[Federal Register Volume 76, Number 27 (Wednesday, February 9, 2011)]
[Notices]
[Pages 7213-7216]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-2790]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File Nos. 092 3088, 082 3208, 092 3089]
ACRAnet, Inc.; SettlementOne Credit Corporation, and Sackett
National Holdings, Inc.; Fajilan and Associates, Inc., d/b/a Statewide
Credit Services, and Robert Fajilan; Analysis of Proposed Consent
Orders To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreements in these three matters settle alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis To
Aid Public Comment describes both the allegations in each draft
complaint and the terms of the consent order--embodied in each consent
agreement--that would settle these allegations.
DATES: Comments must be received on or before March 7, 2011.
ADDRESSES: Interested parties are invited to submit written comments
electronically or in paper form. Comments should refer to ``ACRAnet,
Inc., File No. 092 3088, and/or SettlementOne Credit Corporation, File
No. 082 3208, and/or Statewide Credit Services, File No. 092 3089'' to
facilitate the organization of comments. Please note that your
comment--including your name and your state--will be placed on the
public record of this proceeding, including on the publicly accessible
FTC Web site, at http://www.ftc.gov/os/publiccomments.shtm.
Because comments will be made public, they should not include any
sensitive personal information, such as an individual's Social Security
Number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. Comments also
should not include any sensitive health information, such as medical
records or other individually identifiable health information. In
addition, comments should not include any ``[t]rade secret or any
commercial or financial information which is obtained from any person
and which is privileged or confidential. * * *,'' as provided in
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and Commission Rule
4.10(a)(2), 16 CFR 4.10(a)(2). Comments containing material for which
confidential treatment is requested must be filed in paper form, must
be clearly labeled ``Confidential,'' and must comply with FTC Rule
4.9(c), 16 CFR 4.9(c).\1\
---------------------------------------------------------------------------
\1\ The comment must be accompanied by an explicit request for
confidential treatment, including the factual and legal basis for
the request, and must identify the specific portions of the comment
to be withheld from the public record. The request will be granted
or denied by the Commission's General Counsel, consistent with
applicable law and the public interest. See FTC Rule 4.9(c), 16 CFR
4.9(c).
---------------------------------------------------------------------------
Because paper mail addressed to the FTC is subject to delay due to
heightened security screening, please consider submitting your comments
in electronic form. Comments filed in electronic form should be
submitted by using one of the following weblinks:
https://ftcpublic.commentworks.com/ftc/acranet;
https://ftcpublic.commentworks.com/ftc/settlementone;
https://ftcpublic.commentworks.com/ftc/statewide, and following the
instructions on the web-based form. To ensure that the Commission
considers an electronic comment, you must file it on the Web-based form
at one of the following weblinks:
https://ftcpublic.commentworks.com/ftc/acranet;
https://ftcpublic.commentworks.com/ftc/settlementone;
https://ftcpublic.commentworks.com/ftc/statewide. If this Notice
appears at http://www.regulations.gov/search/index.jsp, you may also
file an electronic comment through that Web site. The Commission will
consider all comments that regulations.gov forwards to it. You may also
visit the FTC Web site at http://www.ftc.gov/ to read the Notice and
the news release describing it.
A comment filed in paper form should include the ``to ACRAnet,
Inc., File No. 092 3088, and/or SettlementOne Credit Corporation, File
No. 082 3208, and/or Statewide Credit Services, File No. 092 3089''
reference both in the text and on the envelope, and should be mailed or
delivered to the following address: Federal Trade Commission, Office of
the Secretary, Room H-135 (Annex D), 600 Pennsylvania Avenue, NW.,
Washington, DC 20580. The FTC is requesting that any comment filed in
paper form be sent by courier or overnight service, if possible,
because U.S. postal mail in the Washington area and at the Commission
is subject to delay due to heightened security precautions.
The Federal Trade Commission Act (``FTC Act'') and other laws the
Commission administers permit the collection of public comments to
consider and use in this proceeding as appropriate. The Commission will
consider all timely and responsive public comments that it receives,
whether filed in paper or electronic form. Comments received will be
available to the public on the FTC Web site, to the extent practicable,
at http://www.ftc.gov/os/publiccomments.shtm. As a matter of
discretion, the Commission makes every effort to remove home contact
information for individuals from the public comments it receives before
placing those comments on the FTC Web site. More information, including
routine uses permitted by the Privacy Act, may be found in the FTC's
privacy policy, at http://www.ftc.gov/ftc/privacy.shtm.
