Comments on the FACT Act Document Disposal Rule Submitted to the National Credit Union Administration

Posted: July 12, 2004

By Privacy Rights Clearinghouse
and
Calegislation
Consumer Action
Consumers Union
Electronic Privacy Information Center
Identity Theft Resource Center
U.S. PIRG






July 12, 2004
Becky Baker, Secretary
National Credit Union Administration (NCUA)
1775 Duke Street
Alexandria, VA 22314-3428
By E-mail: regcomments@ncua.gov

RE: Comments to FACT Act Disposal Rule

Dear Ms. Baker:

The Privacy Rights Clearinghouse (PRC) and the above-listed consumer organizations appreciate the opportunity to comment on the NCUA's proposal to implement §216 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA §216, which adds §628 (15 U.S.C. 1681w) to the Fair Credit Reporting Act (FCRA), requires the Federal Trade Commission (FTC), the federal banking agencies, and the NCUA to adopt regulations about proper disposal of consumer records.

Congress directed that final regulations be implemented not later than one year after enactment of FACTA. As discussed below, organizations here representing consumer interests consider the NCUA's proposal to be weak and inadequate to meet Congress' intended purpose of preventing identity theft and other fraud.

The NCUA proposes to implement §216 of FACTA by amending its fair credit reporting and security program rules and the NCUA Guidelines for Safeguarding Member Information. The NCUA's guidelines will apply to Federal Credit Unions (FCUs).

We submit the following on specific aspects of the Disposal Rule.

    A. Introduction
    B. Consumer Information
    C. Flagging Consumer Information
    D. Proper Disposal
    E. Proposed Implementation Schedule
    F. Service Providers

A.  Introduction

Identity theft is often called the fastest growing crime in America. Only recently have the public and the government begun to realize the full economic and personal toll of identity theft. A widely reported FTC study released in September 2003 found that nearly 10 million Americans were the victims of identity theft in the previous year alone. The FTC found that U.S. business lost 47 billion dollars while consumers lost 5 billion from identity theft. As striking as they are, these figures quite likely represent only the tip of the iceberg, since many instances of identity theft may go unreported. (www.ftc.gov/os/2003/09/synovatereport.pdf)

Irresponsible handling of sensitive consumer data has long been cited as a contributing factor to identity theft. A practice known as "dumpster diving" is often claimed by thieves themselves as the source of the data that allowed them to commit the crime. Sensitive data discarded by a credit union or other financial institution provides a prime opportunity for a crook to access another's personal data. By enacting §216 requiring proper disposal of consumer information, Congress has given the public one of the strongest tools yet in combating the growing crime of identity theft. It is now up to the financial regulators and the FTC to carry out Congress' intent by adopting strong regulations to ensure identity theft is no longer fed by careless and irresponsible disposal of confidential consumer data. For 12 years, the PRC has worked directly with identity theft victims. We along with other consumer organizations commenting here have seen the devastation from this crime first-hand. We have also learned of the many instances where identity theft could have been prevented by strong disposal standards imposed on business for documents and electronic records. We are concerned that the NCUA's proposal to modify existing guidelines rather than issue strict requirements dictated by regulation will not have the preventive effect Congress intended by adopting §216.

Unlike the existing guidelines for disposal of "customer" data adopted pursuant to the undefined security provisions of GLBA, FACTA §216 has the stated objective of preventing identity theft. Moreover, §216 specifically requires the NCUA and other federal agencies to adopt:

...regulations requiring any person that maintains or otherwise possesses consumer information or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation. (FACTA §216)

Although the Guidelines, which include a provision for proper disposal of "customer" data, have been in effect since February of 2001, this has obviously not been an effective deterrent on identity theft. The number of victims and financial losses continue to rise. We urge the NCUA to do more.

B.  Consumer Information

The Disposal Rule, as proposed, defines "consumer information" as any record about an individual, in any form, including information that is derived from a consumer report. To fully encompass the scope of information included in §216, the NCUA should revise this definition to say "...any record containing personally identifying information about an individual."

The NCUA has qualified the definition of "consumer information" by stating that information "derived from consumer reports but that does not identify any particular consumer would not be covered under the proposal." (Guidelines proposed §C.2.a.)

