Privacy Academy 2008
Orlando, Florida
Overview
Broad Scope of FCRA
The Non-Traditional CRA
Background Screening Reports
Red-Flag Rules
Identity Theft Prevention
Litigation Trends
Question and Answer Session
Regardless of how you describe your
business, it’s likely you use and access
consumer reports.
The FCRA and FACT Act cover a wide
range of activities related to
accessing, collecting and using
consumer information.
We will discuss what business
practices are regulated by these
statutes and recent FTC rules
concerning identity theft.
The overall goal of this presentation is
heightened appreciation for the
effects of noncompliance.
We will end with a question and
answer session.
Disclaimer
The remarks in this presentation do not
necessarily reflect the views of the Federal
Trade Commission or of any Commissioner,
nor are they intended to be legal advice.
Anyone with specific questions about a
matter should consult legal counsel.
An adventure in definitions
Federal Trade Commission
Nation’s only general jurisdiction consumer
protection agency
Enforcement through federal district court
and administrative litigation
The FCRA
Passed in 1970; significant amendments in
1996 and 2003
“[T]o insure that consumer reporting
agencies exercise their grave responsibilities
with fairness, impartiality, and a respect for
the consumer's right to privacy”
FCRA Guiding Principles
Privacy
Limited access to consumer reports
Same limits on government access, with
certain exceptions
Accuracy
Responsibilities of consumer reporting agencies
and information furnishers
Consumer dispute process
Fairness
Adverse action notices
Obsolete information deleted
Who Is Covered by FCRA
Consumer Reporting Agencies
Furnishers – information sources
Users of consumer reports
And more (merchants using debit/credit
cards; “financial institutions” and “creditors”)
FCRA Enforcement
Civil enforcement by many agencies:
FTC and federal banking agencies
State attorneys general
Consumers: private right of action in some cases
Criminal enforcement: federal or state
prosecutors (e.g., information obtained under
false pretenses, unauthorized disclosure by
credit bureau employees)
Consumer Report Defined
“any written, oral, or other communication of any
information by a consumer reporting agency bearing on a
consumer's credit worthiness, credit standing, credit
capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected
to be used or collected in whole or in part for the purpose of
serving as a factor in establishing the consumer's eligibility
for -- (A) credit or insurance to be used primarily for
personal, family, or household purposes; (B) employment
purposes; or (C) any other purpose authorized under
section 604.”
Definition Dissected
Two basic elements:
Information in report has a “bearing on” one or
more specified consumer characteristics (e.g.,
credit standing)
Report is “used or expected to be used (by the
user) ... for the purpose of ... establishing the
consumer’s eligibility (for purposes allowed by
the FCRA)...”
Some Important Points
Has to be about a consumer: if the information
does not identify a specific consumer, it is not a
consumer report
Ex. Flagging a specific internet transaction as
potentially fraudulent based on comparison to
aggregate data about internet transactions (e.g.,
time-of-day activity, geographic location, amount
of the transaction, etc.), without reference to an
individual consumer, is not a consumer report
Includes Summaries and Evaluations of Reports
Includes numerical or other evaluation of file
data by a CRA, such as a credit score that
bears on a consumer’s creditworthiness
Includes a list of the names of people meeting
certain characteristics – such as a list of
creditworthy individuals, or individuals on
whom CRAs have derogatory information
Examples of Consumer Reports
Credit report
Rental history
Check writing history/“bad check” lists
Employment history
Medical history
Insurance claims history
Consumer Reporting Agency Defined
“any person which, for monetary fees, dues, or
on a cooperative nonprofit basis, regularly
engages in whole or in part in the practice of
assembling or evaluating consumer credit
information or other information on consumers
for the purpose of furnishing consumer reports
to third parties, and which uses any means or
facility of interstate commerce for the purpose
of preparing or furnishing consumer reports”
Mutually Dependent Definitions
Consumer report = report provided by
consumer reporting agency
Consumer reporting agency = an entity that
provides consumer reports
Some Important Points
Entities that work together for a common
purpose without monetary compensation
may form a CRA
Exchange or data pool
Entities that repackage and/or resell
consumer report information may be CRAs
Evolution of the information industry: A case study
Case Study
In the Matter of Ingenix, Inc.
