Submitted June 15, 2004, to:
Federal Trade Commission
Office of the Secretary, Room H-159 (Annex H)
600 Pennsylvania Avenue, N.W.
Washington, D.C. 20580
Filed electronically: www.regulations.gov
By six California consumer advocacy organizations:
Consumer Federation of California
Identity Theft Resource Center
Privacy Rights Clearinghouse
World Privacy Forum
RE: Comments on the FACTA Disposal Rule, R-411007
To the Commission:
The Privacy Rights Clearinghouse (PRC)1 appreciates the opportunity to comment on the Federal Trade Commission's ("FTC" or "Commission") proposed regulations to implement §216 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA §216, which adds §628 (15 U.S.C. 1681w) to the Fair Credit Reporting Act (FCRA), requires the FTC, along with the federal financial regulators, to adopt regulations on the proper disposal of consumer records. Congress directed that final regulations be implemented not later than one year after enactment of FACTA.
Joining the Privacy Rights Clearinghouse in submitting these comments are the following California nonprofit consumer advocacy organizations:
Consumer Federation of California
Identity Theft Resource Center
World Privacy Forum
Publishing the proposal at this time indicates that the Commission recognizes the crucial role proper document destruction plays in combating consumer fraud, particularly identity theft. We trust this means the Disposal Rule will take effect well before Congress' one-year deadline. We note, in addition, that we fully support and incorporate by reference the comments and suggested language changes submitted on May 24, 2004, by Consumers Union, U.S. PIRG, and Consumer Federation of America (CU Comments). We submit the following on specific aspects of the Disposal Rule.
- Costs and Benefits
- Consumer Information
- Meaning of "Disposal"
- Entities Covered by the Disposal Rule
- Service Providers
- Need for Consumer Education and Business Guidance
By enacting §216 requiring proper destruction of consumer information, Congress has given the public one of the strongest tools yet in combating the growing crime of identity theft. It is now up to the Commission and the financial regulators to carry out Congress' intent by adopting strong regulations to ensure identity theft is no longer fed by careless and irresponsible disposal of confidential consumer data.
We note that the proposed Rule covers a wide range of activities, including consumer reporting agencies, users of consumer reports, and service providers. Regrettably, the Rule does not extend to the first link in the chain: the furnishers of consumer information to consumer reporting agencies. Even without the authority to include furnishers, some of which may be covered by the Safeguards Rule, 16 CFR Part 314, the Commission has indicated its intent to impose proper disposal requirements on a great many entities that until now have been under no obligation to consider the consequences of irresponsible information handling.
2. Costs and Benefits
Proper destruction of confidential consumer data makes good economic sense, both for consumers and for business. By the Commission's own account, business and financial institutions lost $47.6 billion to identity theft in 2002 alone, and victims of identity theft paid $5 billion in out-of-pocket expenses (www.ftc.gov/os/2003/09/synovatereport.pdf).
These numbers make it readily apparent that the cost of identity theft is very high and rising daily. The cost of record destruction, on the other hand, is falling. Many professional disposal companies have sprung up, so that even the smallest entity should now be able to afford the services of a reputable disposal service.
Furthermore, as the national repository of identity theft complaints, the Commission itself has a unique perspective on the costs and burdens experienced by victims. In adopting final rules, the Commission should weigh this first-hand knowledge against claims by commenters on the burden of complying with the rule.
3. Consumer Information
The Disposal Rule, as proposed, defines "consumer information" as any record about an individual, in any form, including information that is derived from a consumer report. The proposal goes on to say that information that is "derived from consumer reports but that does not identify any particular consumer would not be covered under the proposed Rule."
The final Rule should acknowledge that information that identifies an individual is not limited to the consumer's name. The CU Comments give a good example of the Social Security Number as identifying information that should not be excluded from the definition of "consumer information."
Another example would be a list of consumer telephone numbers. Although generally included in the category of publicly available information, a telephone number itself may be the key to identifying a consumer. There are now many Internet sites where entering a telephone number will readily reveal an address and even a map to the consumer's door. With the telephone number and address in hand, it is a short step to tying them to property records or other databases that reveal the consumer's name and much more.