In adopting the final Rule, the NCUA must recognize that an individual's identity is not necessarily limited to just the individual's name. The NCUA should be clear, for example, that the Social Security number (SSN) is identifying information. A list of SSNs, with nothing more, is sufficient data to allow a thief to open a new credit account, or start the process of assembling a consumer's identity for any number of illegal activities.

Another example would be a list of consumer telephone numbers. Although generally included in the category of publicly available information, a telephone number itself may be the key to identifying a consumer and, moreover, opens the door to stalking and other harassment. There are now many Internet sites where entering a telephone number will readily reveal an address and even a map to the consumer's door. With the telephone number and address in hand, it is a short step to tying that telephone number and address to property records or other databases that reveal the consumer's name and much more.

In adopting the final Rule, the NCUA must be ever mindful of the resourcefulness of criminals to combine bits and pieces of personal information from several sources to create a consumer profile adequate to assume that consumer's identity. As the growing number of victims indicates, and as some identity thieves themselves often readily admit, assuming another's identity for fraudulent purposes is not a difficult task. The crime is made all the easier by the vast array of Internet databases that allow thieves to quickly assemble a consumer's profile. This information may also be purchased provided the purchaser has a limited amount of identifying information. And, a telephone number may be the only bit of information a criminal needs to get started.

A further example is one's electronic mail address. More and more, an individual's e-mail address is being used as a key identifier linking identities across multiple points of information. As individuals are getting their own domain names and using e-mail addresses attached to their domains, anyone can look up the domain and obtain an individual's street address in many cases. Until the WhoIs registration data is no longer published, which is not likely, this will continue to be a persistent problem.

The very nature of consumer report data creates a very narrow category of information that -- used alone or in combination with other data -- would not reveal a consumer's identity. We suggest the NCUA's final Rule give examples of information from a consumer report or derived from a consumer report that does not identify a consumer and thus would not be subject to the Guidelines. The proposal gives one example, a mean credit score, that is derived from a group of consumer reports but that would not identify individual consumers. Other examples are needed.

The NCUA also seeks comment on the proposed definition of "consumer information" that includes the qualification that the information is "for a business purpose." The NCUA interprets the phrase "for a business purpose" to encompass any commercial purpose for which an FCU might maintain or possess "consumer information."

The NCUA should clarify that a "business purpose" is not limited to consumer report information received solely to obtain credit or assess a consumer's continuing eligibility to meet the terms of an existing account. Rather, consumer report information may apply to information received from potential or current employees as well. The NCUA should recognize that consumer report information may be obtained through an employment background check for a current or prospective employee. FCUs and other financial institutions may also receive consumer report information from a consumer reporting agency that tracks consumers' use of checking accounts. Thus, the NCUA should be clear that "consumer information" includes information included in or derived from any "consumer report," not just a credit report obtained from a credit reporting agency.

C.  Flagging Consumer Information

It is clear from §216 that Congress recognized the role proper document disposal plays in preventing identity theft. Congress recognized, in addition, that the sensitive information included in consumer reports and information derived from consumer reports provides the only information a thief needs to access existing accounts or set up new accounts in the victim's name. To fully implement the preventive measures adopted by Congress, consumer report data as well as data derived from a consumer report must be flagged for proper disposal in the records of the FCU.

The need to properly flag and track information subject to this rule is crucial in ensuring compliance. Information in a consumer report originally obtained by an FCU or other financial institution in response to a consumer's loan application may subsequently flow to other entities and be used in any number of ways. Information may be manipulated and combined with other information, or may be shared among affiliates or disclosed to third-party non-affiliates, assuming the FCU shares information with outside entities and the consumer does not opt out.

Information may also be sent to a records storage facility and later on to an information disposal facility, either directly from the financial institution or through a storage facility. Information may also be shared with any number of service providers that perform billing, auditing, customer service, check printing and a range of other support activities.

For the Disposal Rule to have the intended effect, information should be clearly flagged by the FCU or other financial institution as it is received from a consumer reporting agency, reseller, affiliate, the consumer, or third-party. If the NCUA finds it too burdensome for FCUs to flag all existing "consumer information," as a minimum, this requirement should be made of all new information received after the effective date of the Disposal Rule.

