Submitted to FDIC and financial regulatory agencies, July 22, 2004
Robert E. Feldman, Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
by E-mail: Comments@FDIC.gov
By the following privacy and consumer organizations:
Calegislation
CALPIRG
Consumer Action
Consumers Union
Electronic Privacy Information Center
Identity Theft Resource Center
Privacy Rights Clearinghouse
U.S. PIRG
RE: Comments to FACTA Disposal Rule - RIN 3064-AC77
Dear Mr. Feldman:
The Privacy Rights Clearinghouse (PRC) and the above-listed nonprofit consumer advocacy organizations appreciate the opportunity to comment on the Federal Deposit Insurance Corporation's (FDIC) proposal to implement §216 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). (Organization descriptions are at the end of this document.)
FACTA §216, which adds §628 (15 U.S.C. 1681w) to the Fair Credit Reporting Act (FCRA), requires the federal banking agencies, the National Credit Union Administration (NCUA), and the Federal Trade Commission (FTC) to adopt regulations about proper disposal of consumer information. Congress directed that final regulations be implemented not later than one year after enactment of FACTA. As discussed below, the organizations here representing consumer interests consider the Agencies' proposal to be weak and inadequate to meet Congress' intended purpose of preventing identity theft and other fraud.
The Agencies propose to implement §216 of FACTA by amending the Interagency Guidelines for Safeguarding Customer Information (Guidelines) published pursuant to the Gramm-Leach-Bliley Act (GLBA) (Pub. L.106-102). When amended, the Guidelines would require financial institutions to adopt measures to properly dispose of consumer information. We submit the following on specific aspects of the Agencies' proposed Disposal Rule. (Agencies consist of the FDIC, the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Board), and Office of Thrift Supervision (OTS).)
- A. Introduction
- B. Consumer Information
- C. Flagging Consumer Information
- D. Proper Disposal
- E. Proposed Implementation Schedule
- F. Service Providers
A. Introduction
Identity theft is often called the fastest growing crime in America. Only recently have the public and the government begun to realize the full economic and personal toll of identity theft. A widely reported FTC study released in September 2003 found that nearly 10 million Americans were the victims of identity theft in the previous year alone. The FTC found that U.S. business lost 47 billion dollars while consumers lost 5 billion from identity theft. As striking as they are, these figures quite likely represent only the tip of the iceberg, since many instances of identity theft may go unreported. (www.ftc.gov/os/2003/09/synovatereport.pdf)
Irresponsible handling of sensitive consumer data has long been cited as a contributing factor to identity theft. A practice known as "dumpster diving" is often claimed by thieves themselves as the source of the data that allowed them to commit the crime. Sensitive data discarded by a financial institution provides a prime opportunity for a crook to access another's personal data.
By enacting §216 requiring proper disposal of consumer information, Congress has given the public one of the strongest tools yet in combating the growing crime of identity theft. It is now up to the financial regulators and the FTC to carry out Congress' intent by adopting strong regulations to ensure identity theft is no longer fed by careless and irresponsible disposal of confidential consumer data.
For 12 years, the PRC has worked directly with identity theft victims. We, along with the other consumer organizations submitting these comments, have seen the devastation from this crime. We have learned of many instances where identity theft could have been prevented by strong disposal standards imposed on business for documents and electronic records. We are concerned that the Agencies' proposal to modify existing guidelines, rather than issue strict requirements dictated by regulation, will not have the preventive effect Congress intended by adopting §216.
Unlike the existing guidelines for disposal of "customer" data adopted pursuant to the undefined security provisions of GLBA, FACTA §216 has the stated objective of preventing identity theft. Moreover, §216 specifically requires the Agencies to adopt:
"...regulations requiring any person that maintains or otherwise possesses consumer information or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation." (FACTA §216)
Although the Guidelines, which include a guideline for proper disposal of "customer" data, have been in effect since February of 2001, this has obviously not had a deterrent effect on identity theft. The number of victims and financial losses continue to rise. Had Congress not intended a strong standard for disposal, it would not have adopted §216. We urge the Agencies to do more.
B. Consumer Information
The Disposal Rule, as proposed, defines "consumer information" as any record about an individual, in any form, including information that is derived from a consumer report. To fully encompass the scope of information included in §216, the Agencies should revise this definition to say "any record containing personally identifying information about an individual."
The Agencies have qualified the definition of "consumer information" by stating that information "derived from consumer reports but that does not identify any particular consumer would not be covered under the proposal." (Guidelines proposed §C.2.a.)
