April 15, 1997

Secretary

RE: Data Base Study -- Comment, P974806

Dear Sir:

The National Consumers League respectfully submits these comments in response to the Federal Trade Commission's notice of March 4, 1997 requesting public comment and announcing a public workshop on consumer information privacy. These comments are directed specifically to the issue of computer data bases. NCL is a private, nonprofit, membership organization representing consumers in the marketplace and the workplace since its founding in 1899.

Request to Participate in Public Workshop

Because privacy of data base information has significant implications for consumers in terms of fraud, their ability to obtain products and services, and other concerns, NCL also asks to participate in Session One of the public workshop on this subject that will be held by the Federal Trade Commission in June.

Information Collection and Use

1.10 Whenever data bases are created, there is potential for theft of consumers' credit identities. For example, Reuter News reported on November 20, 1996 that several Social Security Administration employees had been charged with giving confidential consumer information to credit card thieves in exchange for cash bribes. This information, including consumers' social security numbers and their mothers' maiden names, was used to activate credit cards that had been sent to consumers but stolen by thieves before reaching them. Brian Gimlett, head of the New York office of the U.S. Secret Service, was quoted as saying that the incident illustrated "the reality that employees of government agencies or corporations who have access to personal information may take advantage of their position of trust to steal personal information and sell it for financial gain." This potential is obviously not limited to employees of entities that create and maintain data bases containing consumers' personal information.
Individuals can use their computers to "hack" into corporate or government data bases out of curiosity, with malicious intent, or to gather information for fraudulent purposes, such as identity theft. Retailers, landlords, creditors and their employees who have access to consumer data base information for permissible purposes can also misuse it or pass it to others. For instance, auto salespeople have been caught in the act of obtaining consumers' credit reports and selling the information to thieves who then assumed the consumers' identities to get credit in their names.

1.11 It is difficult to compare the risks of collection, compilation, sale and use of this information with the benefits. It cannot be calculated by simply measuring corporate losses due to credit card or other types of fraud against the amount of credit that is extended legitimately to consumers. Victims of identity theft must spend considerable time and money notifying creditors and credit reporting bureaus, providing affidavits, closing accounts and opening new ones, etc. And how does one measure the loss of peace of mind that consumers experience when they discover that their personal information has been stolen and can never be retrieved?

1.12 Data base creators address this risk through their internal policies and security systems. For example, the National Consumers League operates the National Fraud Information Center, which gathers information about possible telemarketing and Internet fraud from consumers via the telephone or the Internet and relays that information to law enforcement agencies. By policy, the NFIC does not request unnecessary information from consumers, such as their social security numbers, credit card numbers or bank account numbers, and no information is entered into the system without disclosure of the fact that it will be shared with law enforcement agencies and the consumers' consent.
Any written information that consumers send to the NFIC is shredded after being inputted. Law enforcement agencies must use identification numbers to obtain reports, and access is not provided by remote log-in. The NFIC web site has various "firewalls" to protect it. Only a limited number of employees have physical access to the data base. Even the physical location of the NFIC is not publicly disclosed.

Are these policies and procedures foolproof? While we have not had any problems with breach of security or inappropriate use of our data, we cannot say with absolute certainty that there is no risk, nor can the creator of any data base. Furthermore, there is not necessarily any uniformity in how data bases are managed or the levels of protection provided.

1.16 While there is no guarantee of the security of consumer information contained in data bases, privacy issues can be addressed by policies and procedures such as those described above. Voluntary policies for disclosure and privacy protection are important, but minimum legal requirements for data base practices would help to ensure uniformity and accountability.

Consumer education is also vital in addressing this privacy issue. Consumers must understand the implications of supplying personal information which will be maintained in data bases. For example, one company that was selling music through a toll-free number created a data base for customer accounts using their social security numbers as identifiers. When we questioned the wisdom of this, company representatives responded by saying that in focus groups, consumers chose social security numbers as the easiest things for them to remember when calling to order. It did not occur to either the company or the consumers that including social security numbers in the data base could expose them to potential abuse by employees or others.

1.18 The ultimate use of consumers' personal information is not always disclosed to them; in fact, they may not have even provided that information to a data base directly. Last year there was a great deal of furor over the possibility that P-Trak, the Lexis-Nexis data base, was providing people's social security numbers to "legal professionals" for various purposes. While the company explained that social security numbers were no longer included in its records, other information such as an individual's maiden and assumed names, current and previous addresses, month and year of birth, and telephone number is available from the service. This information is gathered from public sources, but consumers are not informed when they provide such information that it may be compiled and sold down the line, or for what purposes. Information can also be gathered by private sources and sold to others without disclosing to consumers its ultimate use.

1.19 Because privacy policies are voluntary, how much choice and control consumers have over what information is collected by data base operators and how it is used varies widely.

1.20 Consumers cannot have effective mechanisms to remove their information from data bases unless they know that information about them is being compiled and by whom. In addition to this information, consumers need to be given toll-free numbers or other no-cost methods to notify data bases if they wish to remove their information, check it for accuracy, or correct mistakes.

Self-Regulation

1.29 Self-regulatory efforts have been useful in encouraging data base operators to establish effective privacy policies and procedures. However, they are limited by the fact that not all data bases adopt them and that there is no meaningful penalty for failing to adopt or adhere to them. Data base operators are not necessarily subject to market pressure from consumers, especially if their customers are mainly other businesses.
The basic need to have minimum mandatory standards for data base operators and information suppliers is reflected in the recent amendments to the Fair Credit Reporting Act, which place greater responsibility for notice, accuracy of information, and consumer access to information on both credit bureaus and creditors.

Consumer and Business Education

1.34 The principal message that should be conveyed in consumer education is that people cannot be passive about their personal privacy. They need to understand the risks involved in the misuse of such information so that they will be compelled to question why it is needed and how it will be used; obviously the previously mentioned music service customers were unaware of the possible pitfalls of using their social security numbers as their account numbers. Often consumer education about privacy attempts to "sell" consumers on the benefits of data collection and its use and downplays the risks. While there are often benefits for consumers stemming from data collection and distribution, effective consumer education must be balanced and should center on taking charge of one's private life. However, this will be a hollow educational message unless consumers actually get meaningful disclosures and have real choices to exercise.

Respectfully submitted,

Linda F. Golodner, President
Susan Grant, Vice President Public Policy