FEDERAL TRADE COMMISSION
WASHINGTON, D.C. 20580

September 21, 2017

The Honorable Mark R. Warner
United States Senate
Washington, DC 20510-4606

Dear Senator Warner:

Thank you for your letter of September 13, highlighting several concerns about the recently announced Equifax breach. I appreciate your leadership on data security legislation, and I share your concerns about the breach at Equifax that may have exposed 143 million consumers' sensitive information, including Social Security numbers, birthdates, addresses, and, in some instances, driver's license numbers.

The Federal Trade Commission ("Commission" or "FTC") staff is investigating this matter. While I cannot comment on the details of the non-public investigation, I do note that the FTC enforces several laws relating to the security of consumer report information. For example, as you reference in your letter, the Fair Credit Reporting Act ("FCRA") requires consumer reporting agencies to use reasonable procedures to ensure that the entities to which they disclose sensitive consumer information have a permissible purpose for receiving that information.[1] It also imposes safe disposal obligations on entities that maintain consumer report information.[2] The Gramm-Leach-Bliley Act ("GLB Act") provides data security requirements for non-bank financial institutions, which includes credit reporting agencies.[3] Finally, the Commission enforces the FTC Act, which prohibits unfair or deceptive acts or practices, such as businesses making false or misleading claims about their data security procedures, or failing to employ reasonable security measures in a way that causes or is likely to cause substantial consumer injury.[4] If a company makes materially misleading statements or omissions about a matter, including data security, and such statements or omissions are likely to mislead reasonable consumers, they can be found to be deceptive in violation of Section 5. Further, if a company's data security practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or to competition, those practices can be found to be unfair and violate Section 5.

Since 2001, the Commission has brought approximately 60 cases in the data security area.[5] Most recently, Lenovo Inc. agreed to settle charges by the FTC and 32 State Attorneys General that the company harmed consumers by pre-loading software on some laptops that compromised security protections in order to deliver ads to consumers.[6] According to the complaint, beginning in August 2014 Lenovo began selling consumer laptops in the United States that came with a preinstalled "man-in-the-middle" software program that interfered with how a user's browser interacted with websites and created serious security vulnerabilities. In another case announced last month, we alleged that Uber violated its promise to reasonably secure rider and driver data. According to our complaint, Uber allowed its employees to use a single, shared key to access personal information Uber stored in the cloud, failed to encrypt the information, and failed to implement adequate training for its employees. We allege that these failures, among others, led to a breach, where an intruder was able to access sensitive rider and driver data.

When we investigate potential law violations related to data security, we examine the reasonableness of a company's practices as a whole. The mere fact that a breach occurred does not mean that a company has violated the law. We are investigating Equifax to determine whether there is reason to believe a law violation occurred.

In the meantime, the Commission has provided important information and educational materials to consumers. First, immediately following the breach announcement, the FTC released an advisory to consumers about the Equifax breach and what steps they should take to help protect their information from being misused.[7] Following its release, this was the most viewed webpage in all of the federal government. Second, we have updated the materials on our IdentityTheft.gov website to reference the Equifax breach.[8] This website provides personalized recovery plans for victims of identity theft. Prior to the announcement of the Equifax breach, the website received about 6,000 visitors a day; after the breach was announced, visits to the site spiked dramatically. At its peak, the site received more than 74,000 visits in a day. Third, in light of reports that scammers were impersonating Equifax to solicit consumers' personal information, the Commission released an advisory alerting consumers that they should not release their personal information on the phone.[9] Finally, the Commission released a consumer advisory and updated its fraud alert and credit freeze guidance to better assist consumers as they take steps to protect themselves following the breach.[10] We are closely monitoring the situation, and will provide additional guidance as necessary.

In response to your specific questions:

1. Equifax is currently under a consent decree with the Commission for violations of the Fair Credit Reporting Act related to improper handling of consumer information. Does that consent decree provide the Commission with additional remedies in the context of Equifax's data security practices?

As part of our non-public investigation, we are considering whether any FTC order covers the practices at issue and, if so, what remedies may be available. A party that is found to have violated an FTC order may be subject to contempt sanctions and civil penalties.

2. Given the current inability of consumers to cease doing business with a credit reporting agency which displays an arguably cavalier attitude toward cybersecurity, should the Fair Credit Reporting Act be amended to provide the Commission authority to issue rules requiring credit reporting agencies to establish a way for consumers to "opt out" of having their information stored by a particular credit reporting agency?

The Commission has not considered or studied the potential impact of an amendment to the FCRA forbidding credit reporting agencies from reporting information about consumers who "opt out" of having their information used by the credit reporting agencies. Before taking a position on such a proposed amendment, the Commission would need to carefully assess the effect it would have on the accuracy and effectiveness of the nation's credit reporting system.