In adopting the final Rule, the Agencies must recognize that an individual's identity is not necessarily limited to just the individual's name. The Agencies should be clear, for example, that the Social Security number (SSN) is identifying information. A list of SSNs, with nothing more, is sufficient data to allow a thief to open a new credit account, or start the process of assembling a consumer's identity for any number of illegal activities.
Another example would be a list of consumer telephone numbers. Although generally included in the category of publicly available information, a telephone number itself may be the key to identifying a consumer and opening a door to stalking and harassment. There are now many Internet sites where entering a telephone number will readily reveal an address and even a map to the consumer's door. With the telephone number and address in hand, it is a short step to tying that telephone number and address to property records or other databases that reveal the consumer's name and much more.
In adopting the final Rule, the Agencies must be ever mindful of the resourcefulness of criminals in combining bits and pieces of personal information from several sources to create a consumer profile adequate to assume that consumer's identity. This information may also be purchased, provided the purchaser has a limited amount of identifying information. As the growing number of victims indicates, and as some identity thieves themselves often readily admit, assuming another's identity for fraudulent purposes is not a difficult task. The crime is made all the easier by the vast array of Internet databases that allow thieves to quickly assemble a consumer's profile. And a telephone number may be the only bit of information a criminal needs to get started.
A further example is one's electronic mail address. More and more, an individual's e-mail address is being used as a key identifier linking identities across multiple points of information. As individuals are getting their own domain names and using e-mail addresses attached to their domains, anyone can look up the domain and obtain an individual's street address in many cases. Until the WhoIs registration data is no longer published, which is not likely, this will continue to be a persistent problem.
For the sake of financial institutions covered by the Agencies' proposal, we suggest the Agencies' final Rule give financial institutions examples of information from a consumer report or derived from a consumer report that does not identify a consumer and thus would not be subject to the Guidelines.
The Agencies also seek comment on the proposed definition of "consumer information" that includes the qualification that the information is "for a business purpose." The Agencies interpret the phrase "for a business purpose" to encompass any commercial purpose for which a financial institution might maintain or possess "consumer information."
The Agencies should clarify that a "business purpose" is not limited to consumer report information received solely to obtain credit or assess a consumer's continuing eligibility to meet the terms of an existing account. The Agencies should recognize that consumer report information may be obtained through an employment background check for a current or prospective employee.
Financial institutions may also receive consumer report information from a consumer reporting agency that tracks consumers' use of checking accounts. Thus, the Agencies should be clear that "consumer information" includes information included in or derived from any "consumer report," not just a credit report obtained from a credit reporting agency.
C. Flagging Consumer Information
It is clear from §216 that Congress recognized the role proper document disposal plays in preventing identity theft. Congress recognized, in addition, that the sensitive information included in consumer reports and information derived from consumer reports provides the only information a thief needs to access existing accounts or set up new accounts in the victim's name. To fully implement the preventive measures adopted by Congress, consumer report data as well as data derived from a consumer report must be flagged for proper disposal in the records of the financial institution.
The need to properly flag and track information subject to this rule is crucial in ensuring compliance. Information obtained in a consumer report originally obtained by a financial institution in response to a consumer's loan application may subsequently flow to other entities and be used in any number of ways. As the Agencies recognize, information may be manipulated and combined with other information or may be shared among affiliates.
Information may also be sent to a records storage facility and later on to an information disposal facility, either directly from the financial institution or through a storage facility. Information may also be shared with any number of service providers that perform billing, auditing, customer service, check printing and a range of other support activities.
For the Disposal Rule to have the intended effect, information should be clearly flagged by the financial institution as it is received from a consumer reporting agency, reseller, affiliate, the consumer, or a third party. If the Agencies find it too burdensome for financial institutions to flag all existing "consumer information," then at a minimum this requirement should be imposed for all new information received after the effective date of the Disposal Rule.
D. Proper Disposal
To effect the disposal requirements of FACTA §216, the Agencies propose to amend the Guidelines to require financial institutions to modify existing security measures. The Agencies have declined to adopt a prescriptive rule to describe proper methods of disposal or to define what is meant by "proper disposal." The Agencies seek comment on whether the use of the phrase "proper disposal" is sufficiently clear.
The Agencies' proposal to implement FACTA §216 by amending the existing Guidelines falls far short of standards needed to have an impact on identity theft. The Guidelines, now in effect for a number of years, already require financial institutions to properly dispose of customer data. This vague standard has apparently had no effect on the crime of identity theft as the numbers of victims continue to rise.