D.  Proper Disposal

To effect the disposal requirements of FACTA §216, the NCUA proposes to amend the Guidelines to require financial institutions to modify existing security measures. The NCUA has declined to adopt a prescriptive rule to describe proper methods of disposal or to define what is meant by "proper disposal." The NCUA seeks comment on whether the use of the phrase "proper disposal" is sufficiently clear.

The NCUA's proposal to implement FACTA §216 by amending the existing Guidelines falls far short of standards needed to have an impact on identity theft. The Guidelines, now in effect for a number of years, already require FCUs and other financial institutions to properly dispose of customer data. This vague standard has apparently had little or no effect on the crime of identity theft as the numbers of victims continue to rise.

The NCUA should define the term "proper disposal" with examples of procedures that would meet the definition of "proper disposal" for data maintained in paper as well as electronic form. The NCUA should also adopt strict standards so that neither FCUs nor members/customers are left to speculate about what the NCUA considers "proper disposal." As a minimum, the NCUA should be clear that "proper disposal" means a method of disposal that would render the information unreadable and incapable of being reconstructed.

The NCUA should also follow the lead of the FTC and include in the definition of "disposal":

    1. the discarding or abandonment of consumer information, and
    2. the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored. (FTC Proposal to amend 16 CFR 682.1(c))

Given the staggering amount in economic loss that has resulted from identity theft in recent years, it makes good sense, for both business and for consumers, for the NCUA to adopt strong standards for proper disposal of sensitive data. Great emphasis has been placed on giving consumers tips on steps to protect personal information against identity theft and other fraud. However, no matter how cautious a consumer is about guarding personal information, these efforts will be of little use if consumers cannot have confidence that personal information will be properly handled by institutions.

Existing versions of the Guidelines, adopted pursuant to GLBA, include disposal as a subordinate factor in an FCU's overall security program. Now, with the passage of FACTA §216, proper disposal has become a major, independent factor in preventing identity theft and other fraud. We believe this change in focus on proper disposal requires the NCUA to adopt strong prescriptive measures for FCUs.

E.  Proposed Implementation Schedule

The NCUA proposes to require FCUs to implement proper disposal for "consumer information" within three months after the final regulation is published. In proposing the three-month compliance date, the NCUA states that any changes to an institution's existing information security program to accommodate "consumer information" will likely be minimal.

Given the scope of the NCUA's proposal, we agree that changes to the financial institution's program will be minimal. Indeed, this is our chief criticism of the proposed rule. We do not agree that three months is needed to effect these changes. FCUs have been on notice for over six months, since FACTA was signed by the President in December 2003, that proper disposal will be required for consumer report data.

The NCUA's proposed changes to the Guidelines, as far as we can determine, place no additional burdens on financial institutions to adopt new programs, hire new staff, or engage more thorough service providers. The thrust of the NCUA's proposal seems to be business as usual for FCUs, with only the requirement that information identified as "consumer information" be included in existing disposal plans already established for "customer information."

Assuming the final Disposal Rule is effective one year after enactment of FACTA, as required by the statute, FCUs will have, under the NCUA's proposal, three additional months to carry out the minimum changes required by the proposal. This means that measures would not even be in effect until March of 2005. This is an unnecessary delay in implementation, while the number of identity theft victims continues to mount.

We have even greater concerns about the NCUA's proposal to allow FCUs one year after publication of the final Disposal Rule to modify existing contracts with service providers. This means -- assuming again that the final regulations will be effective in December 2004 -- that FCUs will have until the end of 2005 to modify service provider contracts.

More likely than not, disposal will be accomplished by a service provider and not the financial institution itself. Disposal may also be accomplished by a disposal company retained by a service provider of the financial institution. As consumer information travels outside the institution's own files and from one service provider to another, the risk of inappropriate or fraudulent use of that information increases. It is thus crucial that financial institutions amend service provider contracts, where needed, within a more reasonable period of time. If the NCUA continues to allow FCUs three months to implement proper disposal for "consumer information," it should also require that the institution's service provider contracts be modified by this time. Indeed, many existing contracts, if properly drafted, may already require the provider to comply with existing law.