FOR FURTHER INFORMATION CONTACT: Katherine White (202-326-2252), Bureau
of Consumer Protection, 600 Pennsylvania Avenue, NW., Washington, D.C.
20580.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 of the
Commission Rules of Practice, 16 CFR 2.34, notice is hereby given that
the above-captioned consent agreements containing consent orders to
cease and desist, having been filed with and accepted, subject to final
approval, by the Commission, have been placed on the public record for
a period of thirty (30) days. The following
Analysis To Aid Public Comment describes the terms of the consent
agreements, and the allegations in the draft complaints. An electronic
copy of the full text of each consent agreement package can be obtained
from the FTC Home Page (for February 3, 2011), on the World Wide Web,
at http://www.ftc.gov/os/actions.shtm. Paper copies can be obtained
from the FTC Public Reference Room, Room 130-H, 600 Pennsylvania
Avenue, NW., Washington, DC 20580, either in person or by calling (202)
326-2222.
Public comments are invited, and may be filed with the Commission
in either paper or electronic form. All comments should be filed as
prescribed in the ADDRESSES section above, and must be received on or
before the date specified in the DATES section.
Analysis of Agreement Containing Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, three agreements containing consent orders from ACRAnet, Inc.
(``ACRAnet''); SettlementOne, Inc. (``SettlementOne''), and its parent
corporation Sackett National Holdings, Inc.; and Fajilan and
Associates, Inc. d/b/a Statewide Credit Services (``Statewide'') and
its principal Robert Fajilan (collectively ``respondents'').
The proposed consent orders have been placed on the public record
for thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreements and the comments received, and will decide whether it should
withdraw from the agreements and take appropriate action or make final
the agreements' proposed orders.
According to the Commission's proposed complaints, respondents
contract with the three nationwide consumer reporting agencies,
Experian, Equifax, and TransUnion to obtain consumer reports that they
assemble and merge into a single ``trimerge report.'' The trimerge
reports contain sensitive consumer information such as full name,
current and former addresses, social security number, date of birth,
employer history, credit account histories and information, and account
numbers. Respondents provide the trimerge reports to end user clients
through an online portal. Respondents issue credentials to their
clients, which consist of a user name and password. The end user
clients use these credentials to access respondents' online portals and
receive trimerge reports.
The Commission's complaints allege that respondents engaged in a
number of practices that, taken together, failed to provide reasonable
and appropriate security for consumers' personal information. Among
other things, they failed to: (a) Develop and disseminate comprehensive
written information security policies; (b) assess the risks of allowing
end users with unverified or inadequate security to access consumer
reports through their online portals; (c) implement reasonable steps to
address these risks by, for example, evaluating the security of end
users' computer networks, requiring appropriate information security
measures, and training end user clients; (d) implement reasonable steps
to maintain an effective system of monitoring access to consumer
reports by end users, including by monitoring to detect anomalies and
other suspicious activity; and (e) take appropriate action to correct
existing vulnerabilities or threats to personal information in light of
known risks.
The complaints further allege that hackers were able to exploit
vulnerabilities in the computer networks of multiple end user clients,
putting all consumer reports in those networks at risk. In multiple
breaches, hackers accessed hundreds of consumer reports.
According to the proposed complaints, respondents' practices
violated the Gramm-Leach-Bliley (``GLB'') Safeguards Rule by, among
other things: (1) Failing to design and implement information
safeguards to control the risks to customer information; (2) failing to
regularly test or monitor the effectiveness of existing controls and
procedures; (3) failing to evaluate and adjust the information security
programs in light of known or identified risks; and (4) failing to
develop, implement, and maintain comprehensive information security
programs. In addition, the proposed complaints allege that respondents'
conduct violated sections 604 and 607(e) of the Fair Credit Reporting
Act (``FCRA''). Further, the proposed complaints allege that
respondents' failure to employ reasonable and appropriate measures to
secure the personal information they maintain and sell is an unfair
practice in violation of Section 5 of the Federal Trade Commission Act.