In the Matter of Milliman, Inc.
Consent Decisions and Orders issued
February 12, 2008
Where Industry Was
Life insurance companies used service
providers to get medical records
Service providers requested records from
health care providers, put in envelope, and
mailed to insurer
Record Retrieval Companies Are Not CRAs
An entity that performs only mechanical
tasks in connection with transmitting
consumer information is not a CRA because it
does not assemble or evaluate information. A
business that delivers records, without
knowing their content or retaining any
information from them, is not acting as a CRA
even if the recipient uses the records to
evaluate the consumer’s eligibility for
insurance or another permissible purpose.
Ingenix and Milliman
Provide reports on prescription drug
purchase histories of insurance policy
applicants, to insurance companies for
underwriting decisions
Obtain prescription drug histories from
Pharmacy Benefit Managers and create
prescription medical profiles
Why CRA – “Assemble” or “Evaluate”
“Assembled” -- Compiled information
into single report
“Evaluated” -- Analyzed information to
report potential medical conditions that
may be present
Administrative Enforcement Action
Complaints charged Ingenix and Milliman
with violating FCRA by failing to provide
Notice to Users
Notice to Users describes FCRA
responsibilities and obligations of recipients
of reports, including notifying consumers if
adverse action is taken, based in whole or in
part, on information contained in the
consumer report
Consent Order
5 year record keeping obligation
20 year injunction to comply with CRA duties:
Notice to Users
Only furnish reports to those with permissible purpose
Reasonable procedures to assure maximum possible
accuracy of information
Reasonable procedures to handle consumer disputes
Conduct reasonable reinvestigations
Comply with the Disposal Rule
Special Reports: Special Rules
Background Reports Are Consumer Reports
The definition of a “consumer report”
includes more than just consumer credit
information
Criminal background checks, educational
background checks, and license checks are
consumer reports because they involve the
individual consumer's “character, general
reputation, personal characteristics, or mode
of living”
Background Screening Companies Are CRAs
Company that provides oral/written reports
to employers about the prior work experience
of applicants
Company that regularly researches criminal
records of job applicants and reports them to
its clients
Special Rules in Employment
Written notice and authorization before
getting report
Pre-adverse action disclosure – copy of
report and Summary of Rights
Adverse Action Notice
Using Consumer Reports: What Employers
Need to Know
What they are and what they’re not.
What They Are
“Red Flag” means:
a pattern, practice, or specific activity that
indicates the possible existence of identity theft
“Red Flag Guidelines and Rules”
Where do they come from?
Fair and Accurate Credit Transactions (“FACT”)
Act of 2003
Amended FCRA
Passed in response to concerns about misuse of
personal information of consumers, including
identity theft
Instructed FTC and agencies to establish
guidelines and rules
Red Flag Guidelines
15 U.S.C. § 1681m(e)(1)(A): “The federal
banking agencies, the National Credit Union
Administration, and the [Federal Trade]
Commission shall jointly . . .
establish and maintain guidelines . . . regarding
identity theft with respect to account holders at,
or customers of, such entities, and update such
guidelines as often as necessary . . . .”
Joint Rulemaking
Final rules published November 9, 2007.
(Press Release)
Effective on January 1, 2008
Full compliance required by November 1, 2008
Identity Theft Prevention Programs
The rules require “financial institutions” and
“creditors” with “covered accounts” to
implement a written Identity Theft Prevention
Program to detect, prevent, and mitigate
identity theft in connection with:
The opening of a covered account or
The existence of a covered account
“Creditors” with “Covered Accounts”
“Anyone who arranges for the extension,
renewal or continuation of credit or any
assignee of an original creditor who
participates in the decision to extend, renew
or continue credit.”
“Creditors” with “Covered Accounts”
A consumer account that “involves or is designed to
permit multiple payments or transactions, such as a
credit card account, mortgage loan, automobile loan,
margin account, cell phone account, utility account,
checking account, or savings account” and
“Any other account that the financial institution
or creditor offers or maintains for which there is
a reasonably foreseeable risk to customers or to
the safety and soundness of the financial
institution or creditor from identity theft,
including financial, operational, compliance,
reputation, or litigation risks.”