The Agencies should define the term "proper disposal" with examples of procedures that would meet the definition of "proper disposal" for data maintained in paper as well as electronic form. The Agencies should also adopt strict standards so that financial institutions are not left to speculate about what the Agencies consider "proper disposal." As a minimum, the Agencies should be clear that "proper disposal" means a method of disposal that would render the information unreadable and incapable of being reconstructed. For paper records, the Agencies should clearly state that use of a cross-cut shredder or burning of documents are acceptable methods of disposal.
The Agencies should also follow the lead of the FTC and include in the definition of "disposal":
- The discarding or abandonment of consumer information, and
- The sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored. (FTC Proposal to amend 16 CFR 682.1(c))
In addition, the interagency guidance issued through the Federal Financial Institutions Examination Council (FFIEC) should be adopted as requirements rather than guidelines. The guidelines for disposal included in the FFIEC IT Examination Handbook are fundamental to carrying out Congress' intent in adopting §216. For example, employees should always be prohibited from discarding sensitive media along with regular garbage. We also encourage the Agencies to adopt the FFIEC Handbook guideline that adequate employee background checks be required. This requirement should apply not just to employees of vendors, as the Handbook suggests, but rather to all individuals whose work entails handling sensitive personal information.
Given the staggering amount in economic loss that has resulted from identity theft in recent years, it makes good sense, for business and for consumers, for the Agencies to adopt strong standards for proper disposal of sensitive data. Great emphasis has been placed on giving consumers tips on steps to protect personal information against identity theft and other fraud. However, no matter how cautious a consumer is about guarding personal information, these efforts will be of little use if consumers cannot have confidence that personal information will be properly handled by institutions.
Existing versions of the Guidelines, adopted pursuant to GLBA, included disposal as a subordinate factor in a financial institution's overall security program. Now, with the passage of FACTA §216, proper disposal has become a major, independent factor in preventing identity theft and other fraud. We believe this change in focus on proper disposal requires the Agencies to adopt strong prescriptive measures for financial institutions.
E. Proposed Implementation Schedule
The Agencies propose to require each financial institution to implement proper disposal for "consumer information" within three months after the final regulation is published. In proposing the three-month compliance date, the Agencies state that any changes to an institution's existing information security program to accommodate "consumer information" will likely be minimal.
Given the scope of the Agencies' proposal, we agree that changes to the financial institution's program will be minimal. We do not agree, however, that three months is needed to effect these changes. Financial institutions have been on notice for over six months, since FACTA was signed by the President in December 2003, that proper disposal will be required for consumer report data.
The Agencies' proposed changes to the Guidelines, as far as we can determine, place no additional burdens on financial institutions to adopt new programs, hire new staff, or engage more thorough service providers. The thrust of the Agencies' proposal seems to be business as usual for financial institutions with only the requirement that information identified as "consumer information" be included in existing disposal plans already established for "customer information."
Assuming the final Disposal Rule is effective one year after enactment of FACTA, as required by the statute, financial institutions will have, under the Agencies' proposal, three additional months to carry out the minimal changes required by the Agencies' proposal. This means that measures would not even be in effect until March of 2005. This is an unnecessary delay in implementation, while the number of identity theft victims continues to mount.
We have even greater concerns about the Agencies' proposal to allow financial institutions one year after publication of the final Disposal Rule to modify existing contracts with service providers. This means (assuming again that the final regulations will be effective in December 2004) that financial institutions will have until the end of 2005 to modify service provider contracts.
More likely than not, disposal will be accomplished by a service provider and not by the financial institution itself. Disposal may also be accomplished by a disposal company retained by a service provider of the financial institution. As consumer information travels outside the institution's own files and from one service provider to another, the risk of inappropriate or fraudulent use of that information increases. It is thus crucial that financial institutions amend service provider contracts, where needed, within a more reasonable period of time. If the Agencies continue to allow financial institutions three months to implement proper disposal for "consumer information," they should also require that the institution's service provider contracts be modified by that time.
Given the minimal changes the Agencies have imposed on financial institutions for disposal, there seems to be nothing substantial, under this proposal, that would have to be modified in a service provider agreement. Disposal is already a part of the Guidelines for the category of information defined as "customer" data. A delay of two years for effective implementation of §216 is an excessive amount of time for consumers to wait for reasonable disposal of their personal information.
