NCRA Comments on the FTC's Proposed Settlements in Three Cases
Re: In the Matter of SettlementOne Credit Corporation, et al., File No. 082 3208
In the Matter of ACRAnet, Inc., File No. 092 3088
In the Matter of Fajilan and Associates, et al., File No. 092 3089
The National Credit Reporting Association, Inc. (NCRA) appreciates the opportunity to comment on the Federal Trade Commission's ("FTC") proposed settlements in the three above-referenced matters.
Background on NCRA
NCRA is a non-profit trade association, founded in 1992, representing the consumer reporting industry, especially credit reporting companies that provide products and services to the housing industry with hybrid, multi-data source reports for mortgage lending and tenant screening. NCRA represents approximately 80% of the credit reporting agencies in the United States that produce the specialized mortgage credit reports required by the Department of Housing and Urban Development, Fannie Mae, and Freddie Mac for mortgage loan underwriting. The respondents in these actions are all "resellers" of consumer reports within the meaning of the Fair Credit Reporting Act ("FCRA"). Respondents ACRAnet and SettlementOne are members of NCRA.
As resellers of consumer reports, NCRA members obtain reports from the three nationwide consumer reporting agencies and create combined, or "trimerge," reports. The trimerge reports are sold to mortgage brokers, mortgage lenders and other end-users in the mortgage industry for use in connection with consumers' mortgage loan applications.
NCRA members take very seriously their obligation to safeguard consumer information, and agree with the FTC's statements about the risks associated with identity theft. For that reason, our members devote significant resources and effort, including investment in sophisticated technology systems, to protect consumer data within their control.
The Reseller Respondents
None of the respondents in these matters admitted to any of the complaint allegations. Each company made a business decision to settle on the terms of the negotiated order, rather than incur the significant legal fees and expenses of defending an FTC enforcement action. For that reason, NCRA objects to the FTC's press release and particularly to the statement of Commissioner Brill, joined by the Chairman and Commissioners Rosch and Ramirez (the "Commissioners' Statement"). These FTC statements are replete with derogatory factual assertions to which the respondents have had no opportunity to respond, and the statements leave the public with the inaccurate impression that the named resellers were negligent in their compliance with the FCRA and the Gramm-Leach-Bliley Act ("GLBA") Safeguards Rule. The Commission's statements are particularly troubling because each of the respondents cooperated fully with the FTC's investigation of those who were responsible for the security breaches.
Despite the impression created by the FTC's press release and the Commissioners' Statement, each of these three resellers had implemented and maintained an information security program that was reasonably designed to protect the security, confidentiality, and integrity of customer information, as required under the GLBA Safeguards Rule. Each reseller maintained reasonable procedures to limit the provision of consumer reports to end-users who had a permissible purpose for the reports in accordance with the FCRA. Moreover, each reseller required its end-users to agree by written contract that they would implement and maintain adequate information security systems, controls and procedures, including firewalls and other appropriate data security measures. These written agreements provided that an end-user's violation of these contractual obligations could result in suspension of the end-user's access to the reseller's portal or termination of the agreement. The termination of the supply of necessary credit information provided by the reseller cannot be minimized, as this is a serious consequence to the end-user. The Commissioners' Statement dismisses hundreds of years of contract law as nothing more than a "paper exercise." The contracts appropriately place the responsibility for security at the end-user's facility upon the end-user. By implementing vigorous internal security measures and contractually mandating that end-users act similarly, the resellers clearly met their legal obligations under the FCRA and the GLBA to protect consumer information.
The Missing Parties in the Proposed Orders
None of the unprotected computer systems involved in the data breaches that led to these enforcement actions were within the ownership or control of these resellers. The FTC's complaints allege that the breaches occurred because the end-users lacked adequate firewalls or other security controls. Thus, the alleged failures of these independent third parties, and not the resellers' actions, contributed to the security breaches. These end-users apparently did not meet their own legal obligations to consumers under the FCRA and the GLBA, and they appear to have breached their contractual obligations to the resellers. In fact, the end-users had (or claimed to have) reasonable security measures when they were contracted by NCRA's member resellers. Only after a period of time did these contracted users fail to maintain such security systems. For these reasons, NCRA believes the Commission's enforcement actions targeted the wrong parties in these matters.
These proposed orders essentially require the respondent resellers to comply with their legal obligations under the GLBA and the FCRA, obligations that the resellers had endeavored to meet even prior to the FTC's enforcement actions. Further, no fault was found within the resellers' information security systems. Because the end-users are not subject to these consent orders, the FTC's enforcement actions will not protect consumers with respect to the security and confidentiality of consumer information held by these end-users. It is important to understand that, as mortgage brokers and mortgage lenders, these end-users receive and maintain consumers' identifying information and highly confidential financial information from applicants, employers and others, in addition to consumer reports from resellers. These mortgage brokers and lenders are subject to the same GLBA and FCRA laws as the resellers. Yet, the FTC's orders will not require these end-users to implement any measures to comply with these laws. Clearly, the FTC has brought the wrong parties under order.
The Commissioners' Statement
Despite the fact that the FTC's orders apply only to the resellers, the Commissioners' Statement asserts that "these are the first cases in which the Commission has held resellers responsible for downstream data protection failures." This statement is at odds with the terms of the consent orders and, for the most part, even the complaints' allegations. NCRA is troubled by the Commissioners' apparent plan to hold resellers responsible for the potential failures of independent third parties to protect consumer data. The Commissioners' Statement is creating policy not supported by the laws it asserts to support its actions.
In addition, the Commissioners state that they will seek civil penalties in future cases involving "resellers - indeed, all of those in the chain of handling consumer data" based on their "legal obligations to proactively protect consumers' data." The FCRA imposes certain legal requirements on resellers in providing reports to end-users with permissible purposes. However, the FCRA does not require resellers or others in the chain of handling consumer data to "proactively protect consumers' data." Resellers' data security obligations with respect to consumer information are governed by the GLBA Safeguards Rule, which does not provide for civil penalties for violations of its requirements.
The FTC can best promote the important objective of protecting consumer information by focusing on the entities that are best able to provide this protection. The Commission should hold resellers responsible for consumer information, and access to that information, within their control, but the Commission should also hold end-users responsible for their own data security. In this case, the FTC ignores end-users altogether and instead would require resellers to assume responsibility for third parties' internal data security measures. Not only will this impose an unfair and unworkable burden on resellers, it would also create a system that leaves consumers more vulnerable than they would be if the FTC required each entity to take responsibility for its own data security systems. The position of the FTC may actually discourage end-users from taking security steps to protect their consumers' information, and it attempts to place this responsibility on the resellers (which in many cases are much smaller companies than the end-users), who have no real ability to protect consumers' information once it reaches the end-users' computer systems.