PRIVACY RIGHTS CLEARINGHOUSE
July 22, 2004
Robert E. Feldman, Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
RE: Comments to FACTA Disposal Rule RIN 3064-AC77
Submitted by:
Privacy Rights Clearinghouse
and
Calegislation
CALPIRG
Consumer Action
Consumers Union
Electronic Privacy Information Center
Identity Theft Resource Center
U.S. PIRG
Dear Mr. Feldman:
The Privacy Rights Clearinghouse (PRC) and the above-listed nonprofit
consumer advocacy organizations appreciate the opportunity to comment on
the Federal Deposit Insurance Corporation's (FDIC)1 proposal to implement
§216 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
(Organization descriptions are at the end of this document.)
FACTA §216, which adds §628 (15 U.S.C 1681w) to the Fair Credit
Reporting Act (FCRA), requires the federal banking agencies, the National
Credit Union Administration (NCUA), and the Federal Trade Commission (FTC)2
to adopt regulations about proper disposal of consumer information.
Congress directed that final regulations be implemented not later than one
year after enactment of FACTA. As discussed below, the organizations
representing consumer interests here consider the Agencies' proposal to be
weak and inadequate to meet Congress' intended purpose of preventing
identity theft and other fraud.
The Agencies propose to implement §216 of FACTA by amending the
Interagency Guidelines for Safeguarding Customer Information (Guidelines)
published pursuant to the Gramm-Leach-Bliley Act (GLBA) (Pub. L.106-102).
When amended, the Guidelines would require financial institutions to adopt
measures to properly dispose of consumer information. We submit the
following on specific aspects of the Agencies' proposed Disposal Rule.
(Agencies consist of the FDIC, the Office of the Comptroller of the
Currency (OCC), Board of Governors of the Federal Reserve System (Board),
and Office of Thrift Supervision (OTS).)
A. Introduction
B. Consumer Information
C. Flagging Consumer Information
D. Proper Disposal
E. Proposed Implementation Schedule
F. Service Providers
A. Introduction
Identity theft is often called the fastest growing crime in America.
Only recently have the public and the government begun to realize the full
economic and personal toll of identity theft. A widely reported FTC study
released in September 2003 found that nearly 10 million Americans were the
victims of identity theft in the previous year alone.3 The FTC found that
U.S. business lost 47 billion dollars while consumers lost 5 billion from
identity theft. As striking as they are, these figures quite likely
represent only the tip of the iceberg since many instances of identity
theft may go unreported. (www.ftc.gov/os/2003/09/synovatereport.pdf)
Irresponsible handling of sensitive consumer data has long been cited
as a contributing factor to identity theft. A practice known as dumpster
diving is often claimed by thieves themselves as the source of the data
that allowed them to commit the crime. Sensitive data discarded by a
financial institution provides a prime opportunity for a crook to access
another's personal data.
By enacting §216 requiring proper disposal of consumer information,
Congress has given the public one of the strongest tools yet in combating
the growing crime of identity theft. It is now up to the financial
regulators and the FTC to carry out Congress' intent by adopting strong
regulations to ensure identity theft is no longer fed by careless and
irresponsible disposal of confidential consumer data.
For 12 years, the PRC has worked directly with identity theft victims.
We along with other consumer organizations submitting these comments have
seen the devastation from this crime. We have learned of the many
instances where identity theft could have been prevented by strong
disposal standards imposed on business for documents and electronic
records. We are concerned that the Agencies' proposal to modify existing
guidelines rather than issue strict requirements dictated by regulation
will not have the preventive effect Congress intended by adopting §216.
Unlike the existing guidelines for disposal of customer data adopted
pursuant to the undefined security provisions of GLBA, FACTA §216 has the
stated objective of preventing identity theft. Moreover, §216 specifically
requires the Agencies to adopt:
"regulations requiring any person that maintains or otherwise possesses
consumer information or any compilation of consumer information, derived
from consumer reports for a business purpose to properly dispose of any
such information or compilation." (FACTA §216)
Although the Guidelines, which include a guideline for proper disposal
of customer data, have been in effect since February of 2001, this has
obviously not had a deterrent effect on identity theft. The number of
victims and financial losses continue to rise. Had Congress not intended a
strong standard for disposal, it would not have adopted §216. We urge the
Agencies to do more.
