Federal Trade Commission
Protecting Consumer Privacy
J. Howard Beales, III, Director, Bureau of Consumer Protection, Federal Trade Commission

FTC’s Approach to Privacy
• Consumers are concerned about consequences
• Focus on misuse of information
• No distinction between online and offline
• Benefits of Information Sharing

The National Do Not Call Registry
• Telemarketing Sales Rule Amendments adopted December 2002 include Do Not Call
• Giving Consumers a Choice
• 61 million telephone numbers registered since June 27
• Consumers with registered numbers have filed over 300,000 complaints since October 11
• Harris Poll found that 92% of the respondents have received fewer calls since registering

Enforcing Do Not Call
• National Consumer Counsel
  • Masqueraded as a nonprofit debt negotiation organization
  • Called consumers who placed their phone numbers on the National Do Not Call Registry

Identity Theft
• Survey Results Released September 2003
  • The research took place during March and April 2003
  • Involved a random sample telephone survey of over 4,000 U.S. adults

Incidence of Identity Theft, Past Year¹
Federal Trade Commission

Category                       Victims (millions)²   Share of U.S. adults
Existing Credit Card Only      5.2                   2.4%
Other Existing Accounts        1.5                   0.7%
New Accounts & Other Frauds    3.2                   1.5%
Total Victimization            9.9                   4.6%

¹Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003).
²Based on the U.S. population age 18 and over (215.47 million) as of July 1, 2002 (Source: Population Division, U.S. Census Bureau; Table NA-EST2002-ASRO-01).

How Thief Obtained Victim’s Information¹
Federal Trade Commission
[Chart: breakdown by method; values not recoverable from the page.]
¹Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003). Percentages based on respondents who indicated they had been the victim of identity theft within the past five years.

Cost of Identity Theft in the Last Year¹
Federal Trade Commission, September 2003
[Chart, in billions: $47 billion, $33 billion, $14 billion; bar labels not recoverable from the page.]
¹Source: Identity Theft Survey Report (Table 2, page 7) conducted by Synovate for the FTC (March-April 2003).

Money Victim Paid Out of Pocket¹
Federal Trade Commission
Average Per Victim: $500
[Chart: distribution of out-of-pocket amounts; percentages not recoverable from the page.]
¹Source: Identity Theft Survey Report conducted by Synovate for the FTC (March-April 2003). Percentages and average per victim based on respondents who indicated they had been the victim of identity theft within the past five years.

Identity Theft
• Role of Law Enforcement
  • Civil Actions: “phishing” cases
  • Criminal Prosecution

Identity Theft
• Other Law Enforcement cases
  • TriWest
  • TCI

Legislative Developments: FACTA
FACTA (Fair and Accurate Credit Transactions Act of 2003) amends the Fair Credit Reporting Act. Creates new rights for consumers in the credit arena, including:
● Annual free credit reports
● Streamlined dispute process
● Expansion of consumers’ adverse action rights

FACTA & IDT: Prevention & Victim Assistance
▪ Codifies the Fraud Alert Procedure
▪ Trade Line Blocking for Credit Reports
▪ Credit card truncation on Receipts
▪ ID theft red flags for Bank Examinations
▪ Require proper disposal of consumer report information

Information Security: General Principles
• Section 5 of the FTC Act: deceptive or unfair practices are illegal
• Promises to keep consumers’ information secure must be truthful
• When security measures are inadequate, those promises are deceptive
• Failure to take reasonable security precautions may also be unfair

Security Procedures Must Be Appropriate In The Circumstances
• Inadvertent release of sensitive personal information due to inadequate security procedures – Eli Lilly
• Our analysis: were there reasonable procedures in light of the sensitivity of the information to prevent such breaches?
• What constitutes reasonable and appropriate procedures is linked directly to the sensitivity of the information collected by the company

Law Violations Without a Known Breach
• Companies Cannot Simply Wait for a Breach to Occur
• Must Take Reasonable Steps to Guard Against Reasonably Anticipated Vulnerabilities
• Breach or No Breach is not Determinative -- Microsoft

Assessing Risks and Vulnerabilities
• Security is a process
• Information security program assesses reasonable and foreseeable risks and threats
• Must assess and adjust to new technologies, new threats: Guess.com

Creating Vulnerabilities
• Making sure that you do not create vulnerabilities
• A system upgrade introduced a security vulnerability that allowed web users to access order history records and to view certain personal information: Tower

Notice
• Case-by-case determination of when appropriate
• Sensitivity of information breached
• Other parties besides consumers may be in the best position to reduce harm

Spam
• Three-pronged approach
  • Research
  • Targeted Law Enforcement
  • Education

Spam Research: False Claims in Spam Study (April 2003)
• Two-thirds of spam appears to be deceptive on its face, and likely violates the FTC Act
• Much of the rest is pornography or offers for illegal products or services
• Only 16.5% of the spam did not sell an illegitimate product or service.

Spam Research: False Claims in Spam Study
• Most spam is not from large companies
• Random sample of 114 pieces of spam:
  • None was sent by a Fortune 500 company
  • Only one was sent by a Fortune 1000 company
• 95% confident that less than 5% of the 11.6 million pieces of spam in our database came from Fortune 1000 companies.

Spam Law Enforcement
• Targeted Law Enforcement
• 62 cases addressing deceptive spam
• Our spam database receives over 250,000 pieces of spam daily
• Challenges presented by enforcement

CAN-SPAM Cases
• Phoenix Avatar, et al.
  • Alleged violations of the FTC Act and of CAN-SPAM
  • Cooperation with DOJ led to a criminal indictment against all defendants
• Global Web Promotions, et al.
  • Alleged violations of the FTC Act and of CAN-SPAM
  • Defendants located in Australia and New Zealand

CAN-SPAM Rules and Reports
• Additional rules interpreting certain CAN-SPAM provisions
• Studies
  • Do-Not-Email Registry
  • Special labeling of sexually explicit spam
  • Labeling of all spam
  • Bounty system to promote enforcement
• Report to Congress due in 2 years

Spam Education
• Open Relay Project: Our first international effort to identify insecure mail servers
• Operation Secure Your Server: Worldwide effort to close spammers’ access to anonymity

Top Priorities
• Do Not Call Enforcement
• FCRA
• Information Security
• Spam

Federal Trade Commission
For the Consumer
1-877-FTC-HELP
www.ftc.gov