In adopting the final Rule, the Commission must be ever mindful of the resourcefulness of criminals to combine bits and pieces of personal information from several sources to create a consumer profile adequate to assume that consumer's identity. As the growing number of victims indicates, and as some identity thieves themselves often readily admit, assuming another's identity for fraudulent purposes is not a difficult task. The crime is made all the easier by the vast array of Internet databases that allow thieves to quickly assemble a consumer's profile. And, a telephone number may be the only bit of information a criminal needs to get started.
A further example is one's electronic mail address. More and more, an individual's e-mail address is being used as a key identifier linking identities across multiple points of information. As individuals obtain their own domain names and use e-mail addresses attached to those domains, anyone can look up the domain and, in many cases, obtain the individual's street address. Until Whois registration data is no longer published, which is unlikely, this will remain a persistent problem.
For the sake of entities covered by the Disposal Rule, we suggest the Commission's final Rule give examples of information from a consumer report that does not identify a consumer and thus would not be subject to the Rule.
4. Meaning of "Disposal"
The PRC supports the Commission's definition of "disposing" or "disposal" to include "the discarding or abandonment of consumer information, as well as the sale, donation, or transfer of any medium, including computer equipment, upon which information is stored." In addition, we support the suggested language change supplied by the CU Comments.
We are concerned, however, about the Commission's reference in the Introduction Section to information being "redacted." In this section the Commission states:
"The purpose of this section is to prevent unauthorized disclosure of consumer information and to reduce the risk of fraud or related crimes, including identity theft, by ensuring that records containing sensitive financial or personal information are appropriately redacted or destroyed before being discarded." [emphasis added]
Typically, redaction means sanitizing a paper record by blacking out, taping over, or cutting away certain portions of it. In the end, some portion of the record is still accessible. Redaction is not only time-consuming; it is also the process most likely to allow sensitive information to be inadvertently disclosed.
We can find nothing in the subsequent sections of the proposal to indicate that redaction is an appropriate means of compliance with the Disposal Rule. We do not believe such a procedure is adequate to protect against unauthorized access to or use of consumer information. Rather, to meet the objectives of Congress' intent, the examples of "reasonable measures" for paper records in proposed rule §682.3(b) should remain limited to "burning, pulverizing, or shredding."
From the remainder of the proposal, we do not believe the Commission intended to suggest that an entity covered by the Disposal Rule could properly dispose of consumer information in paper format by simply redacting certain portions. This should be clarified in the final version of the rule to specifically state that redaction is not a "reasonable measure."
The final Rule should be clear that "disposal" means to destroy or obliterate a record in such a manner as to render the information incapable of being reconstructed or the document being reassembled. We understand the broad scope of coverage of the Disposal Rule and the fact that the Commission seeks to adopt a rule that would be flexible enough to meet the needs of entities large and small. We understand the Commission's reluctance to adopt specific types of disposal systems. However, the rule could remain flexible while at the same time requiring that whatever system is used is one that normally renders a document permanently unreadable.
The Commission must also factor in the ever-increasing sophistication and technological savvy of the new breed of identity thieves. Identity theft is no longer a crime of opportunity for a small-time criminal acting alone who, for example, snatches a purse or helps himself to an unattended wallet. Rather, identity theft is today more likely than not to result from a well-oiled criminal enterprise, quite capable of reconstructing haphazardly shredded or irresponsibly discarded records maintained in any format.
5. Entities Covered By the Disposal Rule
The proposed regulations apply to consumer reporting agencies (CRAs), resellers, and generally "users" of consumer reports, as well as companies engaged in service activities such as records management or waste disposal. The proposal identifies these as examples of entities that "maintain or otherwise possess consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose." (FCRA §628)
The proposal states that the Commission considers a "business purpose" to be broader than a "permissible purpose" as set out in §604 of the FCRA. If so, a "business purpose" should include any user of a consumer report, even a user that obtains a report "in accordance with the written instructions of the consumer to whom it relates." Furnishing a consumer report in accordance with the written instructions of the consumer to whom it relates is a "permissible purpose" under §604(a)(2) of the FCRA. To illustrate the need to view coverage of the Disposal Rule even more broadly than the Commission has proposed, we give the following examples.
