PRC's Privacy Update No. 1, Iss. 8

In this issue . . .

[1] Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace

[2] Forty-five Consumer Privacy and Civil Liberties Groups Endorse Position Statement on RFID

[3] Do You Have the Background Check Blues? Tell Us Your Story

[4] Consumers on the Do Not Call Registry Allege Telemarketing Calls by Mortgage Concepts: A PRC Case Study

[5] Fair & Accurate Credit Transaction (FACT) Act of 2003 Signed into Law. The Good, the Bad, and the Irony

[1] Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace

PRC Director Beth Givens recently presented testimony to the Chairman’s Conference on Identity Theft for the San Diego Board of Supervisors and San Diego District Attorney.

In her testimony, Givens noted that consumers can only do so much to minimize their risk for identity theft. The real responsibility lies with the credit industry and with employers. The credit industry could prevent most identity theft, she stated, by drastically improving procedures for assessing the legitimacy of credit applications.

Employers also have a significant responsibility to safeguard employees’ and customers’ sensitive personal information. Breaches in workplace data security are a rich source of personal information for identity thieves.

Givens recommends among other things that employers:

--Adopt a comprehensive privacy policy that includes responsible information-handling practices.

--Appoint an individual and/or department responsible for the privacy policy.

--Store sensitive personal data in secure computer systems and locked file cabinets that are only accessible by qualified persons.

-- Properly discard documents that contain personal information by shredding paper documents and “wiping” electronic files.

--Conduct regular staff training and spot-checks to ensure proper information handling by everyone, including temporary employees and contractors. Screen office cleaning crews, contractors, and vendors.

The testimony offers additional resources for employers and highlights California laws that address workplace practices.

[2] Forty-five Consumer, Privacy, and Civil Liberties Groups Endorse Position Statement on RFID

Radio Frequency Identification (RFID) is an item-tagging technology with potentially profound societal implications for consumer profiling and location tracking. Called the next generation of bar codes by industry, an RFID tag is a small radio frequency-activated device containing a unique identification number. Tags can be as small as a speck of dust. When placed in consumer products, they are virtually invisible. When near a radio frequency reader, the device emits a signal that is captured by the reading device and stored in a computer database. Typically, the data is sent to a distributed computing system involved in, perhaps, supply chain management or inventory control.

Concerns revolve around these issues:
--The possible hidden placement of tags and their invisibility to consumers.
--The ramifications of uniquely identifying all objects worldwide.
--Aggregating massive amounts of consumer purchasing data linked to specific individuals.
--Hidden readers that could make it virtually impossible for consumers to know when they are "scanned."

Used improperly, RFID has the potential to jeopardize consumer privacy, reduce or eliminate purchasing anonymity, and threaten civil liberties.

Because of these concerns, 45 national and international consumer, privacy, and civil liberties organizations have endorsed a position statement on the deployment and uses of RFID. Endorsers request a voluntary moratorium on item-level RFID tagging until a formal technology assessment process involving all stakeholders, including consumers, occurs. They also support principles to guide the implementation of RFID technology. “Fair information practices” include consumers’ right to know when items contain RFID tags, no tag-reading in secret, “killing” tags at point of sale, and the ability of individuals to detect and disable tags on items in their possession.

The groups represent a broad spectrum of organizations including the PRC, CASPIAN, American Civil Liberties Union (ACLU), the Electronic Frontier Foundation, the Electronic Privacy Information Center (EPIC), PrivacyActivism, Privacy International, Junkbusters, Center for Democracy and Technology, and Meyda Online, along with organizations in the U.K., Finland, Germany, Austria, Canada, and Australia.

You can read the statement and see the list of those who signed the position paper on the Privacy Rights Clearinghouse and CASPIAN web sites:

[3] Do You Have the Background Check Blues? Tell Us Your Story.

Deferred judgements and expunged records are causing havoc for many job applicants. Several individuals who have had inaccurate information included in background investigations have contacted the PRC in recent months. Many have told us that inaccurate or improperly reported information has resulted in them not getting hired or of being fired from an existing job.

The common denominator in many of these cases is that the individual has participated in a court-supervised program that eventually results in the criminal conviction being expunged. Such programs are often used for first time offenders. Unfortunately, these job seekers have learned that “to expunge” does not necessarily mean “to erase.” We have learned that expunged records are finding their way onto employment screening reports.

Others have told us that convictions from prior years are reported on background checks, even though the law in their state prohibits the reporting of certain convictions over seven years old. We have also learned of situations where inaccurate criminal record information is reported on background checks due to identity theft, often resulting in no job offer.

We believe that inaccurate and improper information on background checks is a significant issue, potentially harming many individuals. Further, we have observed what appears to be a considerable amount of noncompliance with federal and state background check laws by employers. We are closely monitoring this situation and want to compile as much evidence as possible to share with lawmakers, regulatory agency officials, and employers.