3. In many cases, Equifax collects and maintains sensitive information about consumers as a service to other businesses. Under state data breach notification statutes, a breached service provider need only inform the business it provides service to about the breaches it suffers, and has no obligation to provide public notice that it incurred the breach. In recent breach incidents involving third-party service providers, some companies (e.g., Heartland, Experian, Anthem, etc.) have provided public notice that their breach affected consumers. Would the FTC support legislation that requires all entities suffering a breach of security that creates a significant risk of financial harm to make public notice of that breach in order to ensure a more timely and effective form of notice?

The FTC has long supported federal legislation that would, among other things, require companies in appropriate circumstances to provide notification to consumers when there is a security breach. Our interest in providing notice to consumers is that, in the event of a breach, notice helps them take steps to protect themselves from any harm that may be caused by the misuse of their data. We have not taken a position on whether such notices should be made public.

4. Do you interpret the Fair Credit Reporting Act to include heightened data security standards and/or requirements, given Congress's unique concern about the "confidentiality, accuracy ... and proper utilization" of this highly sensitive data?

The FCRA requires consumer reporting agencies (CRAs) to maintain "reasonable procedures" to ensure that they provide consumer report information only to those who have a statutorily-specified permissible purpose to receive it.[11] For example, in 2011 the FTC brought three cases against companies whose business is reselling consumers' credit reports ("resellers"), alleging that they did not take reasonable steps to protect consumers' personal information, and, as a result, hackers were able to access that data.[12] According to the complaints, due to their lack of information security policies and procedures, the companies allowed clients without basic security measures, such as firewalls and updated antivirus software, to access their reports. As a result, hackers accessed more than 1,800 credit reports without authorization via the clients' computer networks. In addition, even after becoming aware of the data breaches, the FTC alleged that the companies did not make reasonable efforts to protect against future breaches.

5. The Commission has suggested that consumers place a credit freeze with the three major credit bureaus. Does the Commission consider a timestamp to be a sufficiently strong PIN for unfreezing a consumer's account?

The FTC has stressed that an important element of reasonable data security is the use of strong authentication procedures, which can help ensure that only authorized individuals can access sensitive data. The use of passwords that an unauthorized user can easily guess does not meet the standard of a strong authentication procedure.[13]

a. Has the Commission issued guidance to credit reporting agencies on adequate security and data protection measures associated with credit freezes?

b. Should this guidance be updated in light of security concerns with the site Equifax maintains to process credit monitoring and freeze requests?

The FTC has not issued specific guidance on the security measures associated with credit freezes. Nevertheless, the same standards would apply to all aspects of a company's business if it is within the jurisdiction of the FTC. Companies must maintain reasonable procedures to protect consumer information, including reasonable authentication techniques. The Commission has recently provided guidance about reasonable authentication techniques through its law enforcement action against tax preparation firm TaxSlayer.[14] The Commission's complaint alleged that TaxSlayer failed to implement adequate risk-based authentication measures that would have helped reduce the chances of an attack from hackers who had used stolen credentials to try to gain access to TaxSlayer customer accounts. The FTC also alleged that the company did not require consumers to choose strong passwords, exposing customers to the risk that attackers could guess commonly used passwords to access their TaxSlayer accounts.

6. Should Congress limit the ability of credit reporting agencies to sell data outside specific contexts, such as credit, banking, and employment inquiries?

The FCRA limits the use of consumer report information to specified "permissible purposes." 15 U.S.C. § 1681b. The FCRA does not limit the use or sale of other data that does not meet the definition of consumer report information. For example, consumer reporting agencies can sell products to market to consumers on the basis of zip codes. To restrict the sale of such data would require new legislation. To the extent credit reporting agencies are selling data for marketing purposes or other purposes unrelated to making eligibility decisions affecting consumers, they would be acting as data brokers. In May 2014, the Commission released a report on the practices of data brokers. The report found evidence of a lack of transparency about data broker practices, and recommended that Congress consider enacting legislation that would enable consumers to learn of the existence and activities of data brokers and provide consumers with reasonable access to information about them held by these entities.[15] I continue to support such a recommendation.

7. Does the Commission hold lapses in data security practices in response to a breach to a higher standard than data security practices related to the breach itself?

In any breach investigation, we examine a company's data security practices as a whole, part of which would include a company's response to the breach. Whether a company's data security practices are reasonable is a fact-specific inquiry that depends on the sensitivity and volume of consumer information a business holds; the size and complexity of its data operations; and the cost of available tools to improve security and reduce vulnerabilities.

8. Do adequate incentives to use reasonable data security practices, or penalties to deter unreasonable data security practices, exist to counter-balance the profit incentives to collect, centralize, and maintain large quantities of highly sensitive personal information of American consumers?

