Source: apps.americanbar.org/buslaw/newsletter/0066/materials/pp4.pdf

RECENT DEVELOPMENTS IN FINANCIAL PRIVACY

Committee on Investment Services and Committee on Federal Regulation of Securities

ABA Section of Business Law Fall Meeting Washington, DC

November 16, 2007

Chair:

Robert A. Robertson, Partner, Dechert LLP, Newport Beach, CA

Panelists:

Amy Friend, Assistant Chief Counsel, Office of the Comptroller of the Currency, Washington, D.C.

Loretta H. Garrison, Senior Attorney, Division of Privacy and Identity Protection, Federal Trade Commission, Washington, D.C.

Penelope Saltzman, Branch Chief, U.S. Securities and Exchange Commission, Washington, D.C.


RECENT DEVELOPMENTS IN FINANCIAL PRIVACY

TABLE OF CONTENTS

President’s Task Force

I. President’s Identity Theft Task Force, “Combating Identity Theft: A Strategic Plan” (Apr. 2007) (executive summary).

Joint Agency

II. Joint Agency Press Release, “Federal Regulators Seek Public Comment on Model Privacy Notice” (Mar. 21, 2007).

III. Proposed Model Privacy Form for Financial Institutions (Mar. 2007).

OCC

IV. OCC Press Release, “Comptroller of the Currency Praises Effort to Improve Privacy Notices, Calls for Financial Industry Feedback” (Mar. 21, 2007).

V. OCC White Paper, “Privacy Laws and Regulations” (Sept. 8, 2000).

FTC

VI. FTC Website, “Financial Privacy Rule: Interagency Notice Research Project” (2007).

VII. FTC Enforcement Cases Involving Privacy of Consumer Information Under the FTC Act (through Nov. 2006).

VIII. Opening Remarks of Deborah Platt Majoras, FTC Chairman, “Maintaining Momentum in the Fight Against Identity Theft,” National Cyber Security Awareness Summit, Washington, D.C. (Oct. 1, 2007).

SEC

IX. SEC Staff Letter, “Funds Use of Rule 22c-2 Information for Marketing Purposes” (Aug. 21, 2007).

X. SEC Regulation S-P Enforcement Case, “In the Matter of NEXT Financial Group, Inc.,” Admin. Proc. File No. 3-12738 (Aug. 24, 2007).

FDIC

XI. FDIC Board Meeting Notice Regarding Financial Privacy Incentives (Oct. 10, 2007).

XII. FDIC Memorandum Regarding Interagency Final Rule Regarding Affiliate Marketing - Section 214 of the Fair and Accurate Credit Transactions Act of 2003 (Sept. 18, 2007).

XIII. FDIC Memorandum Regarding Interagency Final Rule Regarding Identity Theft Red Flags and Address Discrepancies under Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (Oct. 16, 2007).


The President’s Identity Theft Task Force

April 2007

Combating Identity Theft: A Strategic Plan


Table of Contents

Glossary of Acronyms ... v
Identity Theft Task Force Members ... vii
Letter to the President ... viii
I. Executive Summary ... 1
A. Introduction ... 1
B. The Strategy ... 2
II. The Contours of the Identity Theft Problem ... 10
A. Prevalence and Costs of Identity Theft ... 11
B. Identity Thieves: Who They Are ... 12
C. How Identity Theft Happens: The Tools of the Trade ... 13
D. What Identity Thieves Do With the Information They Steal: The Different Forms of Identity Theft ... 18
III. A Strategy to Combat Identity Theft ... 22
A. Prevention: Keeping Consumer Data out of the Hands of Criminals ... 22
1. Decreasing the Unnecessary Use of Social Security Numbers ... 23
2. Data Security in the Public Sector ... 27
a. Safeguarding of Information in the Public Sector ... 27
b. Responding to Data Breaches in the Public Sector ... 28
3. Data Security in the Private Sector ... 31
a. The Current Legal Landscape ... 31
b. Implementation of Data Security Guidelines and Rules ... 32
c. Responding to Data Breaches in the Private Sector ... 34
4. Educating Consumers on Protecting Their Personal Information ... 39
B. Prevention: Making It Harder to Misuse Consumer Data ... 42
C. Victim Recovery: Helping Consumers Repair Their Lives ... 45
1. Victim Assistance: Outreach and Education ... 45
2. Making Identity Theft Victims Whole ... 49
3. Gathering Better Information on the Effectiveness of Victim Recovery Measures ... 51
D. Law Enforcement: Prosecuting and Punishing Identity Thieves ... 52
1. Coordination and Intelligence/Information Sharing ... 53
a. Sources of Identity Theft Information ... 54
b. Format for Sharing Information and Intelligence ... 55
c. Mechanisms for Sharing Information ... 55
2. Coordination with Foreign Law Enforcement ... 58
3. Prosecution Approaches and Initiatives ... 62
4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps ... 65
a. The Identity Theft Statutes ... 65
b. Computer-Related Identity Theft Statutes ... 66
c. Cyber-Extortion Statute ... 66
d. Sentencing Guidelines Governing Identity Theft ... 67
5. Training of Law Enforcement Officers and Prosecutors ... 69
6. Measuring Success of Law Enforcement Efforts ... 70
IV. Conclusion: The Way Forward ... 72

APPENDICES

Appendix A: Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol ... 73
Appendix B: Proposed Routine Use Language ... 83
Appendix C: Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b) ... 85
Appendix D: Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512 ... 87
Appendix E: Text of Amendments to 18 U.S.C. §§ 1028 and 1028A ... 91
Appendix F: Text of Amendment to 18 U.S.C. § 1032(a)(2) ... 93
Appendix G: Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. 2332b ... 94
Appendix H: Text of Amendments to 18 U.S.C. § 1030(a)(7) ... 97
Appendix I: Text of Amendment to United States Sentencing Guideline § 2B1.1 ... 98
Appendix J (Description of Proposed Surveys) ... 99
ENDNOTES ... 101


Glossary of Acronyms

AAMVA–American Association of Motor Vehicle Administrators
AARP–American Association of Retired Persons
ABA–American Bar Association
APWG–Anti-Phishing Working Group
BBB–Better Business Bureau
BIN–Bank Identification Number
BJA–Bureau of Justice Assistance
BJS–Bureau of Justice Statistics
CCIPS–Computer Crime and Intellectual Property Section (DOJ)
CCMSI–Credit Card Mail Security Initiative
CFAA–Computer Fraud and Abuse Act
CFTC–Commodity Futures Trading Commission
CIO–Chief Information Officer
CIP–Customer Identification Program
CIRFU–Cyber Initiative and Resource Fusion Center
CMRA–Commercial Mail Receiving Agency
CMS–Centers for Medicare and Medicaid Services (HHS)
CRA–Consumer reporting agency
CVV2–Card Verification Value 2
DBFTF–Document and Benefit Fraud Task Force
DHS–Department of Homeland Security
DOJ–Department of Justice
DPPA–Drivers Privacy Protection Act of 1994
FACT Act–Fair and Accurate Credit Transactions Act of 2003
FBI–Federal Bureau of Investigation
FCD–Financial Crimes Database
FCRA–Fair Credit Reporting Act
FCU Act–Federal Credit Union Act
FDI Act–Federal Deposit Insurance Act
FDIC–Federal Deposit Insurance Corporation
FEMA–Federal Emergency Management Agency
FERPA–Family and Educational Rights and Privacy Act of 1974
FFIEC–Federal Financial Institutions Examination Council
FIMSI–Financial Industry Mail Security Initiative
FinCEN–Financial Crimes Enforcement Network (Department of Treasury)
FISMA–Federal Information Security Management Act of 2002
FRB–Federal Reserve Board of Governors
FSI–Financial Services, Inc.
FTC–Federal Trade Commission
FTC Act–Federal Trade Commission Act
GAO–Government Accountability Office
GLB Act–Gramm-Leach-Bliley Act
HHS–Department of Health and Human Services
HIPAA–Health Insurance Portability and Accountability Act of 1996
IACP–International Association of Chiefs of Police
IAFCI–International Association of Financial Crimes Investigators
IC3–Internet Crime Complaint Center
ICE–U.S. Immigration and Customs Enforcement
IRS–Internal Revenue Service
IRS CI–IRS Criminal Investigation Division


IRTPA–Intelligence Reform and Terrorism Prevention Act of 2004
ISI–Intelligence Sharing Initiative (U.S. Postal Inspection Service)
ISP–Internet service provider
ISS LOB–Information Systems Security Line of Business
ITAC–Identity Theft Assistance Center
ITCI–Information Technology Compliance Institute
ITRC–Identity Theft Resource Center
MCC–Major Cities Chiefs
NAC–National Advocacy Center
NASD–National Association of Securities Dealers, Inc.
NCFTA–National Cyber Forensic Training Alliance
NCHELP–National Council of Higher Education Loan Programs
NCUA–National Credit Union Administration
NCVS–National Crime Victimization Survey
NDAA–National District Attorneys Association
NIH–National Institutes of Health
NIST–National Institute of Standards and Technology
NYSE–New York Stock Exchange
OCC–Office of the Comptroller of the Currency
OIG–Office of the Inspector General
OJP–Office of Justice Programs (DOJ)
OMB–Office of Management and Budget
OPM–Office of Personnel Management
OTS–Office of Thrift Supervision
OVC–Office for Victims of Crime (DOJ)
PCI–Payment Card Industry
PIN–Personal Identification Number
PMA–President’s Management Agenda
PRC–Privacy Rights Clearinghouse
QRP–Questionable Refund Program (IRS CI)
RELEAF–Operation Retailers & Law Enforcement Against Fraud
RISS–Regional Information Sharing Systems
RITNET–Regional Identity Theft Network
RPP–Return Preparer Program (IRS CI)
SAR–Suspicious Activity Report
SBA–Small Business Administration
SEC–Securities and Exchange Commission
SMP–Senior Medicare Patrol
SSA–Social Security Administration
SSL–Secure Sockets Layer
SSN–Social Security number
TIGTA–Treasury Inspector General for Tax Administration
UNCC–United Nations Crime Commission
USA PATRIOT Act–Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)
USB–Universal Serial Bus
US-CERT–United States Computer Emergency Readiness Team
USPIS–United States Postal Inspection Service
USSS–United States Secret Service
VHA–Veterans Health Administration
VOIP–Voice Over Internet Protocol
VPN–Virtual private network
WEDI–Workgroup for Electronic Data Interchange


Identity Theft Task Force Members

Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
Henry M. Paulson, Department of Treasury
Carlos M. Gutierrez, Department of Commerce
Michael O. Leavitt, Department of Health and Human Services
R. James Nicholson, Department of Veterans Affairs
Michael Chertoff, Department of Homeland Security
Rob Portman, Office of Management and Budget
John E. Potter, United States Postal Service
Ben S. Bernanke, Federal Reserve System
Linda M. Springer, Office of Personnel Management
Sheila C. Bair, Federal Deposit Insurance Corporation
Christopher Cox, Securities and Exchange Commission
JoAnn Johnson, National Credit Union Administration
Michael J. Astrue, Social Security Administration
John C. Dugan, Office of the Comptroller of the Currency
John M. Reich, Office of Thrift Supervision


Letter to the President

APRIL 11, 2007

The Honorable George W. Bush
President of the United States
The White House
Washington, D.C.

Dear Mr. President:

By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.


The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission


I. Executive Summary

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A. INTRODUCTION

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.


In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

B. THE STRATEGY

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim’s personal information.

Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.


The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;

• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;

• assisting the victims of identity theft in recovering from the crime; and

• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;

• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;

• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and

• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:

PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.


Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

• Survey current use of SSNs by federal government

• Issue guidance on appropriate use of SSNs

• Establish clearinghouse for “best” agency practices that minimize use of SSNs

• Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

• Develop concrete guidance and best practices

• Monitor agency compliance with data security guidance

• Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies

• Issue data breach guidance to agencies

• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

• Hold regional seminars for businesses on safeguarding information

• Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations


Initiate a Multi-Year Public Awareness Campaign

• Develop national awareness campaign

• Enlist outreach partners

• Increase outreach to traditionally underserved communities

• Establish “Protect Your Identity” Days

Develop Online Clearinghouse for Current Educational Resources

PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

• Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.


Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

• Train law enforcement officers

• Provide educational materials for first responders that can be used as a reference guide for identity theft victims

• Create and distribute an ID Theft Victim Statement of Rights

• Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

• Conduct assessment of FACT Act remedies under FCRA

• Conduct assessment of state credit freeze laws

LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

• Enhance ability of law enforcement to receive information from financial institutions

• Initiate discussions with financial services industry on countermeasures to identity theft

• Initiate discussions with credit reporting agencies on preventing identity theft


Coordination with Foreign Law Enforcement

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft

• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district

• Evaluate monetary thresholds for prosecution

• Encourage state prosecution of identity theft

• Create working groups and task forces

Conduct Targeted Enforcement Initiatives

• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

• Conduct enforcement initiatives focused on identity theft related to the health care system

• Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs


Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

• Add new crimes to the list of predicate offenses for aggravated identity theft offenses

• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

• Penalize creators and distributors of malicious spyware and keyloggers

• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors

• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft

• Increase number of regional identity theft seminars

• Increase resources for law enforcement on the Internet

• Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft

• Gather and analyze statistically reliable data from identity theft victims

• Expand scope of national crime victimization survey

• Review U.S. Sentencing Commission data

• Track prosecutions of identity theft and resources spent

• Conduct targeted surveys


Joint Release

Board of Governors of the Federal Reserve System

Commodity Futures Trading Commission

Federal Deposit Insurance Corporation

Federal Trade Commission

National Credit Union Administration

Office of the Comptroller of the Currency

Office of Thrift Supervision

Securities and Exchange Commission

NR 2007-25 For Immediate Release March 21, 2007

Federal Regulators Seek Public Comment on Model Privacy Notice

WASHINGTON - Eight federal regulators today released a notice of proposed rulemaking (NPR) requesting comment on a model privacy form that financial institutions can use for their privacy notices to consumers required by the Gramm-Leach-Bliley Act (GLB Act). The privacy notices must describe an institution's information sharing practices, and, for certain types of sharing, consumers have the right to opt out. The notices must be provided when a consumer first becomes a customer of a financial institution and then annually for as long as the customer relationship lasts.

Last October, President Bush signed into law the Financial Services Regulatory Relief Act of 2006, amending the GLB Act to require the agencies to propose a model form that is succinct and comprehensible to consumers, allows consumers easily to compare privacy practices of financial institutions, and uses easily readable type font.

The proposed model privacy form is the "prototype privacy notice" developed by six of these federal agencies after a year-long consumer testing process. A detailed report describing the testing and resulting prototype privacy notice was released by these agencies in March 2006. The NPR proposes that a financial institution that chooses to use the model form would satisfy the disclosure requirements for the notices and so could take advantage of a legal "safe harbor." The NPR also proposes to remove, after a transition period, the sample clauses now included in some of the agencies' privacy rules.

The NPR was developed jointly by the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the Securities and Exchange Commission.

A copy of the NPR is attached. The NPR seeks comment on all aspects of the model form, including its content and format and whether it provides sufficient flexibility for financial institutions to disclose their sharing practices accurately.


Written comments on the proposed rule amendments may be submitted within 60 days after their publication in the Federal Register, which is expected in late March.

# # #

Attachment

Media Contacts:

CFTC: Ianthe Zabel

FDIC: David Barr

Federal Reserve: Deborah Lagomarsino

FTC: Claudia Bourne Farrell

NCUA: Cherie Umbel

OCC: Bryan Hubbard

OTS: Kevin Petrasic

SEC: John J. Nester


WHAT DOES [name of financial institution] DO WITH YOUR PERSONAL INFORMATION?

us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.

The types of personal information we collect and share depend on the product or service you have with us. This information can include:

• Social Security number and income

• account balances and payment history

• credit history and credit scores

When you close your account, we continue to share information about you according to our policies.

All financial companies need to share customers' personal information to run their everyday business: to process transactions, maintain customer accounts, and report to credit bureaus. In the section below, we list the reasons financial companies can share their customers' personal information; the reasons [name of financial institution] chooses to share; and whether you can limit this sharing.

• For our everyday business purposes: to process your transactions, maintain your account, and report to credit bureaus

• For our marketing purposes: to offer our products and services to you

• For joint marketing with other financial companies

• For our affiliates' everyday business purposes: information about your transactions and experiences

• For our affiliates' everyday business purposes: information about your creditworthiness

• For our affiliates to market to you

• For nonaffiliates to market to you

Call [toll-free telephone] or go to [web address]


How often does [name of financial institution] notify me about their practices?

We must notify you about our sharing practices when you open an account and each year while you are a customer.

How does [name of financial institution] protect my personal information?

To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.

How does [name of financial institution] collect my personal information?

We collect your personal information, for example, when you

• open an account or deposit money

• pay your bills or apply for a loan

• use your credit or debit card

We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.

Why can't I limit all sharing?

Federal law gives you the right to limit sharing only for

• affiliates' everyday business purposes: information about your creditworthiness

• affiliates to market to you

• nonaffiliates to market to you

State laws and individual companies may give you additional rights to limit sharing.

Everyday business purposes

The actions necessary by financial companies to run their business and manage customer accounts, such as

• processing transactions, mailing, and auditing services

• providing information to credit bureaus

• responding to court orders and legal investigations

Affiliates

Companies related by common ownership or control. They can be financial and nonfinancial companies.

• [affiliate information]

Nonaffiliates

Companies not related by common ownership or control. They can be financial and nonfinancial companies.

• [nonaffiliate information]

Joint marketing

A formal agreement between nonaffiliated financial companies that together market financial products or services to you.

• [joint marketing]


Contact us

By telephone: [toll-free telephone], our menu will prompt you through your choices

On the web: [web address]

By mail: mark your choices below, fill in and send form to: [mailing address]

Unless we hear from you, we can begin sharing your information 30 days from the date of this letter. However, you can contact us at any time to limit our sharing.

Your choices will apply to everyone on your account.

Check any/all you want to limit: (See page 1)

[ ] Do not share information about my creditworthiness with your affiliates for their everyday business purposes.

[ ] Do not allow your affiliates to use my personal information to market to me. (I will receive a renewal notice for this use for marketing in 5 years.)

[ ] Do not share my personal information with nonaffiliates to market their products and services to me.


NEWS RELEASE: Comptroller of the Currency, Administrator of National Banks

FOR IMMEDIATE RELEASE March 21, 2007

Contact: Bryan Hubbard (202) 874-5770

Comptroller of the Currency Praises Effort to Improve Privacy Notices, Calls for Financial Industry Feedback

WASHINGTON - Comptroller of the Currency John C. Dugan today praised an interagency effort to improve consumer privacy notices from financial institutions and urged financial institutions and others to provide feedback on the proposed rule. His statement follows:

Today's proposed rule on consumer privacy notices marks a significant step in the interagency effort to provide disclosures that people can easily read, understand, and use.

Effective consumer-oriented privacy disclosures make it easier for people to protect themselves and compare financial service providers based on facts about how companies protect, use, and share personal information. Clear, concise, and useful disclosures also benefit financial service providers by enhancing competitiveness and helping to build consumer confidence.

The participating agencies developed the model notice and proposed rule based on consumer-focused research that tested the language and design of the form. This research-based process ensures that notices are designed to meet the needs of the people who use them, the customers of our financial service providers.

While consumer feedback showed this model privacy notice to be effective, we are now soliciting feedback from consumers, industry groups, and others on implementing this standardized notice, possible approaches for the next phase of testing, and the likelihood that institutions will use the model notice. As we move forward, we want to support consumers' need for information without overburdening the industry.

The participating agencies include the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the Securities and Exchange Commission. In March 2006, the agencies published a report of their consumer research that showed consumers need a context for understanding information in financial privacy notices and presented a prototype notice that showed the required information could be presented in a simple, standard, and useful format.

Related Link:

Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act (http://www.occ.gov/ftp/release/2007-25a.pdf)

Interagency research on financial privacy disclosures (http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf (PDF 14MB))

The Office of the Comptroller of the Currency was created by Congress to charter national banks, to oversee a nationwide system of banking institutions, and to assure that national banks are safe and sound, competitive and profitable, and capable of serving the banking needs of their customers in the best possible manner. OCC press releases and other information are available at http://www.occ.gov. To receive OCC press releases and issuances by email, subscribe at http://www.occ.gov/listserv.htm.

Comptroller of the Currency, Administrator of National Banks

Privacy Laws and Regulations

September 8, 2000


Date: September 8, 2000 Page 2

CONTENTS

PURPOSE AND SUMMARY 3

BACKGROUND 3

SUMMARY OF GLBA PRIVACY PROVISIONS AND OTHER LAWS 5

GLBA Privacy Provisions 5

Fair Credit Reporting Act 7

Electronic Fund Transfer Act 8

Right to Financial Privacy Act 8

Children’s Online Privacy Protection Act 8

General Laws 9

COMPARISON OF GLBA AND FCRA PROVISIONS 10

SAFETY AND SOUNDNESS CONSIDERATIONS 12

CONTACT INFORMATION 13

NOTES 13


PURPOSE AND SUMMARY

This document is designed to assist national banks and their subsidiaries in complying with federal laws and regulations relating to the disclosure of consumer financial information. Accordingly, it summarizes the requirements of the relevant federal laws, particularly: Title V of the Gramm-Leach-Bliley Act (GLBA) (Pub. L. 106-102; 15 U.S.C. 6801 et seq.); the Fair Credit Reporting Act (FCRA) (15 U.S.C. 1681 et seq.); the Electronic Fund Transfer Act (EFTA) (15 U.S.C. 1693 et seq.); the Right to Financial Privacy Act (RFPA) (12 U.S.C. [citation illegible in source]); and the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. 6501 et seq.). Because the GLBA and the FCRA contain the most extensive requirements governing the disclosure of consumer information by banks and other private entities, this document discusses the relationship between these laws to help banks better understand the scope of their obligations under each statute.

BACKGROUND

The GLBA, signed into law on November 12, 1999, enacted new privacy-related provisions applicable to financial institutions and authorized the federal financial institution regulatory agencies (Agencies) to adopt regulations to implement those new provisions and the pre-existing provisions of the FCRA.[1] The financial institutions covered by the GLBA include national banks and their financial and operating subsidiaries, as well as a wide range of other businesses engaged in financial and financially-related activities. For ease of reference, this document frequently refers to relevant legal requirements (under the GLBA, the FCRA, or other laws) as being applicable to "banks;" as a general matter, these requirements also will be applicable to national banks’ financial and operating subsidiaries.

The Agencies recently promulgated final rules to implement the GLBA provisions. The GLBA requirements will become effective on November 13, 2000, and compliance with these requirements is mandatory as of July 1, 2001. To be in compliance with the regulations, prior to July 1, 2001, banks must have delivered copies of their privacy policies to their customers, and, as appropriate, provided them with a reasonable opportunity to opt out of certain information sharing arrangements between the bank and nonaffiliated third parties before such information sharing occurs. Senior management and the boards of directors of national banks and their subsidiaries are strongly encouraged to ensure that their institutions take all appropriate steps before this mandatory compliance date so that they are prepared to comply fully with the GLBA regulations at that time. These steps should include, as appropriate for the institution:

• conducting an inventory of information collection and disclosure practices;

• evaluating agreements with third parties that involve the disclosure of consumer information;

• establishing mechanisms to handle opt-out elections by consumers;

• developing or revising existing privacy policies to reflect the new regulatory requirements;

• determining how to deliver privacy notices to consumers;

• establishing employee training and compliance programs; and

• setting target dates for all features of the implementation program.

While the GLBA is the most extensive of the federal financial privacy laws, there are a number of other statutes that bear upon the information sharing practices of national banks and their subsidiaries, most notably the FCRA. These other laws are currently in full effect, and national banks and their subsidiaries are expected to be in compliance with them and any applicable state privacy laws.


SUMMARY OF GLBA PRIVACY PROVISIONS AND OTHER LAWS

GLBA Privacy Provisions

Principal Privacy Requirements in the GLBA

The three principal requirements relating to the privacy of consumer financial information in the GLBA are:

• Financial institutions must provide their customers with notices describing their privacy policies and practices, including their policies with respect to the disclosure of nonpublic personal information[2] to their affiliates and to nonaffiliated third parties. The notices must be provided at the time the customer relationship is established and annually thereafter.

• Subject to specified exceptions, financial institutions may not disclose nonpublic personal information about consumers to any nonaffiliated third party unless consumers are given a reasonable opportunity to direct that such information not be shared (to "opt out").

• Financial institutions generally may not disclose customer account numbers to any nonaffiliated third party for marketing purposes.

Privacy Notices. Under the GLBA, a bank must provide a notice that accurately describes its privacy policies and practices to individual consumers who establish a customer relationship with the bank, not later than the time the customer relationship is established. Unless an exception applies, this initial privacy notice also must be provided to any other consumer, even if not a "customer" of the bank, before the bank discloses that consumer’s nonpublic personal information to a nonaffiliated third party. Banks also must provide their customers an annual privacy notice. All privacy notices must be clear and conspicuous, and must be provided so that each intended recipient can reasonably be expected to receive actual notice. Notices must be in writing (unless the consumer agrees to electronic delivery). The notices must describe, among other things, the types of nonpublic personal information collected and disclosed, the types of affiliated and nonaffiliated third parties with whom the information may be shared, and the consumer’s right to opt out and thereby limit certain information sharing by the bank.


Opt-Out Requirements. Banks generally may not, directly or through an affiliate, disclose a consumer’s nonpublic personal information to any nonaffiliated third party unless the consumer is given a reasonable opportunity to direct that such information not be disclosed, i.e., to opt out. Thus, before a bank may disclose nonpublic personal information about a consumer to a nonaffiliated third party, the bank must provide the consumer with an initial privacy notice and an opt-out notice (which may be included in the privacy notice). The GLBA contains a number of specific exceptions to these opt-out requirements, however, to ensure that banks can continue to disclose information to nonaffiliated third parties to conduct routine business. These exceptions include, for instance, the disclosure of information by banks to third parties who are providing services to the bank or to their customers as the bank’s agent.

Other Restrictions. The GLBA also provides that a bank generally may not disclose an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail, or other marketing through electronic mail to the consumer. The statute also limits the redisclosure or reuse of information obtained from other nonaffiliated financial institutions.


Fair Credit Reporting Act

Principal FCRA Information Sharing Provisions

The FCRA sets standards for the collection, communication, and use of information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. The communication of this type of information may be a "consumer report" subject to the FCRA’s requirements. The definition of consumer report contains a number of exceptions, however, including exceptions that permit a bank:

• To share with any other party information solely as to the bank’s transactions or experiences with a consumer; and

• To share with bank affiliates other types of information, such as information from a credit report or from a consumer’s loan application, if it is clearly and conspicuously disclosed to the consumer that such information sharing may occur, and the consumer is given an opportunity to direct that the information not be shared, i.e., to "opt out."

Banks that share consumer report information among affiliates or with third parties under other circumstances may become consumer reporting agencies subject to the FCRA’s requirements applicable to those entities. These requirements relate to furnishing consumer reports only for permissible purposes, maintaining high standards for ensuring the accuracy of information in consumer reports, resolving customer disputes, and other matters.

As a general matter, a bank will not be subject to the FCRA’s substantial requirements that apply to consumer reporting agencies if the bank communicates only transaction or experience information to third parties or among its affiliates. Additionally, a bank will not become a consumer reporting agency if it shares with its affiliates other information that would ordinarily be considered consumer report information if it does so in accordance with the consumer opt-out process noted above.

The FCRA does, however, impose a number of requirements on persons that use consumer reports or furnish information to consumer reporting agencies, and these provisions can apply to national banks and their subsidiaries.[3] Several of these provisions protect the privacy of consumer information, including one that requires a bank to use or obtain consumer reports only for specific permissible purposes under the statute. Another provision requires a bank that solicits consumers for offers of credit based on information in consumer reports ("prescreened offers") to provide a clear and conspicuous notice with each offer informing consumers, among other things, how they can opt out of further solicitations.

Electronic Fund Transfer Act

The EFTA and the Federal Reserve Board’s Regulation E (12 C.F.R. Part 205) require that banks make certain disclosures at the time a consumer contracts for an electronic fund transfer service or before the first electronic fund transfer is made involving the consumer’s account. For example, the financial institution must disclose the circumstances under which, in the ordinary course of business, the financial institution may provide information concerning the consumer’s account to third parties, whether or not the third party is affiliated with the bank. This disclosure must encompass any information that may be provided concerning the account (not just information relating to the electronic fund transfers themselves). The EFTA and Regulation E requirements apply with respect to demand deposit, savings deposit, and other consumer asset accounts.

The OCC will treat an initial privacy notice that satisfies the GLBA regulations as sufficient for compliance with the EFTA and Regulation E.

Right to Financial Privacy Act

The RFPA prohibits financial institutions from disclosing a customer’s financial records to the federal government except in limited circumstances such as pursuant to the customer’s authorization, an administrative subpoena or summons, a search warrant, a judicial subpoena, or a formal written request in connection with a legitimate law enforcement inquiry, or to a supervisory agency in connection with its supervisory, regulatory, or monetary functions.

Children’s Online Privacy Protection Act

The COPPA and the Federal Trade Commission’s implementing regulations (16 C.F.R. Part 312) generally apply to financial institutions that operate commercial web sites or online services (or portions thereof) that are directed to children, or that operate web sites or online services and knowingly collect personal information from children under the age of 13.[4]

COPPA and the FTC’s regulations establish a number of requirements applicable to operators of covered web sites and online services, including requirements that the operator must provide online notice about its information practices with respect to children. With limited exceptions, the operator also must obtain verifiable parental consent prior to any collection, use, or disclosure of personal information from children. The operator also must provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance. Operators also are prohibited from conditioning a child’s participation in a game, the offering of a prize, or any other activity upon the child’s disclosing more personal information than is reasonably necessary to participate in such activity. Finally, operators must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

General Laws

National banks and their subsidiaries also should be aware of other federal and state laws that may affect their practices relating to consumer financial information. For example, on the federal level, the Federal Trade Commission Act (15 U.S.C. § 41 et seq.) prohibits unfair or deceptive acts or practices in or affecting commerce, and provides a basis for government enforcement actions against deception resulting from misleading statements concerning a company’s privacy practices or policies, or failures to abide by a stated policy. A number of states have enacted privacy laws that specifically relate to the disclosure of consumer financial information, as well as laws that more generally target unfair and deceptive acts and practices. The GLBA maintains that state laws that afford greater protection for consumer privacy than that provided by the GLBA are not preempted by Title V of the GLBA. The FCRA, however, provides that state laws that prohibit or impose requirements on the exchange of information among affiliates are preempted unless enacted after January 1, 2004.


COMPARISON OF GLBA AND FCRA DISCLOSURE PROVISIONS

Types of Information Covered

GLBA applies to "nonpublic personal information" which is broadly defined by regulation to cover any information that is provided to a bank by a consumer to obtain a financial product or service, that results from a transaction with a bank involving a financial product or service, or that is otherwise obtained by a bank in connection with providing a financial product or service to a consumer. In some circumstances, "publicly available" information is also considered "nonpublic personal information."

FCRA more narrowly applies to the disclosure of "consumer reports," which contain information on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

Types of Disclosures Covered

GLBA restricts disclosures to nonaffiliated third parties.

FCRA, more broadly, restricts disclosures to both affiliates and nonaffiliated third parties.

Types of Restrictions on Information Disclosures

GLBA prohibits a bank from disclosing nonpublic personal information to nonaffiliated third parties unless the bank has provided consumers with a privacy notice and an opportunity to opt out of such information sharing.

FCRA provides that a bank may become a consumer reporting agency if it discloses consumer report information to its affiliates without providing consumers notice of the disclosure and an opportunity to opt out. Additionally, a bank may become a consumer reporting agency if it discloses consumer reports to nonaffiliated third parties. There is no notice and opt-out provision that would permit a bank to share consumer reports with nonaffiliated third parties without becoming a consumer reporting agency.

Scope of Consumer’s Opt-Out Right

GLBA opt-out permits consumers to limit a bank’s sharing nonpublic personal information with nonaffiliated third parties.

FCRA opt-out permits consumers to limit a bank’s sharing information that would otherwise be a "consumer report" with affiliates.

Scope of Exceptions

GLBA contains a number of specific exceptions to the consumer’s opt-out right.

FCRA explicitly permits banks to share freely only information relating solely to transactions or experiences between the bank and the consumer.


It is critical that national banks remain cognizant of the differences between the GLBA and the FCRA provisions to reduce compliance risks in this area. The GLBA and the FCRA both govern the disclosure of consumer information by banks and other entities. The statutes, however, differ in the scope of their coverage, as well as in their requirements with respect to a bank’s treatment of consumer information. As a result, what may be a permissible disclosure under one statute may be prohibited or subject to different conditions under the other statute. Because compliance with one statute will not entail compliance with the other, banks are strongly advised to evaluate the requirements of both laws in connection with their disclosures of consumer information.

In certain respects, each statute is broader in scope than the other. For example, while the FCRA restricts only the disclosure of "consumer report" information (information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used or collected for certain specified purposes), the GLBA applies to all personally identifiable financial information of a consumer that is not publicly available, including information about the bank’s transactions and experiences with the consumer, and even the fact that the bank has a relationship with the consumer. As a result, although a bank could disclose information about its transactions and experiences with its consumers to nonaffiliated third parties under the FCRA without condition, such a disclosure would trigger notice and opt-out requirements under the GLBA (subject to specific exceptions, such as reporting to credit bureaus in accordance with the FCRA).

On the other hand, the GLBA is narrower than the FCRA to the extent that it restricts the disclosure of information only to nonaffiliated third parties. By contrast, if information is consumer report information, the FCRA restricts its disclosure both to nonaffiliated third parties and to affiliates. Thus, while the GLBA may permit a bank to disclose consumer report information to nonaffiliated third parties in accordance with the notice and opt-out requirements, such a disclosure could turn a bank into a consumer reporting agency under the FCRA, triggering numerous statutory obligations.

The consumer’s opt-out right also functions differently under the two statutes. Under the GLBA, a bank is prohibited, subject to specific exceptions, from sharing information with nonaffiliated third parties unless the bank has provided consumers with a privacy notice and an opportunity to opt out of the information sharing. If the consumer does not opt out, a bank may share information with nonaffiliated third parties. Additionally, if a consumer opts out of third-party sharing, a bank may nonetheless share such information with affiliates because the GLBA does not provide consumers with an option to limit a bank’s sharing of information with the bank’s affiliates.

Under the FCRA, a bank may share consumer report information with its affiliates if it provides consumers with a notice about the intended disclosure and an opportunity for consumers to opt out of the information sharing. Unlike under the GLBA, a bank is not prohibited from making such disclosures without providing notice and opt-out. Rather, failure to provide a notice and opt-out may turn a bank into a consumer reporting agency. With respect to nonaffiliated third parties, the FCRA provides no similar opportunity for banks to disclose consumer report information without becoming a consumer reporting agency. There is no option to provide consumers with a notice and opt-out. Accordingly, if a bank shares consumer reports with nonaffiliated third parties, the bank may become a consumer reporting agency.

Finally, while the FCRA contains no significant explicit exceptions to the notice and opt-out rights other than that for transaction or experience information, the GLBA sets forth a number of specific exceptions to its general restrictions on information disclosure, including exceptions for sharing information with service providers and joint marketers, for disclosures necessary to process or service transactions, and for a variety of other circumstances. It should be noted, however, that although the GLBA has many more exceptions, the transaction or experience information that is not covered by the FCRA is subject to the GLBA restrictions.

SAFETY AND SOUNDNESS CONSIDERATIONS

In addition to legal and compliance risks associated with the handling of consumer information, a failure to respect customers’ expectations of privacy could severely damage a bank’s customer relationships and its overall reputation. Thus, it is critical for the boards of directors and senior management of national banks and their subsidiaries -- in consultation with legal counsel, where appropriate -- to establish policies and procedures to meet legal requirements and otherwise control these risks.


CONTACT INFORMATION

For further information about the matters discussed in this document, contact Amy Friend, Assistant Chief Counsel (202-874-5200), Michael S. Bylsma, Director, Community and Consumer Law Division (202-874-5750), or Stephen Van Meter, Senior Attorney, Community and Consumer Law Division (202-874-5750).

NOTES

[1] Before passage of the GLBA, no agency had rulemaking authority with respect to the FCRA. The OCC is currently working with the other Agencies in drafting proposed FCRA regulations.

[2] Generally, this means any information that is provided by a consumer to a bank in order to obtain a financial product or service, that results from a transaction between a bank and a consumer involving a financial product or service, or that is otherwise obtained by a bank in connection with providing a financial product or service to the consumer. If a bank obtains information about its consumers from a publicly available source, that information will not be protected (i.e., subject to notice and opt-out) unless the information is disclosed as part of a list, description, or other grouping of a bank’s consumers.

[3] Among the more important requirements that banks should be mindful of are the following:

Consumer Reports only for Permissible Purposes. A bank may not use or obtain a consumer report for any purpose unless the report is obtained for a permissible purpose under the FCRA and the purpose is certified by the user to the consumer reporting agency through a general or specific certification.

Special Requirements for Employment Purposes. A bank must follow special procedures when obtaining a consumer report for employment purposes and when taking adverse action, in whole or in part on the basis of a consumer report, in connection with a consumer’s employment.

Special Requirements for Investigative Reports. A bank must meet particular requirements to obtain an “investigative consumer report.”

Requirements When Adverse Action is Taken. A bank that takes adverse action based on information in a consumer report (or, in certain circumstances, based on information obtained from affiliates or from third parties) must provide certain notices to the consumer relating to the nature of the adverse action and the basis of the decision.

Prescreened Transactions. A bank that uses consumer reports in connection with credit or insurance transactions not initiated by the consumer must provide certain clear and conspicuous notices relating to the consumer’s right to opt out of such solicitations.


Duties of Furnishers of Information. A bank that furnishes information to consumer reporting agencies has particular duties relating to the completeness and accuracy of the information provided, including duties to investigate consumer disputes.

[4] National banks are expected to comply with the regulations that the FTC issues under COPPA in accordance with 15 U.S.C. 6502(b). The OCC is authorized to enforce these regulations with respect to national banks under section 8 of the Federal Deposit Insurance Act as set forth in 15 U.S.C. 6505(b)(1)(A).


The FTC, FRB, OCC, FDIC, SEC, NCUA, and OTS are currently engaged in an interagency notice research project to develop, through consumer testing, alternative forms of privacy notices for consumers.

In August 2004, six of the agencies issued a statement of work describing the research design for the first phase, or form development phase, of the project. In September 2004, the agencies selected Kleimann Communication Group to conduct the phase one research. On March 31, 2006, the agencies released the Kleimann report on the form development research.

On March 21, 2007, eight federal GLB agencies jointly issued a notice of proposed rulemaking, pursuant to section 728 of the Financial Services Regulatory Relief Act of 2006, proposing as a model privacy form the prototype notice developed in the phase one research conducted by Kleimann. Commenters have until May 29, 2007, to submit comments on the proposal.

3/21/07 Notice of Proposed Rulemaking [Arial Typefont Format] [Federal Register Format]: Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act, Federal Register

Joint Press Release; Proposed Model Privacy Form [PDF]; Public Comments

3/31/06 Report by Kleimann Communication Group, "Evolution of a Prototype Financial Privacy Notice"

Executive Summary of Report by Kleimann Communication Group, "Evolution of a Prototype Financial Privacy Notice"; Joint Press Release

12/30/03 Advance Notice of Proposed Rulemaking [PDF]: Interagency Proposal to Consider Alternative Forms of Privacy Notices under the Gramm-Leach-Bliley Act, Federal Register

Public Comments

January and February 2004 Meetings with interested groups and individuals in connection with the ANPR

1/20/04 Center for Information Policy Leadership; Procter & Gamble, MBNA, Citigroup, IBM Corporation, Chase, Fidelity Investments [PDF]

1/26/04 National Association of Insurance Commissioners [PDF]


Privacy Initiatives, Page 1 of 2

10/17/2007 http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html


1/29/04 Center for Democracy and Technology, National Consumers League, and Robert Gellman [PDF]; Larry Ponemon, Ponemon Institute [PDF]; Mark Hochhauser, Readability Consultant [PDF]

2/4/04 Independent Community Bankers Association and the America’s Community Bankers [PDF]; National Association of Attorneys General [PDF]; Joseph Turow, University of Pennsylvania [PDF]

2/5/04 Mary Culnan, Bentley College [PDF]; Peter Swire, Ohio State University [PDF]; Jim Harper, Privacilla.org [PDF]

2/17/04 Securities Industry Association [PDF]; North American Securities Administrators Association [PDF]; Credit Union National Association [PDF]; Keystone Expressions, Ltd. [PDF]

2/18/04 TRUSTe [PDF]; National Retail Federation [PDF]; Direct Marketing Association [PDF]; American Bankers Association, Consumer Bankers Association, Wachovia, Wells Fargo, and Bank of America [PDF]

2/25/04 Electronic Privacy Information Center, Privacy Rights Clearinghouse, Consumers Union, and Consumer Federation of America [PDF]



Privacy Initiatives Page 1 of 6


Unfairness & Deception Enforcement

Cases

For additional security cases under the Safeguards Rule, see the separate list.

The Commission has brought the following cases involving the privacy of consumer information under Section 5 of the FTC Act:

11/16/06 Guidance Software, Inc. Settles FTC Charges: Company Failed to Use Reasonable Security Measures to Protect Consumers' Data

Agreement Containing Consent Orders [PDF]; Complaint [PDF]; Exhibits A and B [PDF]; Analysis of Proposed Consent Order to Aid Public Comment [PDF]; News Release

3/14/06 DSW Inc. Settles FTC Charges: Agency Says Company Failed to Protect Sensitive Customer Data

Complaint [PDF]; Agreement [PDF]; Analysis to Aid Public Comment [PDF]; Press Release (3/14/06); Press Release (12/01/05)

2/23/06 CardSystems Solutions Settles FTC Charges: Tens of Millions of Consumer Credit and Debit Card Numbers Compromised

Complaint [PDF]; Agreement [PDF]; Analysis to Aid Public Comment [PDF]; Press Release (2/23/05)

1/26/06 ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress: At Least 800 Cases of Identity Theft Arose From Company's Data Breach

Complaint [PDF]; Stipulated Final Judgment and Order [PDF]; Press Release (1/26/05)


6/16/05 BJ's Wholesale Club Settles FTC Charges: Agency Says Lax Security Compromised Thousands of Credit and Debit Cards

Complaint [PDF]; Agreement [PDF]; Analysis to Aid Public Comment [PDF]; Press Release (6/16/05)

3/10/05 Internet Service Provider Settles FTC Privacy Charges: Company Disclosed Personal Information of Nearly One Million Consumers

Complaint [PDF]; Agreement [PDF]; Analysis to Aid Public Comment [PDF]; Press Release (3/10/05)

3/8/05 Petco Settles FTC Charges: Security Flaws Allowed Hackers to Access Consumers' Credit Card Information

Decision and Order [PDF]; Approval of Issuance of Final Consent Order; Complaint [PDF]; Exhibit A [PDF]; Agreement [PDF]; Analysis to Aid Public Comment [PDF]; Press Release (11/17/04)

9/17/04 Gateway Learning Settles FTC Privacy Charges: Company Rented Customer Information it Pledged to Keep Private

Decision and Order [PDF]; Approval of Issuance of Final Consent Order; Complaint [PDF]; Exhibits A-C [PDF]; Agreement [PDF]; Analysis to Aid Public Comment [PDF]; Press Release (7R104); Letter to Commenter [PDF]

6/2/04 Tower Records: Security Flaw Allegedly Exposed Customer's Personal Information to Other Web Users

Decision and Order [PDF]; Approval of Issuance of Final Consent Order; Complaint [PDF]; Exhibit to Complaint [PDF]; Agreement [PDF]


Analysis to Aid Public Comment [PDF]; Press Release (4/21/04)

8/05/03 Guess.com, Inc.: Guess Settles FTC Security Charges; Third FTC Case Targets False Claims about Information Security

Approval of Issuance of Final Consent Order; Complaint [PDF]; Exhibits to Complaint [PDF]; Decision and Order [PDF]; Agreement Containing Consent Order [PDF]; Analysis of Proposed Consent Order to Aid Public Comment; Press Release (6/18/03)

5/09/03 Educational Research Center of America, Inc.; Student Marketing Group, Inc.; Marian Sanjana; and Jan Stumacher: Student Survey Companies Settle FTC Charges; Data Collected For "Educational Purposes" Also Sold To Marketers Who Targeted Kids

Approval of Issuance of Final Consent Order; Complaint [PDF]; Exhibits to Complaint [PDF]; Decision and Order [PDF]; Agreement Containing Consent Order; Analysis of Proposed Consent Order to Aid Public Comment; Press Release (1/29/03); Public Comments

1/29/03 The National Research Center for College & University Admissions; Don Munce; and American Student List: High School Student Survey Companies Settle FTC Charges that Personal Data Collected For Educational Purposes Was Sold to Commercial Marketers

Approval of Issuance of Final Consent Order; NRCCUA Complaint; Exhibits to Complaint [PDF]; NRCCUA Decision and Order; NRCCUA Agreement Containing Consent Order [PDF]; ASL Complaint; Exhibits to Complaint [PDF]; ASL Decision and Order; ASL Agreement Containing Consent Order [PDF]; Press Release (10/2/02); Analysis of Proposed Consent Orders to Aid Public Comment; Public Comments

12/24/02 Microsoft Corp.: Microsoft Settles FTC Charges Alleging False Security and Privacy Promises


Approval of Issuance of Final Consent Order; Complaint [PDF]; Exhibits to Complaint [PDF]; Decision and Order [PDF]; Agreement Containing Consent Order [PDF]; Analysis of Proposed Consent Order to Aid Public Comment; Press Release (8/8/02); Public Comments

5/10/02 Eli Lilly and Company: Eli Lilly Settles FTC Charges Concerning Security Breach; Company Disclosed E-mail Addresses of 669 Subscribers to its Prozac Reminder Service

Approval of Issuance of Final Consent Order; Complaint; Exhibits to Complaint [PDF]; Decision and Order; Agreement Containing Consent Order [PDF]; Analysis of Proposed Consent Order to Aid Public Comment; Press Release (1/18/02); Concurring Statement of Commissioner Swindle; Public Comments

7/12/00 FTC v. Sandra L. Rennert, Philip Rennert, Lyle Mortensen, International Outsourcing Group, Inc., Focus Medical Group, Inc., Trimline, Inc., Affordable Accents, Inc., World Wide RX, Inc., World Wide Medicine, Inc., PSRenn, Inc., and Doctors A.S.A.P., Inc. (District of Nevada): Online Pharmacies Settle FTC Charges; Viagra, Propecia Prescriptions Promoted With False Medical Claims; Consumers' Medical and Financial Data Collected With False Privacy Assurances

Complaint; Stipulated Final Order as to Lyle Mortensen; Stipulated Final Order as to Sandra L. and Philip Rennert and Corporate Defendants; Statement of Chairman Pitofsky and Commissioner Thompson; Statement of Commissioner Swindle; Press Release (7/12/00)

7/10/00 FTC v. Toysmart.com, LLC, and Toysmart.com, Inc. (District of Massachusetts): FTC Sues Failed Web Site, Toysmart.com, for Deceptively Offering for Sale Personal Information of Web Site Owners

First Amended Complaint; Exhibit to Complaint [PDF]; Press Release (7/21/00)

1/06/00 FTC v. ReverseAuction.com, Inc. (District of Columbia): Online Auction Site Settles FTC Privacy Charges; Personal Identifying Information Hijacked From Competitor's Site; Many Consumers Sent Deceptive Spam

http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html 10/11/2007


Complaint; Stipulated Final Order; Statement of Commissioner Thompson; Statement of Commissioners Swindle and Leary; Press Release (1/06/00)

8/12/99 Liberty Financial Companies, Inc.: Young Investor Website Settles FTC Charges; Agency Alleged Website Made False Promises About Collection of Personal Information from Children and Teens

Complaint [PDF]; Exhibit to Complaint [PDF]; Decision and Order [PDF]; Agreement Containing Consent Order; Analysis of Proposed Consent Order to Aid Public Comment; Press Release (5/6/99)

2/12/99 GeoCities: Internet Site Agrees to Settle FTC Charges of Deceptively Collecting Personal Information in Agency's First Internet Privacy Case; Commission Establishes Strong Mechanisms for Protecting Consumers' Privacy Online

Complaint; Exhibits to Complaint [PDF]; Decision and Order; Concurring Statement of Commissioner Swindle; Agreement Containing Consent Order; Analysis of Proposed Consent Order to Aid Public Comment; Press Release (8/13/98)

Closing Letters

The staff has issued the following public letters closing investigations related to consumer information privacy:

11/13/03 Longs Drug Store Corp.

11/13/03 Rite Aid Corp.

11/13/03 Wal-Mart Stores, Inc.

12/13/02 Compaq Computer Corp. (Hewlett-Packard Co.)

5/31/02 Earthlink, Inc.

5/25/01 Amazon.com and Alexa Internet [PDF]


5/24/01 FTC Staff Letter to EPIC and Junkbusters on Amazon.com

Letter to staff from Amazon.com (Exhibit A) [PDF]; Petition from EPIC and Junkbusters (12/4/00); Amazon.com privacy policy (pre-9/00) (Exhibit B) [PDF]

1/22/01 DoubleClick, Inc. [PDF]

11/07/00 Yahoo! Inc. [PDF]


1 See News Release, Most Americans Worry About Identity Theft (April 3, 2007), available athttp://interactive.zogby.com/index.cfm.

Federal Trade Commission

Opening Remarks of Deborah Platt MajorasChairman, Federal Trade Commission

“Maintaining Momentum in the Fight Against Identity Theft”National Cyber Security Awareness Summit

Washington, D.C.October 1, 2007

I. Introduction

Good morning. I am pleased to have this opportunity to help kick off National Cyber

Security Awareness Month. Summits like this provide fertile ground for new ideas to germinate

and grow. I hope that today we can plant the seeds for developing new approaches to increase

cybersecurity awareness. I am delighted to be here with Greg Garcia, the Department of

Homeland Security’s Assistant Secretary for Cybersecurity and Communications. Although our

missions differ in certain important respects, our efforts are complementary, and we share the

common goal of ensuring that we in public service do everything in our power to address

cybersecurity threats.

Consumers continue to be concerned about cybersecurity and identity theft. One recent survey revealed that more than 90 percent of adults fear that their identities might be stolen and used for unauthorized transactions.1 Over a third of those surveyed were not confident that companies are taking appropriate steps to protect their personal information. Unfortunately, a recent survey of information technology professionals suggests that consumers are right to be concerned. Over 40 percent of those surveyed believed that their organizations were not doing an adequate job of protecting confidential information.2 In 2007, these numbers are unacceptable.

2 See Press Release, New Research by Oracle and Ponemon Institute Shows Organizations Can Improve Processes to Protect Against Privacy Breaches (June 18, 2007), available at http://www.oracle.com/corporate/press/2007_jun/oracle-ponemon-survey.html.

3 See News Release, Study Shows Banks Could Increase Profitability by $8.3 Billion Per Year if Stronger Security Measures Implemented, available at http://www.tricipher.com/news/pr134.htm.

4 See News Release, U.S. Consumers Lose More Than $7 Billion to Online Threats, Consumer Reports Survey Finds, available at http://www.consumersunion.org/pub/core_telecom_and_utilities/004797.html.

Recent news reports reinforce these concerns. A recent survey of on-line banking customers revealed that nearly 1 in 5 respondents had been victims of identity theft or fraud.3 Another recent survey estimated that consumers lost more than $7 billion over the last two years to viruses, spyware and phishing.4 And news reports in the past few weeks indicate that millions of customers of two major online businesses may have had their personal information compromised. The reports describe a host of exotic-sounding cyber attacks that may have been at play - Trojan horses, phishing, spear phishing, money mules, spyware, and, ultimately, account theft. Plain old, non-exotic-sounding theft, a crime in any era. While we know that organizations increasingly are reinforcing their data security, given all of the reports of breaches, it nonetheless is hardly surprising that consumers fear that the information they provide will be improperly disclosed or, even worse, lead to identity theft and account fraud.

Today’s summit is intended to devise and examine new ways to address cybersecurity awareness and prevention. The FTC supports this effort and continues to confront these issues on several fronts.

II. Identity Theft Task Force

As you likely know, last year the President established his Identity Theft Task Force, charging 17 federal departments and agencies with the mission of developing a comprehensive national strategy to combat identity theft.5 As co-chairman of the Task Force, I have had the opportunity to work with representatives from across the U.S. government, including the Department of Homeland Security.

5 Exec. Order No. 13,402, 71 FR 27945 (May 10, 2006).

6 The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan (“Strategic Plan”), available at http://www.idtheft.gov.

In April, the Task Force submitted its Strategic Plan with 31 recommendations, organized around the life cycle of identity theft, to the President.6 The first series of recommendations is targeted at identity theft prevention by keeping sensitive data out of the hands of criminals and making it more difficult for them to use such data when they do manage to steal it. For example, the Plan recommends several actions in both the public and private sectors to limit the unnecessary use, transfer, and display of Social Security numbers. It also encourages the development of national data security and breach notification standards. In addition, the Task Force recommends a national awareness campaign to teach consumers how to protect their information.

The second set of recommendations relates to victim recovery - helping victims to reestablish their financial identities. Some of these recommendations include the implementation of a standard police report for victims, and assistance and training for “first responders” and victim assistance counselors.

Third, the Plan recommends a number of actions to strengthen law enforcement’s ability to deter and punish identity thieves, including stronger penalties and enhanced cooperation among local, state, federal, and foreign authorities.


The Task Force has made considerable progress in carrying out the recommendations. In the area of data security, the government is investing significant resources to bring its own house in order. The Office of Management and Budget (OMB) has developed a list of the “Top Ten” things about data security that government agencies should be aware of and required all agencies to develop a formal incident response plan by September 30 (yesterday), aided by guidance that the Task Force provided.

Endeavoring to set an example, the FTC has developed an improved information privacy and security program, spearheaded by our Privacy Steering Committee (PSC), a network of senior staff and managers from throughout the Agency who are led by our Chief Privacy Officer and Chief Information Security Officer. I can tell you that they worry about cybersecurity - a lot. The PSC establishes and communicates FTC policies from data collection to data disposal, covering every place information can be found, from major systems and applications, to faxes and file folders. Our Breach Notification Response Plan was completed this past June. This Plan provides a high-level strategy to handle data security breaches, including those incidents posing a potential risk of identity theft. FTC employees are required to report any confirmed or potential breaches of nonpublic information, an obligation reinforced at a week-long awareness campaign the agency held in July. The Plan also establishes the FTC Breach Notification Response Team, whose mission is to provide advance planning and guidance, and a recommended course of action in response to a breach. To date, two dozen federal agencies have requested materials from the FTC’s privacy program and plan to implement practices from it.

In other Task Force work, the Office of Personnel Management is developing unique federal employee identification numbers in an effort to move away from unnecessary uses of social security numbers. Similarly, the Defense Department, which has used social security numbers since the 1960s, is migrating away from their use and overhauling its identification system. The FTC is leading efforts to develop a comprehensive record on the use of Social Security numbers in the private sector, with the goal of developing recommendations on how we can limit the availability of this valuable information to criminals while at the same time preserving the many beneficial purposes for which SSNs are collected, used, and shared. The Commission solicited and received more than 300 public comments on this issue and will hold a workshop on SSN usage on December 10 and 11.7 Many of the comments we received reflect the dilemma we face: while the public is rightly concerned about misuse of their Social Security numbers, these unique identifiers have many important uses - uses that enable hospitals, banks, and universities to link us accurately to our data. At the workshop, we will explore ways to make the SSN less valuable to identity thieves, while still retaining its use in detecting fraud and ensuring accurate matches of data. This past Spring, the Commission also hosted a workshop on authentication, bringing together academics, business groups, consumer advocates, and others to explore new developments in the rapidly changing field of identity management. FTC staff is working on a report that will describe what we learned at this workshop, such as information about technological and policy requirements for developing better authentication processes.

7 See http://www.ftc.gov/opa/2007/07/ssn.shtm.

8 Available at www.idtheft.gov.

With respect to victim assistance, the Commission has already implemented many of the Task Force recommendations, including publishing a “Victims’ Statement of Rights,”8 and launching a standard police report for identity theft victims. The FTC and DOJ are coordinating with the American Bar Association to support more victim assistance through pro bono programs and are developing a training curriculum for victim assistance counselors in the court system. And just last week, the FTC worked with DOJ, the Secret Service, the U.S. Postal Inspection Service, and the American Association of Motor Vehicle Administrators to provide training for local law enforcement in the Chicago area; in December, we will conduct similar training in North and South Carolina.

Finally, with respect to criminal law enforcement, every U.S. Attorney’s Office now has designated an identity theft point of contact, and they are coordinating with state and local law enforcement to prosecute cases and conduct outreach. In fact, some offices recently announced cases against people who used malware to engage in identity theft, as well as cases involving the low-tech bribing of employees to obtain data to commit identity theft.

III. Law Enforcement

A. Data Security

The FTC remains vigilant on the law enforcement front, battling inadequate data security practices, spam and spyware. Over the past few years, the FTC has brought 14 enforcement actions against businesses for their failure to provide reasonable data security. A number of these cases have addressed an issue of particular relevance to the cybersecurity community - the failure by companies to implement readily-available defenses to well-known Web-based hacker attacks, such as Structured Query Language (SQL) injection attacks. As these cases make clear, companies may not ignore their responsibilities to take precautions against reasonably foreseeable cyber-crime techniques. In bringing these cases, we hope that, by now, the message is clear: Be aware of common and well-known security threats and protect against them.
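The readily-available defense against SQL injection that the speech refers to is the parameterized query. As an added illustration that is not part of the speech or of any FTC material, the following Python (standard-library sqlite3, with constructed sample rows) places a string-built query beside its parameterized form; a username containing an apostrophe is enough to show that the first form lets input alter the statement's structure, which is the root cause the injection cases turn on.

```python
import sqlite3

# Constructed sample data for the example (not from the original document).
CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """Build an in-memory table of customers from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_email_unsafe(conn, username):
    """Vulnerable form: the input is spliced into the SQL text, so the
    database parses whatever the user supplied as part of the statement."""
    sql = "SELECT email FROM customers WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_email_safe(conn, username):
    """Hardened form: a parameterized query keeps data separate from code,
    so the input is always treated as a literal value."""
    row = conn.execute(
        "SELECT email FROM customers WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def compare(username):
    """Run both lookups on a fresh database and return (unsafe, safe) results.
    The unsafe lookup reports a database error as a string instead of raising."""
    conn = make_db()
    try:
        unsafe = lookup_email_unsafe(conn, username)
    except sqlite3.OperationalError as exc:
        # An apostrophe in the input already changed the statement's meaning.
        unsafe = "ERROR: " + str(exc)
    safe = lookup_email_safe(conn, username)
    return unsafe, safe
```

With a plain username both forms agree; with O'Brien the string-built query fails to parse while the parameterized one returns the right row.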

9 http://www.ftc.gov/bcp/workshops/spamsummit/index.shtml.

Other data security cases have involved less complex but still significant security deficiencies, such as storing sensitive information in multiple files when there was no longer a business need to keep the information; storing such information in unencrypted files that could be easily accessed using commonly-known user IDs and passwords; and failing to use readily available security measures to prevent unauthorized wireless connections to their networks.

Two points bear emphasizing in connection with our data security cases. First, none of the cases was a close call - in each case, vulnerabilities were multiple and systemic, and in most cases simple, low cost measures were readily available to prevent them. Second, the violation in each of the cases was not the data breach itself, but the failure to take reasonable precautions to prevent it. The Commission today has more than two dozen open data security investigations; where appropriate, we will take enforcement action, continuing our efforts to ensure that companies maintain reasonable safeguards to protect sensitive consumer information.

B. Spam and Phishing

The Commission has maintained an aggressive anti-spam program, bringing nearly 100 cases against 243 companies and individuals engaged in deceptive and unfair spamming practices in the last ten years. This summer the Commission hosted a workshop, “Spam Summit: The Next Generation of Threats and Solutions,” to examine how spam has evolved and what stakeholders can do to address it.9 We learned that, in some respects, consumers seem to be getting the message about the importance of protecting themselves. For example, a Consumer Reports study previewed at the Summit indicates that fewer consumers are replying to spam, and more of them are using spam blocking technology and firewalls on their home computers.10 In the bad news category, however, workshop participants described how spam is being used increasingly as a vehicle for more pernicious conduct, such as phishing and the delivery of viruses and spyware. This spam goes beyond mere annoyance to consumers – it can result in significant harm by shutting down consumers’ computers, enabling keystroke loggers to steal identities, and undermining the stability of the Internet. As one of our staff stated during the two-day event, the Spam Summit was aptly named. When climbing a mountain, the Summit is a place where you can look back to see where you have come from; you can also look forward to see where you are going. Indeed, the Spam Summit took stock of the excellent work stakeholders have done thus far to combat spam. It also re-affirmed a forward-looking commitment to step up law enforcement efforts, improve technological tools, and enhance public-private cooperation, both domestically and internationally.

10 As reported by Jeffrey Fox, Technology Editor of Consumer Reports, on Day 2 of the Spam Summit. A copy of this portion of the transcript is available at http://www.ftc.gov/bcp/workshops/spamsummit/draft_transcript_day2.pdf. A copy of the study from Consumer Reports is available at http://www.consumerreports.org/cro/electronics-computers/computers/internet-and-other-services/net-threats-9-07.

11 See http://www.consumerreports.org/cro/electronics-computers/computers/internet-and-other-services/net-threats-9-07/overview/0709_net_ov.htm.

We are endeavoring, for example, to target “phishing,” to which too many consumers still are falling prey. According to the Consumer Reports study, the number of consumers who submitted personal information in phishing-related identity theft scams remained constant since last year, at about 8 percent of the study respondents.11 In three of our cases, we have targeted “phishers” - identity thieves who used deceptive spam to con consumers out of credit card numbers and other financial data. In these cases, we charged the defendants with violating the FTC Act, which prohibits unfair and deceptive practices, and the Gramm-Leach-Bliley Act, which protects the privacy of consumers’ sensitive financial information. Of course, given that the underlying behavior in phishing scams is typically criminal, we have worked with DOJ. For example, in one of our phishing cases, FTC v. Zachary Hill, the Department of Justice brought a parallel criminal case leading to a 46-month prison sentence for the defendant.12

12 See http://www.ftc.gov/os/caselist/0323102/0323102zkhill.shtm.

13 According to the Anti-phishing Working Group, the financial services sector was the most targeted industry sector at 95.2% of all attacks in the month of June.

The Commission is redoubling its efforts to stop illegal spam and phishing schemes. Phishing is one practice that drives me crazy, because if we could just educate every consumer and train them to hit “delete” rather than “reply,” we could wipe this out. First, in the upcoming months, we plan to convene a half-day anti-phishing roundtable with the goals of identifying opportunities for outreach and securing commitments from key stakeholders in the anti-phishing community, including consumer and industry groups.

Second, we plan to produce a video with important information about phishing. With your help, it should reach millions of people across the Web.

Third, we are working with the anti-phishing community to mobilize members of the financial sector and revitalize consumer education outreach efforts, including promotion of the OnGuardOnline materials. In our view, working with the financial sector will be critical, given that financial services is the industry sector most targeted by phishers.13

Finally, we continue to encourage the industry’s adoption of domain-level email authentication as a significant anti-spam and anti-phishing tool. At our Spam Summit this summer, we learned that industry has made great strides with email authentication - 50 percent of legitimate email is now authenticated.14 A recent study indicates that Internet Service Providers are now applying negative scoring to unauthenticated messages.15 We look forward to working with industry as they continue to advance in their email authentication efforts.

14 See http://www.ftc.gov/bcp/workshops/spamsummit/draft_transcript_day2.pdf at 85.

15 See http://www.dmnews.com/cms/dm-news/e-mail-marketing/42251.html.
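Domain-level email authentication, as referred to above, means checking that the server delivering a message is one the sender's domain has published as authorized. As an added example that is not part of the speech, the following Python evaluates a minimal SPF policy (ip4 mechanisms and the all mechanism only) against a constructed table of TXT records standing in for DNS, and then applies an assumed scoring step of the kind the speech says ISPs use to penalize unauthenticated mail; the domains, records and score values are all constructed for the example.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (not from the document).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "newsletter.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "nopolicy.example": None,  # a domain that publishes no SPF record
}

# SPF qualifier prefixes and the result each yields when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, sender_ip):
    """Evaluate a minimal SPF policy for one connecting IP.

    Supports ip4 mechanisms (with or without a prefix length) and the 'all'
    mechanism, each with an optional qualifier. Mechanisms are tested in
    order and the first match decides. Returns one of
    'pass', 'fail', 'softfail', 'neutral' or 'none'.
    """
    record = SPF_RECORDS.get(sender_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no usable policy published for the domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == 4 and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


# Assumed spam-score adjustments per SPF result: a constructed policy that
# illustrates negative scoring of unauthenticated mail, not any ISP's real one.
SCORE_ADJUSTMENT = {"pass": -1, "neutral": 1, "none": 1, "softfail": 2, "fail": 5}


def score_message(sender_domain, sender_ip):
    """Return (spf_result, score_adjustment) for one inbound message."""
    result = check_spf(sender_domain, sender_ip)
    return result, SCORE_ADJUSTMENT[result]
```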

C. Spyware

The Commission also has been active on the spyware front, bringing eleven enforcement actions in the past two years. These actions have reaffirmed three key principles: First, a consumer’s computer belongs to him or her, not the software distributor. Second, buried disclosures do not work, just as they have never worked in more traditional areas of commerce. And third, if a distributor puts a program on a consumer’s computer that the consumer does not want, the consumer must be able to uninstall or disable it.

The Commission’s settlement against four defendants in the Media Motor case, filed just last week, illustrates these principles. These defendants used malware to silently download dozens of unwanted programs onto more than 15 million consumers’ computers on others’ behalf. These downloaded programs, among other things, hijacked the Internet browser home page; installed a toolbar that displayed disruptive advertising; disseminated a number of pop-up ads, including pornographic ads; monitored Internet use; collected personal information; and even disabled security software. Moreover, once installed, many of these programs were very difficult to remove from computers.

In settling the case, the defendants agreed to clearly and conspicuously disclose the name and function of all software to be installed and provide an option to prevent the installation. They also agreed to refrain from distributing software that “interferes with a consumer’s computer use” and making any false or misleading representations in connection with any product or service. The defendants will pay a total of $330,000 in disgorgement. The Commission will continue to bring enforcement actions in this area.

16 See FTC News Release, FTC Launches Nationwide ID Theft Education Campaign (May 10, 2006), available at http://www.ftc.gov/opa/2006/05/ddd.htm.

17 Available at http://onguardonline.gov/index.html.

IV. Consumer and Business Education

I mentioned consumer education as a way to wipe out phishing. In fact, ensuring maximum cybersecurity more generally requires a trained populace. The FTC last year launched a nationwide identity theft consumer education program - “Avoid ID Theft: Deter, Detect, Defend.”16 The message for consumers is that they can “deter” identity thieves by safeguarding their personal information; “detect” suspicious activity by monitoring their financial accounts, billing statements, and credit reports; and “defend” against ID theft by taking action as soon as they suspect it. This campaign includes both direct-to-consumer outreach materials, as well as a kit with multi-media training materials for employers, community groups, and others to teach their constituents. The FTC to date has distributed more than 2.6 million brochures, has recorded more than 3.2 million visits to the program’s Web site, and has disseminated 55,000 training kits. Several organizations, including the National Association of Realtors, have co-branded and reproduced copies of the materials to distribute among their members. And, you may have seen posters for the campaign on subway cars in Washington, New York, Chicago, and San Francisco.

The FTC also sponsors an innovative multimedia website, OnGuardOnline, designed to educate consumers about basic computer security.17 The site features interactive quizzes, articles, and videos on a range of topics – such as spyware and phishing – as well as information about other resources available to help consumers navigate the world of cybersecurity.

18 Available at http://www.ftc.gov/infosecurity/.

OnGuardOnline was developed in partnership with other governmental agencies and the technology sector. The Department of Homeland Security, for example, provided a series of computer security alerts, which can be found on the site.

We branded OnGuardOnline independently of the FTC so that other organizations may make the information their own and disseminate it in ways that reach the most people and suit their particular needs. Since its launch in late 2005, OnGuardOnline has attracted more than 3.5 million visits. Microsoft, eBay, the National Consumers League, California’s Bank of Stockton, and the Web site of my home state, the Commonwealth of Pennsylvania, are just a few of the entities that are either using or linking to OnGuardOnline materials.

In an effort to educate businesses as well, earlier this year the FTC released a new business guide on data security, which has proven to be very popular.18 The guide articulates the key steps that businesses should take as part of a sound data security plan:

• “Take stock” - Know what personal information you have in your files and on your computers,

• “Scale down” - Keep only what you need for your business,

• “Lock it” - Protect the information that you keep,

• “Pitch it” - Properly dispose of what you no longer need, and

• “Plan ahead” - Create a plan to respond to security incidents.

We also are putting the final touches on an interactive online tutorial based on the data security business guide. Through the tutorial, users will learn about data security from business people in a fictional small town. They share experiences and find answers to common questions about protecting personal information in their care. For example, in one scene, a sales executive gets practical advice on scaling down the amount of personal financial data about his customers he keeps in his files and on his company's computer network. Business employees who watch the tutorial can create and download their own customized tip sheets so they can apply the same advice in their office. Look for the tutorial at www.ftc.gov/infosecurity in about a month.

Also, as recommended by the Identity Theft Task Force, Commission staff is planning to hold regional data security conferences for businesses. We anticipate launching these conferences early next year.

As you can probably tell, I am proud of the efforts we have undertaken in consumer and business education. Other federal agencies also have made great efforts. For example, DHS’s Computer Emergency Readiness Team, or US-CERT, provides a valuable resource to consumers and businesses in identifying cyber threats, preventing cyber attacks, and limiting the damage done by such attacks. But it is not enough. We need every stakeholder joining in the outreach efforts so that we can hit every consumer who touches a computer. It is only through complementary efforts targeted at many different audiences that we will have the most impact.

V. Conclusion

As all of us recognize, data security and identity theft continue to present evolving and complex challenges. Data thieves are constantly developing new ways to overcome security measures and obtain sensitive personal information. Much like the best football coaches, we must constantly update our playbook with new defensive schemes to counter the opposing team’s shifting offensive plans. But an updated playbook is insufficient by itself. The playbook will work only if every member of the team is properly educated and trained to execute the plays. And this is where this summit comes into play. We are here with the common goal of educating members of our team - consumers, businesses, educational institutions, and government agencies - to ensure that all are best prepared for the season ahead, whatever the identity thieves and fraud artists throw at us. I am excited to help open this campaign, and I know that, working together, we can expect a winning season ahead.


UNITED STATES

SECURITIES AND EXCHANGE COMMISSION WASHINGTON, D.C. 20549

DIVISION OF INVESTMENT MANAGEMENT

August 21, 2007

Ms. Mary Podesta Acting General Counsel Investment Company Institute 1401 H Street, NW Washington, DC 20005

Re: Funds' Use of Rule 22c-2 Information for Marketing Purposes

Dear Ms. Podesta:

The enclosed newspaper article drew our attention by suggesting that funds may use for marketing purposes the shareholder identity and trading information they receive from intermediaries under rule 22c-2.1 Please share with your membership a reminder that funds' use or disclosure of rule 22c-2 information for marketing purposes is prohibited under the Gramm-Leach-Bliley Act's privacy rules, unless the intermediaries' consumers have been given notice and the opportunity to opt out of this information sharing.

As you know, rule 22c-2 requires funds to enter into written agreements with their financial intermediaries, including those holding shares through omnibus accounts, under which the intermediaries must agree to provide funds with certain shareholder identity and transaction information upon request.2 Under the rule, funds must be able to request and promptly receive shareholder identity and transaction information pursuant to these agreements by October 16, 2007.

As was noted in the release adopting rule 22c-2, funds' use of this shareholder identity and transaction information for marketing purposes is governed by the Gramm-Leach-Bliley Act's privacy rules.3 In general, the privacy rules require that financial institutions, including investment companies, provide consumers with notice and an opportunity to opt out before institutions are permitted to share consumers' nonpublic personal information with nonaffiliated third parties.4 In response to commenters' concerns that these restrictions would prohibit or interfere with rule 22c-2's shareholder information agreements, the Commission noted its view that rule 22c-2 information disclosures are permitted under certain of the privacy rules' exceptions.5 In particular, the Commission noted that these disclosures are within the scope of the privacy rules' exceptions for (1) processing and servicing transactions at the consumers' request and (2) complying with applicable legal requirements.6

1 Daisy Maxey, Funds' Outsourcing May Be Boon to Investors, Wall St. J. (May 29, 2007) at C2 ("rule [22c-2] may provide mutual-fund companies with 'a treasure trove of data they can mine to market directly to customers'"). See also Lee Barney, Rule 22c-2 Offers Funds Great Marketing Prospects, Money Management Executive (Jun. 4, 2007) ("While the mutual fund industry has wrangled over, and largely resisted, the logistics and the estimated $617 million cost of complying with Rule 22c-2 for the past three years, funds should actually view the perceived regulatory onus in a new light: As a tremendous marketing opportunity.")

2 17 CFR 270.22c-2(a)(2)(i).

This finding has two practical consequences. First, it means that most intermediaries will not have to change their privacy or opt out notices in order to comply with rule 22c-2. This is because the privacy rules permit information sharing under the exceptions if financial institutions include in their privacy notices a statement that they make disclosures to "other nonaffiliated third parties as permitted by law."7 As a matter of routine practice, most financial institutions currently include this statement in their privacy notices.

Second, it means that funds receiving rule 22c-2 information under the exceptions are permitted to use or redisclose this information only for purposes of the exception, which does not include marketing purposes, unless permitted under the intermediary's privacy policy.8 This is because the privacy rules limit the redisclosure and reuse of information received under an exception to the purposes for which the information was received.9 Thus, unless the intermediaries' privacy policies disclose this information sharing and the consumer has not opted out, investment companies are prohibited from using rule 22c-2 information for marketing purposes under the privacy rules' general restrictions on sharing nonpublic personal information with nonaffiliated third parties.10

3 See Mutual Fund Redemption Fees, Investment Company Act Release No. 27504 (Sept. 27, 2006) [71 FR 58257 (Oct. 3, 2006)] at n.44. See also Mutual Fund Redemption Fees, Investment Company Act Release No. 26375A (Mar. 5, 2004) [69 FR 11762 (Mar. 11, 2004)] at n.47; Mutual Fund Redemption Fees, Investment Company Act Release No. 26782 (Mar. 11, 2005) [70 FR 13328 (Mar. 18, 2005)] at n.47; Mutual Fund Redemption Fees, Investment Company Act Release No. 27255 (Feb. 28, 2006) [71 FR 11351 (Mar. 7, 2006)] at nn. 16, 19.

4 See 15 U.S.C. 6802. The Commission's limitation on the disclosure of nonpublic personal information to nonaffiliated third parties can be found in section 10(a)(1) of Regulation S-P (17 CFR 248.10(a)(1)). Regulation S-P applies to brokers, dealers, investment companies and investment advisers registered with the Commission. Privacy rules that are consistent and comparable apply to other financial institutions who may act as intermediaries. For example, limitations on national banks' disclosure of nonpublic personal information to nonaffiliated third parties can be found in the Comptroller of the Currency's privacy rule. See 12 CFR 40.10(a)(1).

5 See supra note 3.

6 See, e.g., 17 CFR 248.14(a), (b)(2) and 17 CFR 248.15(a)(7)(i).

7 See 17 CFR 248.6(b).

8 See Privacy of Consumer Financial Information (Regulation S-P), Securities Exchange Act Release No. 42974, Investment Company Act Release No. 24543, Investment Advisers Act Release No. 1883 (Jun. 22, 2000) [65 FR 40334 (Jun. 29, 2000)] at text accompanying n. 150.

Thank you in advance for your attention to this matter. If your members have questions concerning the disclosure or use of rule 22c-2 information for marketing purposes, those questions should be addressed to the Office of Regulatory Policy.

Sincerely,

Robert Plaze Associate Director

9 See, e.g., 17 CFR 248.11(a) and (c). The privacy rules also contain an example prohibiting the use of information received under the relevant exceptions for marketing purposes. See 17 CFR 248.11(a)(2).

10 See, e.g., 17 CFR 248.10(a)(1).


SECURITIES AND EXCHANGE COMMISSION Washington, D.C.

SECURITIES EXCHANGE ACT OF 1934 Release No. 56316 / August 24, 2007

Administrative Proceeding File No. 3-12738

In the Matter of NEXT Financial Group, Inc.

The United States Securities and Exchange Commission (Commission) announced the issuance of an Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 15(b) and 21C of the Securities Exchange Act of 1934 (Order) against NEXT Financial Group, Inc. (NEXT).

The Order alleges that NEXT, a registered broker-dealer headquartered in Houston, Texas, willfully violated Regulation S-P by disclosing nonpublic personal information about its customers to nonaffiliated third parties, without allowing the customer the opportunity to opt out of such disclosure, by allowing registered representatives to take customer nonpublic personal information with them when leaving NEXT's employment. The Order also alleges that NEXT willfully aided and abetted and caused other broker-dealers' violations of Regulation S-P by encouraging, and in many cases facilitating, newly employed registered representatives to bring their customers' nonpublic personal information, such as social security numbers, account numbers, passport numbers, driver's license numbers, dates of birth and customer financial information, to NEXT without proper notice to the customer and a reasonable opportunity to opt out of such disclosure.

A hearing will be scheduled before an administrative law judge to determine whether the allegations contained in the Order are true, to provide NEXT an opportunity to respond to these allegations, and to determine what sanctions, if any, are appropriate and in the public interest. The Order directs the administrative law judge to issue an initial decision within 300 days from the date of service of the Order Instituting Proceedings.


FDIC Board Meetings

Location: Board Room on the sixth floor of the FDIC Building located at 550 - 17th Street, N.W., Washington, D.C.

Date: October 16, 2007

Description: Pursuant to the provisions of the "Government in the Sunshine Act" (5 U.S.C. 552b), notice is hereby given that the Federal Deposit Insurance Corporation's Board of Directors will meet in open session at 10:00 a.m. on Tuesday, October 16, 2007, to consider the following matters:

Summary Agenda: No substantive discussion of the following items is anticipated. These matters will be resolved with a single vote unless a member of the Board of Directors requests that an item be moved to the discussion agenda.

Disposition of minutes of previous Board of Directors' meetings.

Memorandum and resolution re: Proposed FDIC Liquidation Investment Policy.1

Memorandum and resolution re: Final Rule Adopting Amendment to Part 344 to Extend the Time Period to Report Quarterly Personal Securities Transactions.1

Memorandum and resolution re: Proposed Amendments to Annual Audit and Reporting Requirements (Part 363) and Related Technical Amendment (Part 308, Subpart U).1

Memorandum and resolution re: Notice of New and Revised Privacy Act Systems of Records.1

Discussion Agenda:

Memorandum and resolution re: Interagency Final Rule Regarding Affiliate Marketing - Section 214 of the Fair and Accurate Credit Transactions Act of 2003.1

Memorandum and resolution re: Interagency Final Rule Regarding Identity Theft Red Flags and Address Discrepancies under Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.1

The meeting will be held in the Board Room on the sixth floor of the FDIC Building located at 550 - 17th Street, N.W., Washington, D.C.

The FDIC will provide attendees with auxiliary aids (e.g., sign language interpretation) required for this meeting. Those attendees needing such assistance should call (703) 562-6067 (Voice or TTY), to make necessary arrangements.


Requests for further information concerning the meeting may be directed to Mr. Robert E. Feldman, Executive Secretary of the Corporation, at (202) 898-7122.

Point of Contact: Mr. Robert E. Feldman, Executive Secretary

1 Note: Links are to draft documents which are subject to change prior to publication in the Federal Register. Once the finalized document is published in the Federal Register, we will update this page to link to the Federal Register document.

Last Updated 10/16/2007


September 18, 2007

MEMORANDUM TO: The Board of Directors

FROM: Sandra L. Thompson Director Division of Supervision and Consumer Protection

Sara A. Kelsey General Counsel

SUBJECT: Interagency Final Rule Regarding Affiliate Marketing Section 214 of the Fair and Accurate Credit Transactions Act of 2003

RECOMMENDATION:

We recommend that the Board of Directors (Board) of the Federal Deposit Insurance Corporation authorize the Executive Secretary to publish in the Federal Register a joint final rule with the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the National Credit Union Administration (collectively, the Agencies) to implement Section 214 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act).1 The attached final rule contains regulations, required by section 214, to provide consumers with notice and the opportunity to opt out of certain marketing conducted by affiliated financial institutions.

We also recommend that the Board authorize the Executive Secretary and the General Counsel to make technical, nonsubstantive, or conforming changes to the text of the rule where necessary to ensure that the Agencies can jointly publish the rule, and to take such other actions and issue such other documents as they deem necessary or appropriate to fulfill the Board's objectives.

DISCUSSION:

1. Background.

Section 214, which created Section 624 of the Fair Credit Reporting Act (FCRA), provides a consumer with the ability to limit the circumstances under which an affiliated institution may use certain information received from another affiliate to market to the consumer. Defined as "eligibility information" in the rule, this information includes a person's own transaction and experience information, such as account history, and other information, such as data gathered from consumer reports or applications. An affiliate that receives eligibility information may not use it to market to the consumer until the consumer has been provided with a notice that explains that the information may be transferred among affiliates for marketing purposes; provided with a reasonable opportunity and a simple method by which to opt out; and has not opted out within the time period provided in the notice.

1 The Securities and Exchange Commission and the Federal Trade Commission also are required to publish rules under section 214 and will do so in separate notices in the Federal Register.

The notice described in section 214 is not required in certain circumstances, such as when an affiliate never uses the information it receives to market to consumers, or when the receiving affiliate has a pre-existing business relationship with consumers.

Pursuant to Section 214, the notice is to be clear, conspicuous, and concise. The method by which a consumer may opt out must be simple. In addition, the opt out must be effective for a period of at least five years. A consumer who elects to opt out is entitled to a subsequent notice and opportunity to extend the opt out for at least an additional five years before any receiving affiliate may use information about the consumer for marketing purposes following the expiration of any opt out period.

The disclosures required by this section may be combined with any other disclosures required by law, including the privacy disclosures required by title V of the Gramm-Leach-Bliley Act (GLBA).

2. Proposal. On July 15, 2004, the Agencies published a joint notice of proposed rulemaking (NPR) in the Federal Register, at 69 FR 42502.

Section 214 does not specify which institution is required to provide the opt out notice. However, the Agencies stated in the preamble to the proposal that the notice would be meaningful only if it came from an institution with which the consumer has an existing relationship. Consequently, the proposed rule assigned responsibility for providing the notice to the institution that is sharing eligibility information with its affiliates. The proposed rule also prohibited the affiliate that receives information from using it for marketing unless the affected consumers have been given the opportunity to opt out, but have not elected to do so.

As required by Section 214, the proposal provided certain exceptions when an opt out notice is not required. Under these exceptions, an opt out notice is not required where the marketing affiliate: (1) has a pre-existing business relationship with the consumer; (2) already provides benefits to the consumer under an employee benefit plan; (3) responds to a communication initiated by the consumer; or (4) responds to an affirmative authorization or request by the consumer.

The proposed rule provided that a financial institution may use a third party to provide the required notice on its behalf. For example, a group of affiliates could rely on an affiliate engaged solely in marketing activities. In this situation, the marketing affiliate may provide opt out notices for the entire group. Alternatively, the opt out notice could be provided by the affiliate that actually intends to do the marketing. However, if a third party transmits the notice, it must clearly explain that it is doing so on behalf of the entity with which the consumer has a relationship. The notice must either identify that entity by name or be sent on behalf of a group of affiliates that share a common name. Moreover, where a third party is used, that entity may not combine the opt out notice with marketing material from any financial institution other than the affiliate with which the consumer already has a relationship.

The proposal asked for comment about whether notices would be required for "constructive sharing," which is when one affiliate provides another with specific eligibility criteria for a solicitation and then asks that second affiliate to make the solicitation on its behalf to consumers that meet the eligibility criteria.

3. Comments Received. The FDIC received 29 comments. The commenters included eight financial institutions or financial institution holding companies, eight financial institution trade associations, eight other business entities, one community group, the National Association of Attorneys General, and three individuals. Although many commenters sent copies of the same letter to more than one Agency, the other Agencies received other comment letters, which were also reviewed by FDIC staff.

Most industry commenters raised questions about which affiliate would be responsible for providing the notice, the scope of certain exceptions to the notice and opt-out requirement, and the reach of certain definitions such as "pre-existing business relationship." Consumer groups and the National Association of Attorneys General generally supported the proposal, although these commenters expressed concern that the Agencies would read certain exceptions to the general rule too expansively. They were particularly interested in how the Agencies would apply the "constructive sharing" concept.

4. Final Rule

When Notice and Opt Out Is Required

The FDIC's final rule will apply to state non-member banks and their subsidiaries. As in the proposal, the final rule sets out three conditions that must be met before an affiliate may use eligibility information for marketing purposes. First, an affected consumer must receive clear, conspicuous, concise, written notice that the affiliate may use shared eligibility information to make solicitations to him/her. Second, the consumer must be provided with a reasonable opportunity and a reasonable and simple method to direct the affiliate not to use his/her eligibility information for this purpose. Third, the consumer must not have exercised his/her opportunity to opt out.

Under the rule, these notice and opt out requirements come into play in the situation when an affiliated entity receives eligibility information from an affiliate; uses the information to identify the type of consumer to receive a solicitation; and, as a result of the use of the information, provides a solicitation to consumers.

An entity may receive eligibility information from its affiliate in various ways, including when the affiliate places that information into an accessible common database.

After considering the comments received about "constructive sharing," the Agencies concluded that no notice was required because no information is shared before the marketing affiliate sends marketing material to its own customers. In contrast, the opt out notice is required when an affiliate accesses a joint database, reviews data about its affiliate's consumers and, based on its review, decides to market to some of these customers regardless of whether the affiliate handles its own marketing or asks its affiliate to send it.

Under the final rule, an opt out must be valid for at least five years. After the opt-out period expires, marketing restrictions apply. Specifically, an entity that has received eligibility information from an affiliate about a consumer who previously opted out may not solicit that consumer until he/she has been given a renewal notice and a reasonable opportunity to opt out, and does not renew the opt-out.

Who Must Provide the Notice

The final rule provides that the opt-out notice must be provided by an affiliate that has or has previously had a pre-existing business relationship with the consumer.2 This provision is important in the context of identity theft because sensitive information, such as a Social Security number, is likely to be requested to process an opt-out. Consequently, the requirement that an opt-out notice come from a party known to a consumer is consistent with the Agencies' advice against providing such information to persons or entities with whom a consumer is not familiar. However, inter-agency staff continues to work on these issues and contemplate recommending additional options to address the protection of sensitive information and the means of providing consumers with the opportunity to opt-out of information sharing and use.

Exceptions to the Notice and Opt Out Requirement

The final rule sets out the statutory exceptions to the notice and opt out requirements:

Marketing to a consumer with whom an entity has a pre-existing business relationship;
Facilitating communications to an individual for whose benefit an entity has provided employee benefit or other services;
Performing services on behalf of an affiliate, except for marketing on behalf of an affiliate if the affiliate would not be permitted to do so;
Responding to a communication about products or services initiated by the consumer;
Responding to an authorization or request by the consumer to receive solicitations; or
Complying with any provision of State insurance laws pertaining to unfair discrimination in any State in which the entity is lawfully doing business.

Applicability of the Rule to Shared Service Providers

The final rule also provides carefully crafted conditions that permit a service provider to receive eligibility information from an affiliate and market to the affiliate's customers without a notice and opt out. These conditions are designed to ensure that the affiliate with the pre-existing business relationship with the consumer responsibly controls the service provider's receipt and use of the consumer's eligibility information.

Consolidation with Other Notices

Consistent with the direction of Section 214, the final rule permits an affiliate marketing notice to be coordinated and consolidated with any other notice or disclosure required to be issued under any other provision of law, including the Gramm-Leach-Bliley Act privacy notice.

2 The notice may be part of a joint notice from two or more members of an affiliated group, as long as at least one of the affiliates has or has previously had a pre-existing business relationship with the consumer.

Effective Date

The final rules will become effective January 1, 2008. Consistent with the statute's directive that the Agencies ensure that notices may be consolidated and coordinated, the mandatory compliance date is delayed to give institutions a reasonable amount of time to include the affiliate marketing opt-out notice with their initial and annual privacy notices. Accordingly, compliance is required not later than October 1, 2008.

Staff members knowledgeable about this case:

David P. Lafleur Division of Supervision and Consumer Protection (x86569)

April Breslaw Division of Supervision and Consumer Protection (x86609)

Ruth R. Amberg Legal Division (x83736)

Richard M. Schwartz Legal Division (x87424)

Richard B. Foley Legal Division (x83784)

Attachments

MEMORANDUM TO: The Board of Directors

FROM: Sandra L. Thompson Director Division of Supervision and Consumer Protection

Sara A. Kelsey General Counsel

SUBJECT: Interagency Final Rule Regarding Identity Theft Red Flags and Address Discrepancies under Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003

RECOMMENDATION:

We recommend that the Board of Directors (Board) of the Federal Deposit Insurance Corporation (FDIC or Corporation) authorize the Executive Secretary to publish in the Federal Register a final rule jointly with the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the National Credit Union Administration, and the Federal Trade Commission (collectively, the Agencies) to implement Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act).

The rule would establish: (1) interagency regulations requiring financial institutions and creditors to develop and implement a written identity theft prevention program; (2) interagency guidelines describing factors that financial institutions and creditors should address in their programs’ policies and procedures; (3) interagency regulations requiring credit and debit card issuers to assess the validity of a request for a change of address under certain circumstances; and (4) interagency regulations addressing reasonable policies and procedures that a user of consumer reports should employ upon receiving a notice of address discrepancy from a consumer reporting agency.

We also recommend that the Board authorize the Executive Secretary and the General Counsel to make technical, nonsubstantive, or conforming changes to the text of the rule where necessary to ensure that the Agencies can jointly publish the rule, and to take such other actions and issue such other documents as they deem necessary or appropriate to fulfill the Board’s objectives.

DISCUSSION:

1. Background. The guidelines and regulations are required by sections 114 and 315 of the FACT Act, which amend the Fair Credit Reporting Act (FCRA). Section 114 of the FACT Act requires the Agencies to jointly issue guidelines for use by financial institutions and creditors regarding identity theft. In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft, and they must consider requiring financial institutions and creditors to follow reasonable policies and procedures that provide for notice to a consumer when a transaction occurs with an inactive account. In addition to the guidelines themselves, the Agencies must issue regulations requiring financial institutions and creditors to establish reasonable policies and procedures for implementing the guidelines. The Agencies also must issue regulations requiring credit and debit card issuers to assess the validity of change of address requests.


Section 315 of the FACT Act requires the Agencies to issue regulations providing guidance regarding policies and procedures that users of consumer reports shall use when they receive notice from a consumer reporting agency of a substantial difference between the consumer address used to request the consumer report and the address for that consumer in the consumer reporting agency’s file. (The guidelines and regulations required by section 114 are referred to collectively as the Red Flag Regulations.)

2. Proposal. On July 18, 2006, the Agencies published a joint notice of proposed rulemaking (NPR) in the Federal Register, at 71 FR 40786, proposing rules and guidelines to implement section 114 and proposing rules to implement section 315 of the FACT Act.

Identity Theft Prevention Program

The Agencies proposed to implement section 114 through regulations requiring each financial institution and creditor to implement a written Identity Theft Prevention Program (Program) and setting forth certain requirements for that Program. The Agencies also proposed guidelines that identified 31 patterns, practices, and specific forms of activity that indicate a possible risk of identity theft (red flags). The proposed regulations required each financial institution and creditor to incorporate into its Program relevant red flags, including indicators from among those listed in the guidelines. To promote flexibility and responsiveness to the changing nature of identity theft, the proposed rule also stated that covered entities would need to include in their Programs relevant red flags from applicable supervisory guidance, their own experiences, and methods that the entity had identified that reflect changes in identity theft risks.

Change of Address Requests for Card Issuers

The proposal also required credit and debit card issuers to assess the validity of change of address requests. The rules related to this issue come into play when the card issuer receives a notice of change of address for an existing account, and within a short period of time (during at least the first 30 days after it receives such notification) receives a request for an additional or replacement card for the same account. In these cases, the card issuer may not honor the request and issue such a card, unless it assesses the validity of the change of address request in at least one of three ways. The proposal required that, in accordance with the card issuer’s reasonable policies and procedures, the card issuer must: (1) notify the cardholder of the request at the cardholder’s former address and provide to the cardholder a means of promptly reporting incorrect address changes; (2) notify the cardholder of the request by any other means of communication that the card issuer and the cardholder have previously agreed to use; or (3) use other means of assessing the validity of the change of address, in accordance with the policies and procedures that the card issuer has established. These factors were taken directly from Section 114 of the FACT Act.
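As an added illustration (not part of the FDIC memorandum or of the rule text), the following Python check applies the change-of-address condition described above to a stream of account events: a card request arriving within the window after an address-change notice is held unless that change was validated by one of the three recognized methods before the request. The event layout, the method labels and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Minimum period after an address-change notice during which a card request
# must be treated as suspect. The rule requires at least 30 days, so an
# issuer may configure a longer window.
WINDOW_DAYS = 30

# The three validation methods named in section 114 (labels are assumptions).
VALID_METHODS = {
    "notify_former_address",  # notice sent to the cardholder's former address
    "agreed_channel",         # notice via a channel previously agreed with the cardholder
    "other_means",            # other validation under the issuer's own procedures
}


@dataclass(frozen=True)
class Event:
    account: str
    kind: str                     # "address_change", "address_validated" or "card_request"
    when: date
    method: Optional[str] = None  # validation method; only set on address_validated


@dataclass(frozen=True)
class Decision:
    account: str
    request_date: date
    hold: bool    # True: do not issue the card until the address change is validated
    reason: str


def _validated(change: Event, req: Event, evs: List[Event]) -> bool:
    """True when a recognized validation happened after the change and before the request."""
    return any(v.kind == "address_validated"
               and v.method in VALID_METHODS
               and change.when <= v.when <= req.when
               for v in evs)


def evaluate_card_requests(events: List[Event],
                           window_days: int = WINDOW_DAYS) -> List[Decision]:
    """Apply the change-of-address check to every card request in the event stream."""
    by_account: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_account.setdefault(ev.account, []).append(ev)

    decisions: List[Decision] = []
    for account, evs in by_account.items():
        for req in evs:
            if req.kind != "card_request":
                continue
            # Address changes notified on the request day or within the window before it.
            changes = [c for c in evs
                       if c.kind == "address_change"
                       and 0 <= (req.when - c.when).days <= window_days]
            if not changes:
                decisions.append(Decision(account, req.when, False,
                                          "no address change within the window"))
                continue
            unvalidated = [c for c in changes if not _validated(c, req, evs)]
            if unvalidated:
                decisions.append(Decision(account, req.when, True,
                    f"address change of {unvalidated[0].when} not validated before the request"))
            else:
                decisions.append(Decision(account, req.when, False,
                                          "all address changes in the window were validated"))
    return decisions


# Constructed sample events (not real account data).
SAMPLE_EVENTS = [
    # A: change, then a card request 10 days later, never validated -> hold.
    Event("A", "address_change", date(2007, 8, 1)),
    Event("A", "card_request", date(2007, 8, 11)),
    # B: same pattern, but the former address was notified first -> allow.
    Event("B", "address_change", date(2007, 8, 1)),
    Event("B", "address_validated", date(2007, 8, 4), method="notify_former_address"),
    Event("B", "card_request", date(2007, 8, 11)),
    # C: card request 45 days after the change, outside a 30-day window -> allow.
    Event("C", "address_change", date(2007, 8, 1)),
    Event("C", "card_request", date(2007, 9, 15)),
    # D: "validation" by a method the rule does not recognize -> still hold.
    Event("D", "address_change", date(2007, 8, 1)),
    Event("D", "address_validated", date(2007, 8, 2), method="unverified_email"),
    Event("D", "card_request", date(2007, 8, 6)),
    # E: validation recorded only after the card request arrived -> hold.
    Event("E", "address_change", date(2007, 8, 1)),
    Event("E", "card_request", date(2007, 8, 5)),
    Event("E", "address_validated", date(2007, 8, 9), method="agreed_channel"),
]


if __name__ == "__main__":
    for d in evaluate_card_requests(SAMPLE_EVENTS):
        print(d.account, d.request_date, "HOLD" if d.hold else "issue", "-", d.reason)
```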

Verifying Consumer Identity Upon Notice of Address Discrepancy

In addition, the Agencies proposed joint regulations under section 315 that required a user of a consumer report to develop and implement reasonable policies and procedures for "verifying the identity of the consumer for whom it has obtained a consumer report" whenever it receives a notice of substantial address discrepancy from a consumer reporting agency. Under the proposal, these policies and procedures would need to be designed to enable the user to form a reasonable belief that it knows the identity of the consumer for whom it has obtained a consumer report, or determine that it cannot do so. Under the proposal, the user may reasonably confirm an address is accurate by verifying the address with the person to whom the consumer report pertains, reviewing its own records of the address provided to request the consumer report, verifying the address through third-party sources, or using other reasonable means. This section provided that if a user employed the policies and procedures regarding identification and verification set forth in the customer identification program (CIP) regulations implementing section 326 of the USA PATRIOT Act, it satisfied the requirement to have policies and procedures to verify the identity of the consumer. The proposal further provided that a user must develop and implement reasonable policies and procedures for furnishing to the consumer reporting agency an address for the consumer that the user has reasonably confirmed is accurate when certain conditions are satisfied.

3. Comments Received. The public comment period closed on September 18, 2006. The FDIC received 38 comments. The comments included 27 from financial institutions or financial institution holding companies, seven from financial institution trade associations, three from other business entities, and one from an intellectual property task force. The Agencies collectively received a total of 128 comments in response to the NPR (although many commenters sent copies of the same letter to each of the Agencies), including three comments from consumer groups.

With respect to the red flag regulations and guidelines, most industry commenters asserted that the proposal was overly prescriptive, contained requirements beyond those mandated in the FACT Act, would be costly and burdensome to implement, and would complicate the existing efforts of financial institutions and creditors to detect and prevent identity theft. Some industry commenters asserted that the rulemaking was unnecessary because large businesses, such as banks and telecommunications companies, already are motivated to prevent identity theft and other forms of fraud in order to limit their own financial losses and are already doing most of what would be required by the proposal as a result of having to comply with the CIP rules and other existing requirements. Consumer groups maintained that the proposed regulations provided too much discretion to financial institutions and creditors. Some small financial institutions also expressed concern about the flexibility afforded by the proposal and stated that they preferred to have clearer, more structured guidance describing exactly how to develop and implement a Program and what they would need to do to achieve compliance.

Thirteen comment letters sent to the FDIC addressed the portion of the proposal concerning credit and debit card issuers who need to assess the validity of change of address requests followed shortly by a request for an additional or replacement card. All of the comments requested greater flexibility.

Sixteen comment letters sent to FDIC dealt with the proposal implementing Section 315. Many of these commenters stated that the proposal went too far, would be burdensome and expensive, and would hamper timely customer service. Consumer groups objected to the proposal because it did not go far enough with respect to verification and notification.

4. Final Rule

A. Red Flag Regulations.

Identity Theft Prevention Program

Under the final Red Flag Regulations, a financial institution or creditor must have a written Identity Theft Prevention Program for all accounts primarily for personal, family, or household purposes and for all other accounts in which the financial institution or creditor determines there is a reasonably foreseeable risk of identity theft. The final regulations provide that the Program must be designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The final Red Flag Regulations adopt a flexible risk-based approach similar to the approach used in the "Interagency Guidelines Establishing Information Security Standards" (Information Security Standards) issued by the federal banking agencies and the "Standards for Safeguarding Customer Information" issued by the Federal Trade Commission, to implement section 501(b) of the Gramm-Leach-Bliley Act. (The FDIC's Information Security Standards are set forth at 12 C.F.R. Part 364, Appendix B.) As with the program described in the Information Security Standards, the Program must be appropriate to the size and complexity of the institution and the nature and scope of its activities, and be flexible enough to address changing identity theft risks as they arise.

Some institutions and creditors may combine their Programs with their information security programs, as these programs are complementary in many ways. As with the Information Security Standards, the FDIC’s Red Flag Regulations will apply to state non-member banks and their subsidiaries.

The final regulations list the four basic elements that must be included in the Program of a financial institution or creditor. The Program must contain “reasonable policies and procedures” to:

Identify relevant red flags for covered accounts and incorporate those red flags into the Program;
Detect red flags that have been incorporated into the Program;
Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
Ensure the Program is updated periodically to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

The regulations also enumerate certain steps that financial institutions and creditors must take to administer the Program. These steps include obtaining approval of the initial written Program by the board of directors or a committee of the board, ensuring oversight of the development, implementation and administration of the Program, training staff, and overseeing service provider arrangements.

Appendix J to the final regulations contains detailed guidelines to financial institutions and creditors on how to formulate and maintain a Program that satisfies the requirements of the regulations to detect, prevent, and mitigate identity theft. Each covered financial institution or creditor must consider the guidelines and include in its Program those guidelines that are appropriate. The guidelines provide policies and procedures for use by institutions and creditors to satisfy the requirements of the final rules, including the four elements listed above. While an institution or creditor may determine that particular guidelines are not appropriate to incorporate into its Program, the Program must nonetheless contain reasonable policies and procedures to meet the specific requirements of the final rules. The illustrative examples of Red Flags formerly in Appendix J are now listed in a supplement to the guidelines.

Change of Address Requests for Card Issuers

The Red Flag Regulations also provide that a credit or debit card issuer who receives notification of a change of address for an account, and within a short period of time afterwards (during at least the first 30 days after it receives such notification) receives a request for an additional or replacement card for the same account, may not honor the request and issue such a card, unless it assesses the validity of the change of address request in at least one of three ways:

Notifying the cardholder of the request at the cardholder’s former address and providing to the cardholder a means of promptly reporting incorrect address changes;
Notifying the cardholder of the request by any other means of communication that the card issuer and the cardholder have previously agreed to use; or
Using other means of assessing the validity of the change of address, in accordance with the policies and procedures that the card issuer has established pursuant to the Red Flag Regulations.

In order to provide some flexibility, the final rule clarifies that a card issuer may satisfy the requirements by validating an address whenever it receives an address change notification, even if that notification arrives before it receives a request for an additional or replacement card.
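The change-of-address check described above, as an added illustration that is not part of the ABA materials: a card request is held when an address-change notification for the same account arrived within the look-back window (at least 30 days) and was not validated by one of the three permitted means, and a validation performed when the notification arrived counts regardless of when the card request follows. The event records, method names, and window parameter are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_WINDOW_DAYS = 30  # the rule requires a window of at least the first 30 days

# Constructed labels for the three permitted validation means (not rule terminology).
VALID_METHODS = {"notify_former_address", "notify_agreed_channel", "other_program_means"}


@dataclass
class AddressChange:
    account: str
    received: date
    validated_by: Optional[str] = None  # one of VALID_METHODS, or None if unvalidated


@dataclass
class CardRequest:
    account: str
    received: date


def card_request_decision(request: CardRequest, changes: List[AddressChange],
                          window_days: int = MIN_WINDOW_DAYS) -> Tuple[str, str]:
    """Return ("issue", reason) or ("hold", reason) for an additional/replacement card request."""
    if window_days < MIN_WINDOW_DAYS:
        raise ValueError("look-back window must cover at least the first 30 days")
    window_start = request.received - timedelta(days=window_days)
    # Address changes for this account received within the window before the request.
    recent = [c for c in changes
              if c.account == request.account and window_start <= c.received <= request.received]
    if not recent:
        return ("issue", "no address change within window")
    # Validation at notification time counts, so any change carrying a permitted method is fine.
    unvalidated = [c for c in recent if c.validated_by not in VALID_METHODS]
    if unvalidated:
        return ("hold", f"{len(unvalidated)} unvalidated address change(s) within {window_days} days")
    return ("issue", "address change(s) validated by a permitted means")


# Constructed sample events: two accounts, one validated change and one not.
SAMPLE_CHANGES = [
    AddressChange("acct-1", date(2008, 11, 3)),                          # never validated
    AddressChange("acct-2", date(2008, 11, 3), "notify_former_address"),  # validated on receipt
]
SAMPLE_REQUESTS = [CardRequest("acct-1", date(2008, 11, 20)), CardRequest("acct-2", date(2008, 11, 20))]


def demo() -> List[str]:
    """Decision for each constructed request; expected ["hold", "issue"]."""
    return [card_request_decision(r, SAMPLE_CHANGES)[0] for r in SAMPLE_REQUESTS]
```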


B. Address Discrepancy Regulations. Section 315 of the FACT Act requires that a nationwide consumer reporting agency (CRA), when providing consumer reports to a requesting user, must notify the requesting user of the existence of a discrepancy if the address provided by the user in its request “substantially differs” from the address the consumer reporting agency has in the consumer’s file. Section 315 also requires the Agencies to jointly issue regulations that provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy from the CRA.

To implement this provision, the final rules provide that a user must develop and implement reasonable policies and procedures that are designed to enable it to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report when the user receives a notice of address discrepancy. These policies and procedures apply both in connection with the opening of an account and in other circumstances when the user already has a relationship with the consumer, such as when the consumer applies for an increased credit line. If a user cannot establish a reasonable belief that the consumer report relates to the consumer about whom it has requested the report, the Agencies expect that the user will not use that report.

The final rule provides examples that a user may employ to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report. These examples include comparing information provided by the CRA with information that the user (1) obtains and uses to verify the consumer’s identity in accordance with the requirements of the CIP rules; (2) maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or (3) obtains from third-party sources. Another example is verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

The final rule also contains a requirement that a user must develop and implement reasonable policies and procedures for furnishing an address for the consumer to the CRA that the user has reasonably confirmed is accurate, when the following three conditions are present: (1) the user forms a reasonable belief that a consumer report relates to the consumer about whom it requested the report; (2) the user “establishes” a continuing relationship with the consumer; and (3) the user regularly and in the ordinary course of business furnishes information to the CRA. The preamble to the final rule states that a similar requirement for existing accounts exists in Section 623 of the FCRA, which requires users to promptly provide to CRAs complete and accurate information about those accounts.

C. Effective Date. The final rules and guidelines discussed above will be effective the first day of the calendar quarter after publication in the Federal Register. The mandatory compliance date for rules and guidelines will be November 1, 2008.