B. Consumer Information
The Disposal Rule, as proposed, defines "consumer information" as "any
record about an individual, in any form, including information that is
derived from a consumer report." To fully encompass the scope of
information included in §216, the Agencies should revise this definition
to say "any record containing personally identifying information about an
individual."
The Agencies have qualified the definition of consumer information by
stating that information derived from consumer reports but that does not
identify any particular consumer would not be covered under the proposal.
(Guidelines proposed §C.2.a.)
In adopting the final Rule, the Agencies must recognize that an
individual's identity is not necessarily limited to just the individual's
name. The Agencies should be clear, for example, that the Social Security
number (SSN) is identifying information. A list of SSNs, with nothing
more, is sufficient data to allow a thief to open a new credit account, or
start the process of assembling a consumer's identity for any number of
illegal activities.
Another example would be a list of consumer telephone numbers.
Although generally included in the category of publicly available
information, a telephone number itself may be the key to identifying a
consumer and opening a door to stalking and harassment. There are now many
Internet sites where entering a telephone number will readily reveal an
address and even a map to the consumer's door. With the telephone number
and address in hand, it is a short step to tying that telephone number and
address to property records or other databases that reveal the consumer's
name and much more.
In adopting the final Rule, the Agencies must be ever mindful of the
resourcefulness of criminals to combine bits and pieces of personal
information from several sources to create a consumer profile adequate to
assume that consumer's identity. This information may also be purchased
provided the purchaser has a limited amount of identifying information. As
the growing number of victims indicates, and as some identity thieves
themselves often readily admit, assuming another's identity for fraudulent
purposes is not a difficult task. The crime is made all the easier by the
vast array of Internet databases that allow thieves to quickly assemble a
consumer's profile. And, a telephone number may be the only bit of
information a criminal needs to get started.
A further example is one's electronic mail address. More and more, an
individual's e-mail address is being used as a key identifier linking
identities across multiple points of information. As individuals are
getting their own domain names and using e-mail addresses attached to
their domains, anyone can look up the domain and obtain an individual's
street address in many cases. Until the WHOIS registration data is no
longer published, which is not likely, this will continue to be a
persistent problem.
For the sake of financial institutions covered by the Agencies'
proposal, we suggest the Agencies' final Rule give financial institutions
examples of information from a consumer report or derived from a consumer
report that does not identify a consumer and thus would not be subject to
the Guidelines.
The Agencies also seek comment on the proposed definition of consumer
information that includes the qualification that the information is "for
a business purpose." The Agencies interpret the phrase "for a business
purpose" to encompass any commercial purpose for which a financial
institution might maintain or possess consumer information.
The Agencies should clarify that a business purpose is not limited to
consumer report information received solely to obtain credit or assess a
consumer's continuing eligibility to meet the terms of an existing
account. The Agencies should recognize that consumer report information
may be obtained through an employment background check for a current or
prospective employee.
Financial institutions may also receive consumer report information
from a consumer reporting agency that tracks consumers' use of checking
accounts. Thus, the Agencies should be clear that consumer information
includes information included in or derived from any consumer report,
not just a credit report obtained from a credit reporting agency.
C. Flagging Consumer Information
It is clear from §216 that Congress recognized the role proper document
disposal plays in preventing identity theft. Congress recognized, in
addition, that the sensitive information included in consumer reports and
information derived from consumer reports provides the only information a
thief needs to access existing accounts or set up new accounts in the
victim's name. To fully implement the preventive measures adopted by
Congress, consumer report data as well as data derived from a consumer
report must be flagged for proper disposal in the records of the financial
institution.4
The need to properly flag and track information subject to this rule is
crucial in ensuring compliance. Information obtained in a consumer report
originally obtained by a financial institution in response to a consumer's
loan application may subsequently flow to other entities and be used in
any number of ways. As the Agencies recognize, information may be
manipulated and combined with other information or may be shared among
affiliates.