F. Service Providers
The Agencies have proposed to add a new section of the Guidelines to require service providers by contract to implement appropriate measures designed to meet the objectives of the Guidelines. The Agencies further state that this requirement applies to both domestic and foreign-based service providers. We believe the Agencies are correct in requiring proper disposal to be included in service provider contracts.
The Agencies should also amend the Guidelines to apply to all service providers and not just those that provide services directly to the financial institution. This limitation was imposed when the Agencies adopted the joint Guidelines in February 2001. The joint release states:
"A financial institution will be responsible under the final Guidelines for overseeing its service provider arrangements only when the service is provided directly to the financial institution. The Agencies clarified this point by amending the definition of 'service provider' in the final Guidelines to state that it applies only to a person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the financial institution." [emphasis added]
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001_register&docid=01-1114-filed
This exclusion does not provide adequate assurance that consumer information will receive "proper disposal" as required by §216. If a financial institution contracts some of its functions out, the financial institution should also be responsible for ensuring that any further disclosure to yet another service provider will also be subject to strict disposal standards. Such requirements should be included in contracts entered into between the financial institution and its first-line service provider.
We appreciate the opportunity to comment on the Agencies' proposal to implement the FACTA Disposal Rule. We again urge the Agencies to adopt stronger standards for the proper disposal of all data that includes sensitive personal information. These standards should apply to the financial institution and any service providers that possess information through the disposal process.
Sincerely,
Beth Givens, Director
Tena Friery, Research Director
Privacy Rights Clearinghouse
3100 5th Ave., Suite B
San Diego, CA 92103
AND
Dian Black, Director
Calegislation
P.O. Box 1198 No. 1127
Sacramento, CA 95812
Jennette Gayer, Consumer Advocate
CALPIRG
3435 Wilshire Blvd., Suite 380
Los Angeles, CA 90010
Ken McEldowney, Executive Director
Consumer Action
717 Market St., Suite 310
San Francisco, CA 94103
Gail Hillebrand, Senior Attorney
Consumers Union
1535 Mission St.
San Francisco, CA 94103
Chris Hoofnagle, Associate Director
Electronic Privacy Information Center
1718 Connecticut Ave., N.W.
Washington, D.C. 20009
Linda Foley and Jay Foley, Co-Executive Directors
Identity Theft Resource Center
P.O. Box 26833
San Diego, CA 92196
Ed Mierzwinski, Consumer Program Director
U.S. PIRG
218 D St., S.E.
Washington, D.C. 20003
Organization descriptions:
The Privacy Rights Clearinghouse is a nonprofit consumer information and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy. It represents consumers' interests in legislative and regulatory proceedings on the state and federal levels. www.privacyrights.org
Calegislation is a resource center that provides consumer privacy information with a focus on public safety. Based in San Diego, the center provides educational information to consumers, legislators, and governmental agencies and is part of a national information sharing network of domestic violence advocates.
CALPIRG is a 30-year-old statewide non-profit and non-partisan membership organization that stands up for California consumers. www.calpirg.org
Consumer Action is a non-profit consumer education and advocacy organization serving consumers since 1971. It provides consumers with information and education on matters of telecommunications, privacy, predatory lending and banking/credit issues through its national network of 7,000 community-based organizations. Consumer Action advocates at the state and federal legislative levels for consumer rights in the policy areas of banking and credit, product safety, privacy and identity theft and other issues affecting the quality of life of California consumers. www.consumer-action.org
Consumers Union is a nonprofit membership organization chartered in 1936 under the laws of the State of New York to provide consumers with information, education, and counsel about goods, services, health and personal finance; and to initiate and cooperate with individual and group efforts to maintain and enhance the quality of life for consumers. Consumers Union has actively supported a wide variety of state consumer protection laws, including in the areas of credit, finance, and disclosure, including identity theft prevention laws and anti-predatory lending laws. www.consumer.org
The Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. www.epic.org
The Identity Theft Resource Center is a national nonprofit organization that focuses exclusively on identity theft. It was established in 1999. ITRC's mission is to research, analyze and distribute information about the growing crime of identity theft. It serves as a resource and advisory center of identity theft information for consumers, victims, law enforcement, the business and financial sectors, legislators, media and governmental agencies. www.idtheftcenter.org
U.S. Public Interest Research Group (U.S. PIRG) serves as the national lobbying office for state Public Interest Research Groups. PIRGs are non-profit, non-partisan public interest advocacy organizations with members around the country. www.uspirg.org