InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC Releases Results of Credit Reporting Study
On February 11, the FTC released the results of its study of the U.S. credit reporting industry, including its finding that five percent of consumers had errors on one of their three major credit reports that could lead to them paying more for products. The study also found that (i) one in four consumers identified errors on their credit reports that might affect their credit scores; (ii) one in five consumers had an error that was corrected by a credit reporting agency (CRA) after it was disputed; (iii) four out of five consumers who filed disputes experienced some modification to their credit report, with slightly more than one in 10 noticing a change in their credit score after the agencies modified errors on their credit report; (iv) approximately one in 20 consumers had a maximum score change of more than 25 points and only one in 250 consumers had a maximum score change of more than 100 points. The main types of disputed and confirmed material errors identified by the study were errors in the trade line (consumer accounts) or collections information. The FTC report is the first major study that looks at the full range of participants in the credit reporting and scoring process, including consumers; data furnishers, which include creditors, lenders, debt collection agencies, and the court system; the Fair Isaac Corporation, which develops FICO credit scores; and the national CRAs. The FTC is required to conduct a study of credit report accuracy and provide interim reports every two years, through 2012, with a final report due in 2014. Late last year, the CFPB, which shares jurisdiction over CRAs, published a white paper on its review of how the three largest CRAs manage consumer data and complaints.
FTC Obtains Settlement from Cord Blood Bank in Data Theft Action
On February 5, a federal district court in California approved a settlement recently obtained by the FTC, which (i) requires a California-based firm that operates a cord blood bank to establish a comprehensive information security program and submit to security audits by independent auditors every other year for 20 years, and (ii) prohibits the company from misrepresenting its privacy and security practices. The FTC alleged that the firm violated the FTC Act by failing to use reasonable and appropriate procedures for handling customers’ personal information, despite its privacy policy claims to the contrary. Further, the FTC charged that the firm created unnecessary risks to personal information by transporting portable data storage devices containing personal information in a way that made the information vulnerable to theft, and failed to prevent, detect, and investigate unauthorized access to computer networks. According to the FTC, this resulted in a December 2010 breach in which certain portable devices were stolen from an employee’s personal vehicle and the names, gender, Social Security numbers, dates and times of birth, drivers’ license numbers, credit and debit card numbers, and other personal information of nearly 300,000 customers were compromised. The FTC also alleged that certain of the portable devices could have permitted an intruder to access the firm’s network, which contained sensitive personal health information.
FTC Announces Mobile Privacy Enforcement Action, Issues Mobile Privacy Staff Report
On February 1, the FTC announced that it is requiring a social networking application company to pay $800,000 and make certain compliance enhancements to resolve allegations that the firm (i) misled and deceived users by automatically collecting and storing personal information from users’ mobile device address books even if the users had not selected that option and despite claims that the application collected only certain non-personal user information, and (ii) violated the Children’s Online Privacy Protection Act Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent. Pursuant to the consent decree, in addition to the monetary penalty, the company must establish a comprehensive privacy program, and obtain independent privacy assessments every other year for the next 20 years.
Concurrently, the FTC released a staff report that provides disclosure policy and other guidance to mobile platforms, application developers, advertising networks and analytics companies, and application developer trade associations. For example, the report urges platforms to (i) provide just-in-time disclosures to consumers and obtain affirmative express consent before allowing applications to access sensitive content like geolocation; (ii) consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers may find sensitive; and (iii) consider developing icons to depict the transmission of user data. With regard to application developers, the report recommends, for example, that developers (i) provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information; and (ii) improve coordination and communication with advertising networks and other third parties that provide services for applications. During a call announcing the report, the FTC explained that the report is intended to influence industry standards, and that the Commission staff will reference the report for future policymaking. The FTC also noted that the National Telecommunications and Information Agency is developing a code of conduct on mobile application transparency, and, if strong privacy codes are developed, the FTC will view adherence to such codes favorably in connection with its law enforcement work.
FTC Chairman Announces Plans to Step Down
On February 1, the FTC announced that Chairman John Leibowitz plans to step down on February 15, 2013. Mr. Leibowitz has been a Commissioner since September 2004, and has served as Chairman for the past four years. During his tenure, the FTC has prioritized consumer privacy and financial fraud enforcement and policy development. With regard to privacy initiatives during his time as Chairman, the FTC issued a landmark report setting forth best privacy practices for all businesses, and recently updated the Children’s Online Privacy Protection Rule.