Information may also be sent to a records storage facility and later on
to an information disposal facility, either directly from the financial
institution or through a storage facility. Information may also be shared
with any number of service providers that perform billing, auditing,
customer service, check printing and a range of other support activities.
For the Disposal Rule to have the intended effect, information should
be clearly flagged by the financial institution as it is received from a
consumer reporting agency, reseller, affiliate, the consumer, or a
third party. If the Agencies find it too burdensome for financial
institutions to flag all existing consumer information, as a minimum,
this requirement should be made of all new information received after the
effective date of the Disposal Rule.
D. Proper Disposal
To effect the disposal requirements of FACTA §216, the Agencies propose
to amend the Guidelines to require financial institutions to modify
existing security measures. The Agencies have declined to adopt a
prescriptive rule to describe proper methods of disposal or to define what
is meant by "proper disposal." The Agencies seek comment on whether the
use of the phrase "proper disposal" is sufficiently clear.
The Agencies' proposal to implement FACTA §216 by amending the existing
Guidelines falls far short of standards needed to have an impact on
identity theft. The Guidelines, now in effect for a number of years,
already require financial institutions to properly dispose of customer
data. This vague standard has apparently had no effect on the crime of
identity theft as the numbers of victims continue to rise.
The Agencies should define the term "proper disposal" with examples of
procedures that would meet the definition of proper disposal for data
maintained in paper as well as electronic form. The Agencies should also
adopt strict standards so that financial institutions are not left to
speculate about what the Agencies consider proper disposal. As a
minimum, the Agencies should be clear that "proper disposal" means a
method of disposal that would render the information unreadable and
incapable of being reconstructed. For paper records, the Agencies should
clearly state that cross-cut shredding and burning of documents are
acceptable methods of disposal.
The Agencies should also follow the lead of the FTC and include in the
definition of "disposal":
The discarding or abandonment of consumer information, and
The sale, donation, or transfer of any medium, including computer
equipment, upon which consumer information is stored. (FTC Proposal to
amend 16 CFR 682.1(c))
In addition, the interagency guidance issued through the Federal
Financial Institutions Examination Council (FFIEC) should be adopted as
requirements rather than guidelines. The guidelines for disposal included
in the FFIEC IT Examination Handbook are fundamental to carrying out
Congress' intent in adopting §216. For example, employees should always be
prohibited from discarding sensitive media along with regular garbage. We
also encourage the Agencies to adopt the FFIEC Handbook guideline that
adequate employee background checks be required. This requirement should
apply not just to employees of vendors, as the Handbook suggests, but
rather to all individuals whose work entails handling sensitive personal
information.5
Given the staggering amount in economic loss that has resulted from
identity theft in recent years, it makes good sense, for business and for
consumers, for the Agencies to adopt strong standards for proper disposal
of sensitive data. Great emphasis has been placed on giving consumers tips
on steps to protect personal information against identity theft and other
fraud. However, no matter how cautious a consumer is about guarding
personal information, these efforts will be of little use if consumers
cannot have confidence that personal information will be properly handled
by institutions.
Existing versions of the Guidelines, adopted pursuant to GLBA, included
disposal as a subordinate factor in a financial institution's overall
security program. Now, with the passage of FACTA §216, proper disposal has
become a major, independent factor in preventing identity theft and other
fraud. We believe this change in focus on proper disposal requires the
Agencies to adopt strong prescriptive measures for financial institutions.
E. Proposed Implementation Schedule
The Agencies propose to require each financial institution to implement
proper disposal for consumer information within three months after the
final regulation is published. In proposing the three-month compliance
date, the Agencies state that any changes to an institution's existing
information security program to accommodate consumer information will
likely be minimal.
Given the scope of the Agencies' proposal, we agree that changes to the
financial institutions' programs will be minimal. We do not agree, however,
that three months is needed to effect these changes. Financial
institutions have been on notice for over six months, since FACTA was
signed by the President in December 2003, that proper disposal will be
required for consumer report data.
The Agencies' proposed changes to the Guidelines, as far as we can
determine, place no additional burdens on financial institutions to adopt
new programs, hire new staff, or engage more thorough service providers.
