 500 company
Only one was sent by a Fortune 1000 company
95% confident that less than 5% of the 11.6 million pieces of spam in our database came from Fortune 1000 companies.
Spam Law Enforcement

Targeted Law Enforcement

62 cases addressing deceptive spam

Our spam database receives over 250,000 pieces of spam daily

Challenges presented by enforcement
CAN-SPAM Cases

Phoenix Avatar, et al.

Alleged violations of the FTC Act and of CAN-SPAM
Cooperation with DOJ led to a criminal indictment against all defendants

Global Web Promotions, et al.

Alleged violations of the FTC Act and of CAN-SPAM
Defendants located in Australia and New Zealand
CAN-SPAM Rules and Reports

Additional rules interpreting certain CAN-SPAM provisions

Studies

Do-Not-Email Registry
Special labeling of sexually explicit spam
Labeling of all spam
Bounty system to promote enforcement
Report to Congress due in 2 years
Spam Education

Open Relay Project: Our first international effort to identify insecure mail servers

Operation Secure Your Server: Worldwide effort to close spammers’ access to anonymity
WHAT CAN I EXPECT FROM THE FTC IN THE COMING YEAR?
Top Priorities

Do Not Call Enforcement

FCRA

Information Security

Spam
Federal Trade Commission
For the Consumer
1-877-FTC-HELP
www.ftc.gov