Given the minimum changes the NCUA has imposed on financial institutions for disposal, there seems to be nothing substantial under this proposal that would have to be modified in a service provider agreement. Disposal is already a part of the Guidelines for that category of information defined as "customer" data. A delay of two years for effective implementation of §216 is an excessive amount of time for consumers to expect reasonable disposal of their personal information.

F. Service Providers

The NCUA has proposed to add a new section of the Guidelines to require service providers by contract to implement appropriate measures designed to meet the objectives of the Guidelines.

The NCUA should also amend the Guidelines to apply to all service providers and not just those that provide services directly to the financial institution.

This exclusion does not provide adequate assurance that consumer information will receive "proper disposal" as required by §216. If a financial institution contracts some of its functions out, the financial institution should also be responsible to ensure that further disclosure to yet another service provider will be also subject to strict disposal standards. Such requirements should be included in contracts entered into between the financial institution and its first-line service provider.

We appreciate the opportunity to comment on the NCUA's proposal to implement the FACTA Disposal Rule. We again urge the NCUA to adopt stronger standards for the proper disposal of all data that includes sensitive personal information. These standards should apply to the financial institution and any service providers that possess information through the disposal process.

Sincerely,

Beth Givens, Director
Tena Friery, Research Director
Privacy Rights Clearinghouse
3100 5th Ave., Suite B
San Diego, CA 92103

AND

Dian Black, Director
Calegislation
P.O. Box 1198 No. 1127
Sacramento, CA 95812

Ken McEldowney, Executive Director
Consumer Action
717 Market St., Suite 310
San Francisco, CA 94103

Gail Hillebrand, Senior Attorney
Consumers Union
1535 Mission St.
San Francisco, CA 94103

Chris Hoofnagle, Associate Director
Electronic Privacy Information Center
1718 Connecticut Ave., N.W.
Washington, D.C. 20009

Linda Foley and Jay Foley, Co-Executive Directors
Identity Theft Resource Center
P.O. Box 26833
San Diego, CA 92196

Ed Mierzwinski, Consumer Program Director
U.S. PIRG
218 D St., S.E.
Washington, D.C. 20003

Organization descriptions:

The Privacy Rights Clearinghouse is a nonprofit consumer information and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy. It represents consumers' interests in legislative and regulatory proceedings on the state and federal levels. www.privacyrights.org

Calegislation is a resource center that provides consumer privacy information with a focus on public safety. Based in San Diego, the center provides educational information to consumers, legislators, and governmental agencies and is part of a national information sharing network of domestic violence advocates.

Consumer Action is a non-profit consumer education and advocacy organization serving consumers since 1971. It provides consumers with information and education on matters of telecommunications, privacy, predatory lending and banking/credit issues through its national network of 7,000 community-based organizations. Consumer Action advocates at the state and federal legislative levels for consumer rights in the policy areas of banking and credit, product safety, privacy and identity theft and other issues affecting the quality of life of California consumers. www.consumer-action.org

Consumers Union is a nonprofit membership organization chartered in 1936 under the laws of the State of New York to provide consumers with information, education, and counsel about goods, services, health and personal finance; and to initiate and cooperate with individual and group efforts to maintain and enhance the quality of life for consumers. Consumers Union has actively supported a wide variety of state consumer protection laws, including in the areas of credit, finance, and disclosure, including identity theft prevention laws and anti-predatory lending laws. www.consumer.org

The Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. www.epic.org

The Identity Theft Resource Center is a national nonprofit organization that focuses exclusively on identity theft. It was established in 1999. ITRC's mission is to research, analyze and distribute information about the growing crime of identity theft. It serves as a resource and advisory center of identity theft information for consumers, victims, law enforcement, the business and financial sectors, legislators, media and governmental agencies. www.idtheftcenter.org

U.S. Public Interest Research Group (U.S. PIRG) was created by the state PIRGs in 1983 to act as watchdog for the public interest in our nation's capital, much as PIRGs have worked to safeguard the public interest in state capitals since 1971. www.uspirg.org

Copyright © 2004-2006. Privacy Rights Clearinghouse/UCAN. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse. This document should be used as an information source and not as legal advice. PRC documents contain information about federal laws as well as some California-specific information. Laws in other states may vary. Overall, our information is applicable to consumers nationwide.