The thrust of the Agencies' proposal seems to be business as usual for
financial institutions, with only the requirement that information
identified as consumer information be included in existing disposal
plans already established for customer information.
Assuming the final Disposal Rule is effective one year after enactment
of FACTA, as required by the statute, financial institutions will have,
under the Agencies' proposal, three additional months to carry out the
minimum changes required by the Agencies' proposal. This means that
measures would not even be in effect until March of 2005. This is an
unnecessary delay in implementation, while the number of identity theft
victims continues to mount.
We have even greater concerns about the Agencies' proposal to allow
financial institutions one year after publication of the final
Disposal Rule to modify existing contracts with service providers. This
means -- assuming again that the final regulations will be effective in
December 2004 -- that financial institutions will have until the end of
2005 to modify service provider contracts.
More likely than not, disposal will be accomplished by a service
provider and not the financial institution itself. Disposal may also be
accomplished by a disposal company retained by a service provider of the
financial institution. As consumer information travels outside the
institution's own files and from one service provider to another, the risk
of inappropriate or fraudulent use of that information increases. It is
thus crucial that financial institutions amend service provider contracts,
where needed, within a more reasonable period of time. If the Agencies
continue to allow financial institutions three months to implement proper
disposal for consumer information, they should also require that the
institutions' service provider contracts be modified by this time.
Given the minimal changes the Agencies have imposed on financial
institutions for disposal, there seems to be nothing substantial, under
this proposal, that would have to be modified in a service provider
agreement. Disposal is already a part of the Guidelines for that category
of information defined as customer data. A delay of two years for
effective implementation of §216 is an excessive amount of time for
consumers to expect reasonable disposal of their personal information.
F. Service Providers
The Agencies have proposed to add a new section of the Guidelines to
require service providers by contract to implement appropriate measures
designed to meet the objectives of the Guidelines. The Agencies further
state that this requirement applies to both domestic and foreign-based
service providers. We believe the Agencies are correct in requiring proper
disposal to be included in service provider contracts.
The Agencies should also amend the Guidelines to apply to all service
providers and not just those that provide services directly to the
financial institution. This limitation was imposed when the Agencies
adopted the joint Guidelines in February 2001. The joint release states:
"a financial institution will be responsible under the
final Guidelines for overseeing its service provider arrangements only
when the service is provided directly to the financial institution. The
Agencies clarified this point by amending the definition of 'service
provider' in the final Guidelines to state that it applies only to a
person or entity that maintains, processes, or otherwise is permitted
access to customer information through its provision of services
directly to the financial institution" [emphasis added].
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001_register&docid=01-1114-filed
This exclusion does not provide adequate assurance that consumer
information will receive proper disposal as required by §216. If a
financial institution contracts some of its functions out, the financial
institution should also be responsible for ensuring that further disclosure
to yet another service provider will also be subject to strict disposal
standards. Such requirements should be included in contracts entered into
between the financial institution and its first-line service provider.
We appreciate the opportunity to comment on the Agencies' proposal to
implement the FACTA Disposal Rule. We again urge the Agencies to adopt
stronger standards for the proper disposal of all data that includes
sensitive personal information. These standards should apply to the
financial institution and any service providers that possess information
through the disposal process.
Sincerely,
Beth Givens, Director
Tena Friery, Research Director
Privacy Rights Clearinghouse
3100 5th Ave., Suite B
San Diego, CA 92103
AND
Dian Black, Director
Calegislation
P.O. Box 1198 No. 1127
Sacramento, CA 95812
Jennette Gayer, Consumer Advocate
CALPIRG
3435 Wilshire Blvd., Suite 380
Los Angeles, CA 90010
Ken McEldowney, Executive Director
Consumer Action
717 Market St., Suite 310
San Francisco, CA 94103
Gail Hillebrand, Senior Attorney
Consumers Union
1535 Mission St.
San Francisco, CA 94103
Chris Hoofnagle, Associate Director
Electronic Privacy Information Center
1718 Connecticut Ave., N.W.
Washington, D.C. 20009
Linda Foley and Jay Foley, Co-Executive Directors
Identity Theft Resource Center
P.O. Box 26833
San Diego, CA 92196
Ed Mierzwinski, Consumer Program Director
U.S. PIRG
218 D St., S.E.
Washington, D.C. 20003
Organization descriptions:
The Privacy Rights Clearinghouse is a nonprofit consumer information
and advocacy organization based in San Diego, CA, and established in 1992.