I believe that additional tools are necessary. The Commission has a longstanding, bipartisan call for comprehensive data security legislation that would (1) strengthen its existing data security authority and (2) require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach.[16] Reasonable security practices are critical to preventing data breaches and protecting consumers from identity theft and other harm. Where breaches occur, notifying consumers helps them protect themselves from any harm that may be caused by the misuse of their data. For example, in the case of a breach of a database with Social Security numbers, notifying consumers will enable them to request that fraud alerts be placed in their credit files, obtain copies of their credit reports, scrutinize their monthly account statements, and take other steps to protect themselves. And although most states have breach notification laws in place, having a strong and consistent national requirement would simplify compliance by businesses while ensuring that all consumers are protected.

As the nation's consumer protection agency, the FTC is committed to protecting consumer privacy and promoting data security in the private sector. If you or your staff have additional questions on these matters or wish to share additional information with us, please do not hesitate to contact me or have your staff call Jeanne Bumpus, the Director of our Office of Congressional Relations, at 202-326-2946.

Maureen K. Ohlhausen
Acting Chairman

Footnotes:

[1] 15 U.S.C. § 1681e.

[2] Id. at § 1681w. The FTC's implementing rule is at 16 C.F.R. Part 682.

[3] 15 U.S.C. § 6801(b). The FTC's implementing rule, the Safeguards Rule, is at 16 C.F.R. §§ 314.3 and 314.4.

[4] 15 U.S.C. § 45(a).

[5] See generally http://www.ftc.gov/tips-advice/business-center/resources?type=case&field_consumer_protection_topics_tid=249.

[6] Lenovo, Inc., No. 152 3134 (Sept. 5, 2017) (proposed consent agreement), available at https://www.ftc.gov/enforcement/cases-proceedings/152-3134/lenovo-inc.

[7] FTC Consumer Blog, The Equifax Data Breach: What to Do, Sept. 8, 2017, at https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do.

[8] See IdentityTheft.gov, When Information is Lost or Stolen, at https://identitytheft.gov/Info-Lost-or-Stolen (last visited Sept. 18, 2017).

[9] FTC Consumer Blog, Equifax Isn't Calling, Sept. 14, 2017, at https://www.consumer.ftc.gov/blog/2017/09/equifax-isnt-calling.

[10] Place a Fraud Alert (Sept. 2017), available at https://www.consumer.ftc.gov/articles/0275-place-fraud-alert; Credit Freeze FAQs (Sept. 2017), available at https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs; Extended Fraud Alerts and Credit Freezes (Sept. 2017), available at https://www.consumer.ftc.gov/articles/0279-extended-fraud-alerts-and-credit-freezes; see also FTC Business Blog, Fraud alerts vs. credit freezes: FTC FAQs, Sept. 14, 2017, at https://www.ftc.gov/news-events/blogs/business-blog/2017/09/fraud-alerts-vs-credit-freezes-ftc-faqs.

[11] 15 U.S.C. § 1681b(a), (f).

[12] SettlementOne Credit Corp., No. C-4330 (Aug. 19, 2011), available at https://www.ftc.gov/enforcement/cases-proceedings/082-3208/settlementone-credit-corporation; ACRAnet Inc., No. C-4331 (Aug. 19, 2011), available at https://www.ftc.gov/enforcement/cases-proceedings/092-3088/acranet-inc-matter; Fajilan & Assocs., Inc., also d/b/a Statewide Credit Services, No. C-4332 (Aug. 19, 2011), available at https://www.ftc.gov/enforcement/cases-proceedings/092-3089/fajilan-associates-inc-also-dba-statewide-credit-services.

[13] See, e.g., Twitter, Inc., No. C-4316 (Mar. 11, 2011), available at https://www.ftc.gov/enforcement/cases-proceedings/092-3093/twitter-inc-corporation (alleging, among other things, that the company let employees use common dictionary words as administrative passwords, as well as passwords they were already using for other accounts); Start with Security: A Guide for Business (June 2015), available at https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business (advising businesses to insist on complex and unique passwords).

[14] TaxSlayer, LLC, No. 162 3063 (Aug. 29, 2017) (proposed consent agreement), available at https://www.ftc.gov/enforcement/cases-proceedings/162-3063/taxslayer.

[15] Data Brokers: A Call for Transparency and Accountability (May 2014), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.

[16] Legislation in both areas — data security and breach notification — should give the FTC the ability to seek civil penalties to help deter unlawful conduct, jurisdiction over non-profits and common carriers, and the authority to issue implementing rules under the notice and comment rulemaking procedures of the Administrative Procedure Act, 5 U.S.C. § 553.