FTC Releases Debt Buyer Study
On January 30, the FTC released the results of a first-of-its-kind empirical study of the debt buying industry. The FTC looked at more than 5,000 portfolios of consumer debt with a face value of $143 billion, the majority of which was credit card debt, but which also included mortgage, medical, utility, telecommunications, and other debt. The report identifies a number of “key findings” related to (i) prices buyers paid for debt, (ii) information and account documentation that buyers received in the transaction, (iii) consumer disputes of debts, and (iv) debt age and statute of limitations. The FTC believes additional study of small debt buyers is required, as are reviews of debt buyers’ litigation practices and the accuracy of the information debt buyers receive and use to collect debts. While the report does not announce any specific policy or enforcement measures, the FTC notes that it continues to receive a high level of complaints about debt collectors, more than for any other industry, and that the sufficiency and accuracy of debt information remains a significant consumer protection concern
Senate Confirms FHA Commissioner and Other Key Agency Nominees
On December 30, the Senate confirmed Carol Galante as Assistant Secretary of Housing and Urban Development and Federal Housing Administration Commissioner. Ms. Galante, who was nominated for the position in October 2011, has been serving in an acting role. Her confirmation was made possible after certain Senators, including Bob Corker (R-TN), who had expressed concerns about the pace of reforms at the FHA, secured a commitment from Ms. Galante to (i) place a moratorium on the full drawdown reverse mortgage program, (ii) substantially increase underwriting criteria for borrowers with FICO scores between 580 and 620 by establishing a meaningful maximum debt-to-income ratio, (iii) increase the down payment requirement and the insurance pricing for loans between $625,000 and $729,000, and (iv) increase underwriting requirements for borrowers who have been foreclosed upon within the last seven years. On January 1, as described in media reports, the Senate confirmed Joshua Wright as FTC Commissioner and Mignon Clyburn as FCC Commissioner, and also confirmed Richard Berner for the new position of Director of the Treasury Department’s Office of Financial Research.
FTC Announces Departure of Consumer Protection Director
On December 17, the FTC announced that the Director of its Bureau of Consumer Protection, David Vladeck, will leave the agency on December 31, 2012. Since taking the position in 2009, Mr. Vladeck has led the Bureau’s focus on financial fraud and consumer privacy. Charles Harwood, who currently serves as a Deputy Director in the Bureau, will take over as Acting Director of the Bureau of Consumer Protection. The FTC also announced that Eileen Harrington, the agency’s Executive Director, will retire at the end of year, and that Pat Bak, who currently serves as Deputy Executive Director, will serve as Acting Executive Director.
FTC Orders Data Brokers to Provide Consumer Data Practices Information
On December 18, the FTC issued orders requiring nine data brokerage companies to provide information about (i) the nature and sources of the consumer information the data brokers collect, (ii) how they use, maintain, and disseminate the information, and (iii) the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold. The FTC states that it plans to use the data to study privacy practices in the data broker industry, and to make recommendations as to how the industry could improve its privacy practices. Earlier this year, members of the House and Senate issued separate requests for similar material. The brokers targeted by the various requests and orders overlap only in part.
FTC Finalizes Children's Online Privacy Rule Amendments
On December 19, the FTC announced final amendments to the Children’s Online Privacy Protection Act Rule. According to the FTC’s release, the final amendments (i) include geolocation information, photographs, and videos in the list of “personal information” that cannot be collected from children under 13 without parental notice and consent, (ii) offer companies a streamlined, voluntary, and transparent approval process for new ways of getting parental consent, (iii) close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent, (iv) require compliance by such third parties in some of those cases, (v) require compliance by persistent identifiers that can recognize users over time and across different websites or online services, (vi) require that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential, (vii) require that covered website operators adopt reasonable procedures for data retention and deletion, and (viii) strengthen the FTC’s oversight of self-regulatory safe harbor programs. The amendments also modify several other key definitions in the rule. Notably, the revised definition of “operator” clarifies that the rule covers a child-directed site or service that integrates outside services that collect personal information from its visitors, but it does not extend liability to platforms that merely offer the public access to child-directed apps. FTC Commissioner Maureen Ohlhausen voted against the amendments and issued a dissenting statement in which she argued that the new definition of “operator” goes beyond what Congress authorized by imposing obligations on websites or online services that do not collect personal information from children or have access to or control of such information collected by a third party.
President, Congress Extend Cross-Border Fraud Enforcement Law
On December 4, President Obama signed a bill, H.R. 6131, that extends through December 2020, a law that enhances the FTC’s ability to address cross-border fraud, and particularly to fight spam, spyware, and Internet fraud and deception. Originally passed in December 2006 and set to expire in December 2013, the U.S. SAFE WEB Act amended the FTC Act to include within the definition of "unfair or deceptive acts or practices" certain acts or practices involving foreign commerce. Further, the law authorizes the FTC to (i) disclose certain privileged or confidential information to foreign law enforcement agencies, and (ii) provide investigative assistance to a foreign law enforcement agency pursuing violations of laws prohibiting fraudulent or deceptive commercial practices or other practices substantially similar to practices prohibited by laws administered by the FTC without requiring that the conduct identified constitute a violation of U.S. laws.