The Guidelines
Intended to assist financial institutions and creditors in the
formulation and maintenance of a Program that satisfies
the requirements of the Red Flag Rules
Topics include
The Identity Theft Program
Identifying Relevant Red Flags
Detecting Red Flags
Preventing and Mitigating Identity Theft
Updating the Program
Methods for Administering the Program
Other Applicable Legal Requirements
Guideline Highlights
Identifying Red Flags
Categories of Red Flags
Alerts, notifications, or other warnings from consumer
reporting agencies or service providers, such as fraud detection
services
The presentation of suspicious documents
The presentation of suspicious personal identifying
information, such as a suspicious address change
The unusual use of, or other suspicious activity related to, a
covered account
Notice from customers, victims of identity theft, law
enforcement or others regarding possible identity theft
Appendix to Rule has 26 examples for the foregoing
categories.
Guideline Highlights (cont’d)
Procedures to detect Red Flags
Verify identity
Authenticate customers
Monitor transactions
Verify validity of address changes
Guideline Highlights (cont’d)
Appropriate Responses to Red Flags
Monitor accounts
Contact customer
Change passwords
Close and reopen account
Refuse to open account
Do not collect on or sell account
Notify law enforcement
No response
Guideline Highlights (cont’d)
Administering the Program
Oversight involves
Assigning specific responsibility
Reviewing reports
Approving material changes to Program
What They’re Not
Red Flags compliance v. data security
The definition of “financial institution” is not the
same under the Red Flags Rules and the Gramm-Leach-
Bliley Act
Compliance with HIPAA does not equal
compliance with Red Flags
FTC Activity
June 2008 “FTC Business Alert”
FTC set up an email address for questions:
[email protected]
Are you a financial institution or creditor?
Mandatory Compliance
By November 1, 2008 for:
“Financial Institutions”
“Creditors” that hold any consumer account or
other account for which there is a reasonably
foreseeable risk of identity theft
Are you a “Financial Institution”?
A “financial institution” is:
A State or National bank
A State or Federal savings and loan association
A mutual savings bank
A State or Federal credit union
“Any other person that, directly or indirectly, holds
a transaction account belonging to a consumer”
15 U.S.C. § 1681a(t) (emphasis added)
Transaction Account
“The term ‘transaction account’ means a deposit
or account on which the depositor or account
holder is permitted to make withdrawals by
negotiable or transferable instrument, payment
orders of withdrawal, telephone transfers, or
other similar items for the purpose of making
payments or transfers to third persons or others.
Such term includes demand deposits, negotiable
order of withdrawal accounts, savings deposits
subject to automatic transfers, and share draft
accounts.”
12 USCS § 461(b)(1)(C) (also known as section 19(b)
of the Federal Reserve Act)
Creditor
FCRA says,
“[t]he term[]…’creditor’ ha[s] the same meaning[]
as in section 702 of the Equal Credit Opportunity
Act.”
See 15 U.S.C. § 1681a(r)(5)
Are you a “Creditor”?
A “creditor” is:
Any person who regularly extends, renews or
continues credit
Any person who regularly arranges for the
extension, renewal, or continuation of credit
Any assignee of an original creditor who
participates in the decision to extend, renew, or
continue credit
15 U.S.C. §1691a(e) (also known as the Equal
Credit Opportunity Act, Definitions)
Step 1: Risk Assessment
Do you offer or maintain “covered accounts”?
How do you open “covered accounts”?
How do you provide access to your accounts?
What experiences do you have with
identity theft?
Step 2: Develop Program to
Identify red flags and incorporate
into Program
Detect red flags included in Program
Respond to red flags when detected
Periodically update program to address
changing risks
Step 3: Administer Program by
Obtaining approval of initial Program from
Board or appropriate Board committee
Ensuring adequate oversight
Training appropriate staff
Overseeing service provider agreements
Message from the Federal Trade Commission
“By now, the message should be clear: companies that
collect sensitive consumer information have a responsibility
to keep it secure.”