Example 1. A community association has a stated purpose of providing after-school activities and local field trips for the neighborhood children. Other than being joined in a common interest, this association has no "official" status. The association is recruiting for a number of volunteer positions. One of the positions is for Association Treasurer, which involves handling money raised for the group through bake sales, car washes, and pet sitting. The other volunteer positions involve daily contact with the children. The association wants to run a credit check on the applicant for the treasurer job, and a criminal background check on all volunteers who will work with the children. Since the association does not have an identified "permissible purpose," a consumer reporting agency may not furnish a consumer report directly to the association. Instead, because the association requires the report, the consumer gives "written instructions" to the consumer reporting agency to furnish reports to the association.
Example 2. A community youth sports organization is recruiting for volunteer coaches. The organization requires all coaches to submit to a criminal background check. In addition, the organization's treasurer is asked to submit to a credit check. The background checks are conducted in accordance with the written instructions of the consumer.
An organization's requirement for a background check is perfectly understandable, especially when the subject works with children. However, the need for proper destruction of the information is as great in these instances as it is for reports collected for employment, insurance or credit purposes.
In the above examples the organization becomes the "user" of a consumer report and should be subject to the requirements of the "Disposal Rule" just like any other user. Although not considered a "business purpose" in the commercial sense, the organizations described in the above examples are using consumer reports to carry out the business of the organization. From the Commission's inclusion of "government" in the types of users subject to the Disposal Rule, we do not believe the Commission intended "business purpose" to be strictly limited to an entity that uses consumer reports in connection with a commercial activity. Thus, we believe the Commission should include in the final rule a statement that all "users" of consumer reports are subject to the Disposal Rule.
We at the PRC believe the uses of consumer reports in situations described above are becoming more common. Again, the reasons for such checks are quite valid in today's society. From our direct contact with consumers through our telephone hotline and online inquiry form, we have learned that consumer reports are being required for a wide array of purposes for which the individual would have to consent as a condition of involvement in the activity. Generally, the individuals who contact us are concerned about the threat of identity theft because it appears to them that documents containing sensitive personal information are not properly safeguarded from illegitimate access and are not properly destroyed when no longer needed. Some individuals have told us that they have declined to participate in community activities because of such concerns.
At the same time, we have heard some "horror stories" about sloppy information handling practices by organizations that require volunteers to supply a consumer report. In one such instance, an organization official kept the accumulated consumer reports in the trunk of his car. In another instance, files were kept in the home of one of the volunteers. Although these "horror stories" might be said to involve "security" of information rather than disposal, it does not take a great leap of the imagination to see that documents kept in such a manner would not be destined for proper disposal.
Indeed, consumer reporting agencies long in the business of performing background checks for employment purposes are now adopting programs specifically geared to background checks for volunteers.
6. Service Providers
The proposed Disposal Rule applies not only to entities that own and use consumer information, but also to companies that provide such services as waste disposal and storage. Service providers under the Disposal Rule may or may not be covered by the Safeguards Rule adopted by the Commission to comply with the Gramm-Leach-Bliley Act (GLBA) (15 U.S.C. §§ 6801-6809).
The Disposal Rule, as proposed, requires entities covered by the rule to take "reasonable measures" to protect against unauthorized access to or use of information in connection with disposal. Examples of "reasonable measures" in retaining a disposal company would include due diligence, reference checking, certification by a recognized trade association, an independent audit, and a written contract. Given the highly sensitive nature of information included in and derived from consumer reports, we believe the examples should be mandatory rather than discretionary.
In particular, all service provider contracts should be in writing and the owner of the consumer information should be required to document all efforts at due diligence such as audits and reference checks and verification of membership in a recognized trade association. In addition, the written contract should specify that all employees of the service provider who have direct contact with materials subject to the Disposal Rule will undergo background checks.