Please let us know if you’ve experienced the Background Check Blues. Contact the PRC by using our online inquiry form [Jan. 2007: The PRC's online inquiry form is now inactive].

Our Fact Sheet 16, “Employment Background Checks: A Jobseeker’s Guide” provides information on consumers’ rights regarding employment screening.

[4] Consumers on the Do Not Call Registry Allege Telemarketing Calls by Mortgage Concepts: A PRC Case Study

We relay the next story to you, not only to alert you to the tactics of a wily telemarketer, but also to give you an idea of the kind of work we do every day on two fronts – (1) assisting consumers and (2) working with government authorities to investigate and crack down on privacy abuses.

Masquerading as a survey research company, Mortgage Concepts is contacting individuals who have signed up for the National Do Not Call Registry, in apparent violation of federal law. Several individuals have complained to the Privacy Rights Clearinghouse about this company.

When individuals respond to the company’s pre-recorded message, they are contacted by Mortgage Concepts employees who attempt to sell them a loan product, all the while claiming that the company is engaging in survey research which is exempt from federal telemarketing law.

We attempted to locate Mortgage Concepts and called an outfit with that name in Virginia. This business told us it has received many calls from irate consumers who are on the Registry. But it is not the offending telemarketer, just a company with the bad fortune of having the same name. We learned that the Virginia company is working with another company in Massachusetts with the same name which is also receiving angry calls from Do Not Call registrants. It has hired a private investigator to track down the offending company. Both legitimate companies are referring consumers to the PRC for assistance.

The PRC is instructing consumers to file complaints with the FTC. We are also suggesting that they contact their state Attorney General’s office. If an AG’s office were to take action against the company, it could establish important case law regarding what is and is not considered a “survey” and thus exempt from complying with the Do Not Call Registry.

If you have received a call from Mortgage Concepts, we’d like to hear about it, especially if you have additional information such as the company’s phone number and details about the company’s location or mortgage brokerage license. You can contact us via our inquiry form [Jan. 2007: The PRC's online inquiry form is now inactive].

[5] Fair and Accurate Credit Transaction (FACT) Act of 2003 Signed into Law. The Good, the Bad, and the Irony

On December 4, the Fair and Accurate Credit Transaction (FACT) Act of 2003 was signed into law by President Bush. The bill amends the Fair Credit Reporting Act (FCRA) which was first enacted in 1970 and later updated in 1996. The law governs consumers’ rights regarding credit reporting agencies including the accuracy of and access to credit reports. And it addresses identity theft prevention and victim assistance. The following is an overview of some of the new provisions of the FCRA.

The Good:
--Allows consumers nationwide to receive a free copy of their credit report once a year. Checking one’s credit report regularly is an important early-warning strategy for detecting identity theft.

--Allows consumers to receive their credit score for a “reasonable fee” yet to be determined. The credit score is used by most creditors to determine if credit should be extended and at what interest rate. Until recently it has been kept a secret from consumers. Currently, access to one’s credit score can cost as much as $13.

--Provides notification to consumers before negative account information is posted to their credit report, allowing them the ability to dispute inaccurate accounts before they affect a consumer’s credit rating. Being notified about negative information beforehand is another good way to be alerted to possible identity theft. The law has additional provisions for preventing the “re-pollution” of credit reports with fraudulent accounts.

--Allows victims of identity theft to get access to applications and transaction documents related to fraudulent accounts if they show a police report.

--Requires the truncation of credit card numbers on customers’ transaction receipts by 2007.

The Bad:
--Requires victims of identity theft to have a police report to prove they are truly victims. California law requires law enforcement to write police reports for victims of identity theft, but most other states do not. Unfortunately, all too many police departments refuse to write police reports for identity theft victims, claiming that the financial institutions are the true victims, not them.

----And the “baddest” of the bad … Permanently preempts stronger states’ laws in some key areas. Though the dust hasn’t settled yet on how the new federal law affects California and other states’ laws, it appears that some laws will be preempted. We will keep you posted.

The Irony:
--Most of the provisions regarding identity theft prevention and victim assistance were “borrowed” from the states. Yet, FACT preempts the states from enacting new laws in areas covered by the federal law. And it appears to nullify some state laws already on the books. The irony? By preempting the states, Congress has cut off the source of a great deal of innovative and effective consumer protection legislation. Compared with the states, Congress is slow to enact meaningful privacy protection laws. As such, the new law represents a significant step backward for consumers nationwide. Unfortunately, the tens of millions of dollars in campaign contributions from the financial industry is a significant factor in Congress’s weak record regarding consumer protection.

  To subscribe to our free email newsletter, go to