The proposed orders contain provisions designed to prevent
respondents from engaging in similar practices in the future. They also
apply to personal information respondents collect from or about
consumers. The orders name the resellers themselves, ACRAnet,
SettlementOne, and Statewide; in the case of SettlementOne, its parent
corporation Sackett National Holdings; and in the case of Statewide,
its principal Robert Fajilan.
Part I of the proposed orders requires respondents to establish and
maintain a comprehensive information security program that is
reasonably designed to protect the security, confidentiality, and
integrity of personal information collected from or about consumers,
including the security, confidentiality, and integrity of personal
information accessible to end users.\2\ The security program must
contain administrative, technical, and physical safeguards appropriate
to each respondent's size and complexity, the nature and scope of its
activities, and the sensitivity of the personal information collected
from or about consumers. Specifically, the orders require respondents
to:
---------------------------------------------------------------------------
\2\ The proposed order against Statewide includes an individual
respondent, Robert Fajilan. Parts I-VI of this order apply to any
business entity that Mr. Fajilan controls.
---------------------------------------------------------------------------
• Designate an employee or employees to coordinate and be
accountable for the information security program.
• Identify material internal and external risks to the
security, confidentiality, and integrity of personal information that
could result in the unauthorized disclosure, misuse, loss, alteration,
destruction, or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks.
• Design and implement reasonable safeguards to control the
risks identified through risk assessment, and regularly test or monitor
the effectiveness of the safeguards' key controls, systems, and
procedures.
• Develop and use reasonable steps to select and retain
service providers capable of appropriately safeguarding personal
information they receive from respondents, and require service
providers by contract to implement and maintain appropriate safeguards.
• Evaluate and adjust the information security program in
light of the results of the testing and monitoring, any material
changes to the company's operations or business arrangements, or any
other circumstances that they know or have reason to know may have a
material impact on the effectiveness of their information security
program.
Part II of the proposed orders prohibits respondents from violating
any provision of the GLB Safeguards Rule.
Part III of the proposed orders requires that respondents, in
connection with the compilation, creation, sale or dissemination of any
consumer report shall: (1) Furnish such consumer report only to those
persons it has reason to believe have a permissible purpose as
described in Section 604(a)(3) of the FCRA, or under such other
circumstances as set forth in Section 604 of the FCRA; and (2) maintain
reasonable procedures to limit the furnishing of such consumer reports
to those with a permissible purpose and ensure that no consumer report
is furnished to any person when there are reasonable grounds to believe
that the consumer report will not be used for a permissible purpose.
Part IV of the proposed orders requires that respondents obtain
within 180 days, and on a biennial basis thereafter for twenty (20)
years, an assessment and report from a qualified, objective,
independent third-party professional, certifying, among other things,
that they have in place a security program that provides protections
that meet or exceed the protections required by Part I of the proposed
order; and their security program is operating with sufficient
effectiveness to provide reasonable assurance that the security,
confidentiality, and integrity of consumers' personal information is
protected.\3\
---------------------------------------------------------------------------
\3\ The proposed order against SettlementOne and Sackett
National Holdings does not require Sackett National Holdings to
obtain an assessment for any subsidiary, division, affiliate,
successor or assign if the personal information such entities
collect, maintain, or store from or about consumers is limited to a
first and last name; a home or other physical address, including
street name and name of city or town; an e-mail address; a telephone
number; or publicly available information regarding property
ownership and appraised home value.
---------------------------------------------------------------------------
Parts V through IX of the proposed orders are reporting and
compliance provisions. Part V requires respondents to retain documents
relating to their compliance with the orders. For most records, the
orders require that the documents be retained for a five-year period.
For the third-party assessments and supporting documents, respondents
must retain the documents for a period of three years after the date
that each assessment is prepared. Part VI requires dissemination of the
orders now and in the future to principals, officers, directors, and
managers, and all employees, agents and representatives who engage in
conduct related to the subject matter of the order. In the ACRAnet and
SettlementOne orders, Part VII ensures notification to the FTC of
changes in corporate status. In the Statewide order, Part VII requires
the individual respondent to notify the FTC of changes in contact
information, business or employment status, and Part VIII requires the
corporate respondent to notify the FTC of changes in corporate status.
Part VIII of the ACRAnet and SettlementOne orders and Part XI of the
Statewide order mandate that respondents submit an initial compliance
report to the FTC, and make available to the FTC subsequent reports.