The Disposal Rule should also specify that written contracts identify the service provider's practices regarding the outsourcing of all or some of its functions. If the service provider contracts with a third party to perform certain functions, the Disposal Rule should apply to the third party as it would to the service provider. Under the Safeguards Rule, a service provider is limited to a person or entity that provides services directly to a financial institution (16 CFR §314.2(d)).
As the Commission noted in May 2002, when it adopted the Safeguards Rule, companies increasingly rely on third parties to support core functions (67 FR 36490). Since that time, use of third-party vendors, or "outsourcing," has become a major public policy issue. The topic of outsourcing is particularly explosive when it comes to the use of third parties and the transfer of sensitive financial and medical information.
Accordingly, the final rule should specifically state that the provisions apply not just to the service provider itself, but to any third-party engaged to perform some or all of the service provider's functions. Recognizing the need for sound disposal procedures to thwart the growing crime of identity theft, we believe Congress intended a broad application to include all players along the path to document destruction.
7. Need for Consumer Education and Business Guidance
The Disposal Rule, as proposed, covers a wide array of entities that compile and use consumer data. Once finalized, the Rule will impose records disposal requirements on entities that before had no reason to consider the consequences of irresponsible information handling practices.
We appreciate the Commission's concern that small entities, in particular, not be unnecessarily burdened by the Rule. However, the threat of identity theft from poor disposal practices is equally great regardless of the size of the entity that maintains the information. The Commission apparently recognizes this fact in saying "any company, regardless of industry or size, that obtains consumer reports for a business purpose would be subject to the proposed Rule." This is consistent with Congress' intent that disposal requirements be imposed on any entity that uses or compiles consumer reports.
As an example of the extent of coverage of the Disposal Rule, the Commission states that "any employer, regardless of industry or size, that obtains a consumer report (whether a full credit report or a pre-employment background check of public records) would be subject to the proposed Rule." We believe the Commission is correct in identifying its intent to give the Disposal Rule broad-based application.
This interpretation potentially impacts nearly every employer in the country, since recent surveys report nearly 80% of employers now obtain pre-employment criminal background checks. We strongly recommend that the Commission take an aggressive stance to make sure employers and others covered by the Rule understand and comply with the Disposal Rule.
We believe this broad coverage is appropriate, but we are concerned about practical compliance with the Rule. Indeed, some very small entities may not be aware of the requirement to adopt disposal procedures. We suggest the Commission undertake an education program and publish guidance for consumer reporting agencies, resellers, and users of consumer reports.
In addition, to ensure as wide an application as possible for compliance, the Commission should include a provision in the Disposal Rule requiring any consumer reporting agency or a reseller that furnishes a consumer report to give the user specific notice of its obligation to comply with the Disposal Rule. We believe the Commission has authority under §216 of FACTA to impose such a requirement on consumer reporting agencies and resellers.
A specific notice to users should not present an undue burden and may be added along with other notices required to be given to users. The notice may simply give a summary of the user's obligations and direct the user to the Commission's web site for further information.
Again, we appreciate the opportunity to comment on the Disposal Rule.
Beth Givens, Director
Tena Friery, Research Director
Privacy Rights Clearinghouse
3100 5th Ave., Suite B
San Diego, CA 92103
Ken McEldowney, Executive Director
717 Market St., Suite 310
San Francisco, CA 94103
Richard Holober, Executive Director
Consumer Federation of California
P.O. Box 981
Millbrae, CA 94030
Linda Foley and Jay Foley, Co-Executive Directors
Identity Theft Resource Center
P.O. Box 26833
San Diego, CA 92196
Deborah Pierce, Executive Director
452 Shotwell St.
San Francisco, CA 94110
Pam Dixon, Executive Director
World Privacy Forum
2033 San Elijo Ave. No. 402
Cardiff by the Sea, CA 92007
1 The Privacy Rights Clearinghouse is a nonprofit consumer education and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy, medical privacy and identity theft, through a series of fact sheets as well as individual counseling available via telephone and e-mail. It represents consumers' interests in legislative and regulatory proceedings on the state and federal levels. www.privacyrights.org