(FTC Chairman, Deborah Platt Majoras, March 27, 2008)
Using its authority under Section 5 of the FTC Act (which
prohibits unfair or deceptive practices), the Commission has
brought a number of cases to enforce promises in privacy
statements, including promises about the security of
consumers’ personal information. The Commission has also
used its unfairness authority to challenge information
practices that cause substantial consumer injury.
Privacy Initiatives
Traps for the Unwary
Private Right of Action?
Dissension over whether the FACT Act eliminated private rights
of action for all violations of § 1681m. See Perry v. First Nat.
Bank, 459 F.3d 816, 820 (7th Cir. 2006).
No question Congress declined to provide a private right of
action for violations of the red flag requirements and
guidelines set forth in § 1681m(e). See id. at 821; White v.
E-Loan, Inc., 409 F. Supp. 2d 1183, 1185-86 (N.D. Cal. 2006).
15 U.S.C. § 1681s-2(c)(3) provides that 15 U.S.C. §§ 1681n
and 1681o – which establish rights of action for willful and
negligent violations of the FCRA respectively – “do not
apply to any violation of…subsection (e) of section 1681m
of this title.”
The Beverly Litigation
FACTS:
Named Plaintiff applied to Wal-Mart
Application denied due to criminal record:
He was shown as a felon when he had been
convicted of a misdemeanor
Others in the class were shown as felons based on
records of other people with the same name but
different birth dates, SSNs
Inaccuracies blamed on ChoicePoint’s internal
controls
Beverly v. ChoicePoint, Inc.
CLAIM AGAINST CHOICEPOINT:
Two options for a CRA that reports public record
information for employment purposes:
Notify the consumer “at the time such public report
information is reported”
Maintain “strict procedures designed to insure that [the]
information . . . is complete and up to date”
ChoicePoint gave notice, but not until after it had
sent the reports to Wal-Mart
No court decision yet
Beverly v. Wal-Mart Stores, Inc.
CLAIM AGAINST WAL-MART:
Wal-Mart did not give sufficient time to dispute
the erroneous information
9/1/05: ChoicePoint, on Wal-Mart’s behalf, sent
notice to Beverly of contemplated adverse action
This included a copy of Beverly’s criminal history
report, as required by the FCRA
9/6/05: ChoicePoint, on Wal-Mart’s behalf, sent
notice to Beverly of adverse action
Due to Labor Day, both letters arrived on 9/7
The Beverly Litigation
IRONY:
Beverly called ChoicePoint on 9/7 to dispute
ChoicePoint sent Wal-Mart a corrected report
Wal-Mart hired Beverly
Beverly v. Wal-Mart Stores, Inc.
COURT DECISION: Court Opinion
Under the FCRA, an employer must give the
consumer “a reasonable period to respond” to the
initial notice and consumer report
Wal-Mart delegated this duty to ChoicePoint
ChoicePoint did not take into account postal delays that
would be caused by the holiday weekend
Ultimately, Wal-Mart is responsible for that mistake
Motion for summary judgment denied
Beverly v. Wal-Mart Stores, Inc.
LESSONS:
FCRA imposes technical obligations on CRAs and
employers
Employer can delegate its duties but remains
responsible
Courts interpret FCRA in light of its purpose
Consumers must be able to dispute inaccuracies
before the report is used against them
FCRA can be a trap for well-meaning and
sophisticated employers
Did we cover all of your questions, and/or generate new ones?
For More Information
Rebecca E. Kuehn
Assistant Director
Division of Privacy and Identity Protection
Federal Trade Commission
600 Pennsylvania Ave., N.W., NJ-3158
Washington, D.C. 20580
202.326.2017
[email protected]
www.ftc.gov
Jennifer R. Rossi
Business Litigator
Consumer Financial Services Team Leader
Robinson & Cole LLP
280 Trumbull Street
Hartford, CT 06103-3597
860.275.8355
[email protected]
www.rc.com
Fair Credit Reporting Act
FTC Fair Credit Reporting Act Page
FTC Business Alert: New ‘Red Flag’ Requirements for Financial
Institutions and Creditors Will Help Fight Identity Theft
If you have any additional questions, please ask.