The last provision of the orders is a provision ``sunsetting'' the
orders after twenty (20) years, with certain exceptions.
The purpose of the analysis is to aid public comment on the
proposed orders. It is not intended to constitute an official
interpretation of the proposed orders or to modify their terms in any
way.
By direction of the Commission.
Donald S. Clark
Secretary.
Statement of Commissioner Brill, In Which Chairman Leibowitz and
Commissioners Rosch and Ramirez Join
In the Matter of SettlementOne Credit Corporation, et al., In the
Matter of ACRAnet, Inc., In the Matter of Fajilan and Associates, et
al.
The respondents in these three matters are resellers of consumer
reports who failed to take reasonable measures to protect sensitive
consumer credit information. We fully support staff's work on these
matters. We write separately to emphasize that in the future we will
call for imposition of civil penalties against resellers of consumer
reports who do not take adequate measures to fulfill their obligations
to protect information contained in consumer reports, as required by
the Fair Credit Reporting Act (``FCRA'').
The respondents in these three matters treated their legal
obligations to protect consumer information as a paper exercise.
Respondents provided only a cursory review of security measures.
Thereafter, respondents took no further action to ensure that their
customers' security measures adequately protected the information in
the consumer reports. Nor did they provide training on security
measures to end users. Even after discovering security breaches that
should have alerted them to problems with the data security of some
customers, respondents failed to implement measures to check the
security practices of other clients.
The FCRA requires respondents to take reasonable measures to ensure
that consumer reports are given only to entities using the reports for
purposes authorized by the statute.[1] As a result of respondents'
failure to comply with the FCRA, nearly 2,000 credit reports were
improperly accessed. There is no doubt that such unauthorized access
can result in grave consumer harm through identity theft.
The significant impact and cost of identity theft are well
documented. Although reports regarding the impact of identity theft do
not always agree on specific figures, they do reveal tremendous
economic and non-economic consequences for both consumers and the
economy. The Commission itself issued reports in both 2003[2] and
2007.[3] Our 2007 report estimated that in 2005 alone 8.3 million
consumers fell victim to identity theft. We found that 1.8 million of
those victims had new accounts opened in their names. One-quarter of
the ``new account victims'' incurred more than $1,000 in out-of-pocket
expenses and five percent spent 1,200 hours in dealing with the
consequences of the theft. The report concluded that total losses from
identity theft in 2006 totaled $15.6 billion. Beyond these financial
impacts, we also identified non-economic harm to victims in many forms:
Denial of new credit or loans, harassment from collection agencies, the
loss of the time involved in resolving the problems, and being
subjected to criminal investigation. In view of the hardships and costs
brought on by identity theft, measures to prevent it must be rigorously
enforced.
While we view the breaches in these cases with alarm, we are also
cognizant of the fact that these are the first cases in which the
Commission has held resellers responsible for downstream data
protection failures.[4] Looking forward, the actions we announce today
should put resellers--indeed, all of those in the chain of handling
consumer data--on notice of the seriousness with which we view their
legal obligations to proactively protect consumers' data.
The Commission should use all of the tools at its disposal to
protect consumers from the enormous risks posed by security breaches
that may lead to identity theft. In the future, we should not hesitate
to use our authority to seek civil penalties under the FCRA[5] to make
the protection of consumer data a top priority for those who profit
from its collection and dissemination.
[1] 15 U.S.C. 1681b; 15 U.S.C. 1681e(a).
[2] Fed. Trade Comm'n, Identity Theft Survey Report (2003),
available at http://www.ftc.gov/os/2003/09/synovatereport.pdf.
[3] Fed. Trade Comm'n, 2006 Identity Theft Survey Report (2007),
available at http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.
[4] The Commission has previously taken action where the credit
reporting agency failed to adequately screen purchasers of consumer
credit information. For instance, in United States v. ChoicePoint,
Inc., 09-CV-0198 (N.D. Ga. Oct. 19, 2009), the Commission alleged
that the failure to screen customers led to the sale of 160,000
credit reports to identity thieves posing as customers of
ChoicePoint.
[5] The Fair Credit Reporting Act authorizes the Commission to
seek civil penalties for violations of the Act. 15 U.S.C.
1681s(a)(2)(A).
[FR Doc. 2011-2790 Filed 2-8-11; 8:45 am]
BILLING CODE 6750-01-P