The PRC advises consumers on a variety of informational privacy issues,
including financial privacy. It represents consumers' interests in
legislative and regulatory proceedings on the state and federal levels.
www.privacyrights.org
Calegislation is a resource center that provides consumer privacy
information with a focus on public safety. Based in San Diego, the center
provides educational information to consumers, legislators, and
governmental agencies and is part of a national information sharing
network of domestic violence advocates.
CALPIRG is a 30-year-old statewide non-profit and non-partisan
membership organization that stands up for California consumers.
www.calpirg.org
Consumer Action is a non-profit consumer education and advocacy
organization serving consumers since 1971. It provides consumers with
information and education on matters of telecommunications, privacy,
predatory lending and banking/credit issues through its national network of
7,000 community-based organizations. Consumer Action advocates at the
state and federal legislative levels for consumer rights in the policy
areas of banking and credit, product safety, privacy and identity theft
and other issues affecting the quality of life of California consumers. www.consumer-action.org
Consumers Union is a nonprofit membership organization chartered in
1936 under the laws of the State of New York to provide consumers with
information, education, and counsel about goods, services, health and
personal finance; and to initiate and cooperate with individual and group
efforts to maintain and enhance the quality of life for consumers.
Consumers Union has actively supported a wide variety of state consumer
protection laws, including in the areas of credit, finance, and
disclosure, including identity theft prevention laws and anti-predatory
lending laws. www.consumer.org
The Electronic Privacy Information Center (EPIC) is a public interest
research center in Washington, D.C. It was established in 1994 to focus
public attention on emerging civil liberties issues and to protect
privacy, the First Amendment, and constitutional values. www.epic.org
The Identity Theft Resource Center is a national nonprofit organization
that focuses exclusively on identity theft. It was established in 1999. ITRC's mission is to research, analyze and distribute information about
the growing crime of identity theft. It serves as a resource and advisory
center of identity theft information for consumers, victims, law
enforcement, the business and financial sectors, legislators, media and
governmental agencies. www.idtheftcenter.org
U.S. Public Interest Research Group (U.S. PIRG) serves as the national
lobbying office for state Public Interest Research Groups. PIRGs are
non-profit, non-partisan public interest advocacy organizations with
members around the country. www.uspirg.org
1 The FDIC proposal is made jointly with the Office of the
Comptroller of the Currency (OCC); Board of Governors of the Federal
Reserve System (Board); and Office of Thrift Supervision (OTS). (Agencies)
As instructed by the joint proposal, these comments are submitted only to
the FDIC with the understanding that comments will be shared among all the
Agencies.
2 On June 15, 2004, the PRC, along with five other consumer
organizations, submitted comments in response to the FTC's proposed
Disposal Rule. www.privacyrights.org/ar/FTC-DocDisposal.htm On July 13,
2004, the PRC, along with six other consumer organizations, submitted
comments in response to the NCUA's proposed Disposal Rule.
www.privacyrights.org/ar/NCUADocDisposal.htm.
3 Similar studies conducted in 2003 confirm that identity
theft claimed many more victims and resulted in far greater economic loss
to both victims and business than previously thought. See, e.g., Privacy and
American Business survey, July 2003, www.pandab.org/id_theftpr.html;
Gartner survey, July 2003, www3.gartner.com/5_about/press_releases/pr21july2003a.jsp;
Identity Theft Resource Center, September, 2003,
www.idtheftcenter.org/pr092303.pdf
4 In comments on the
FTC's proposed disposal rule, we similarly suggested that consumer
reporting agencies and resellers of consumer reports be required to
identify consumer reports as subject to proper disposal.
http://www.privacyrights.org/ar/FTC-DocDisposal.htm
5 An alarming study published in May 2004 by Michigan State
University professor Judith Collins found that up to 70% of identity theft
starts with theft of personal data from a company by an employee.
http://msnbc.msn.com/id/5015565.