FTC

Updated guide from the FTC: fighting identity theft with Red Flags Rule for businesses

On June 12, 2013, the Federal Trade Commission (the “FTC”) issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft. The guidance outlines which businesses – financial institutions and some creditors – are covered by the Rule and what is required to protect consumers from identity theft.

The FTC enforces the Red Flags Rule with several other agencies. Its guide has tips for organizations under FTC jurisdiction to determine whether they need to design an identity theft prevention program, and can help businesses spot suspicious patterns and prevent the costly consequences of identity theft.

June 27th, 2013|Educational Series, Guidance|

FTC says data brokers willing to sell consumer information and disregard FCRA

On May 7, 2013, the Federal Trade Commission (the “FTC”) announced the results of its testing operation, revealing that 10 companies out of the 45 that the FTC approached seemed to be willing to sell consumer information without complying with the Fair Credit Reporting Act (“FCRA.”) The FTC reported that its staffers asked the companies about buying the information for purposes such as determining creditworthiness, suitability for employment or eligibility for insurance.

Six of the 10 companies appeared willing to sell consumer information for employment purposes, two for insurance decisions and two for pre-screened lists of consumers to use in making firm offers of credit. The data brokers were contacted again by the FTC, but this time in the form of letters, warning that their practices may violate the FCRA. The warning letters are part of an ongoing international effort spearheaded by the Global Privacy Law Enforcement Network, an informal group of consumer protection and privacy agencies.

May 9th, 2013|Criminal Activity, Educational Series|

Most service providers are not subject to Red Flags Rule

The Federal Trade Commission (the “FTC”) interim final rule which became effective February 11, 2013 confirms that most service providers are not subject to the Red Flags Rule. The rule clarifies the meaning of “creditor” ensuring that its definition is consistent with the revised definition of that term in the amended Fair Credit Reporting Act (the “FCRA”). A “creditor” must develop and implement a written identity theft prevention program premised on identifying “red flags” of identity theft only if in the ordinary course of business, the “creditor” regularly: 1) obtains or uses consumer reports in connection with a credit transaction; 2) furnishes information to consumer reporting agencies in connection with a credit transaction; or 3) advances funds to or on behalf of a person, in certain cases.

However, any entity collecting consumer data must remain vigilant in how it collects, uses and safeguards that data. The FTC may pursue enforcement actions under the FTC Act when a company does not take reasonable privacy protection measures scaled to the risk level of their business practices.

March 29th, 2013|Educational Series, Legislation|

CFPB’s takeover of FCRA enforcement requires new notices by January 1, 2013

In July 2012, the newly-created Consumer Financial Protection Bureau (“CFPB”) under the Dodd-Frank Wall Street Reform and Consumer Protection Act assumed rulemaking and enforcement authority of the Fair Credit Reporting Act (“FCRA”) from the Federal Trade Commission (“FTC”).

Although more changes are likely to come, beginning January 1, 2013, businesses, including employers, and consumer reporting agencies, will be required to provide a new version of the “Summary of Rights” form to individuals before taking any adverse action based on the contents of a consumer report. Notably, the adverse action process that must be followed under the FCRA has not changed; the revisions are generally stylistic and substitute “CFPB” for references to the FTC. There is also an updated and expanded list of contacts included at the end of the form.

To download the PDF versions of the updated Summary of Rights, and forms regarding the obligations of users and furnishers of consumer reports, click on the links below.

Summary of Rights under the FCRA.pdf

Obligations of Users of Consumer Reports under the FCRA.pdf

Obligations of Furnishers of Consumer Reports.pdf

January 7th, 2013|Legislation|

FTC’s civil rights testimony recaps FCRA obligations and aggressive enforcement

On December 7, 2012, the Federal Trade Commission (the “FTC”), submitted its written testimony to the U.S. Civil Rights Commission on the use of criminal background checks in employment decisions. The Commission intends to apply the testimony in reviewing the EEOC’s guidance that an employer’s use of an individual’s criminal history in making employment decisions may, in some instances, violate the prohibition against employment discrimination under Title VII of the Civil Rights Act of 1964. The EEOC suggests that minorities are disproportionately likely to have criminal records, which means that when employers use criminal background reports, minorities are possibly affected more than other groups.

Notably, in its testimony, the FTC, which shares the authority for enforcing the Fair Credit Reporting Act (“FCRA”) with other federal agencies, including the Consumer Financial Protection Bureau (“CFPB”) does not say anything substantial about civil rights.

The testimony does, however, provide a good recap of the legal rights and obligations prescribed by the FCRA when consumer reports are used for employment purposes, and highlights the FTC’s law enforcement efforts in this area. As its starting point, the testimony reminds that the FCRA imposes several requirements on consumer reporting agencies (“CRAs”) that provide consumer reports to employers, which include ensuring that the employer is in fact using the report for a permissible purpose. In the employment context, permissible purposes are limited to “employment, promotion, reassignment, or retention.” Thus, employers may only obtain a consumer report about applicants or employees, and may not simply use their status as employers to get information about competitors, opposing parties in litigation, or anyone else. Relatedly, under the permissible purpose requirement, CRAs must have reasonable procedures in place to ensure that the consumer report users are who they claim.

The CRAs also must comply with certain procedural requirements, such as giving all users of consumer reports a notice that informs them of their duties under the FCRA. The CRAs must obtain certifications from the employer that: (1) it is in compliance with the FCRA; and (2) it will not use consumer report information in violation of any federal or state equal employment opportunity laws or regulations.

Further, the FCRA mandates that CRAs follow “reasonable procedures to assure maximum possible accuracy of the information

[15 U.S.C. § 1681e(b)].” It does not establish, however, a requirement of absolute accuracy and does not require that the CRAs guarantee that the reports are error-free.

If a CRA provides a report that has negative information about an applicant or employee that is based on public records — for example, tax liens, outstanding judgments, or criminal convictions — that CRA either has to notify the applicant or employee directly that it has provided the information to the employer, or has to adopt strict procedures to ensure that the information is complete and up to date [15 U.S.C. § 1681k(a)(1)-(2)]. Regardless of whether a CRA opts to provide the notice or adopt strict procedures, FCRA § 1681e(b), as noted above, requires CRAs to have “reasonable procedures to assure maximum possible accuracy.”]

The FCRA also places specific obligations upon employers to provide certain disclosures to the applicants or employees, and obtain their written authorization before using consumer reports. If an employer intends to take an adverse action based either in whole or in part on the information in a consumer report, such as denying a job application, reassigning or terminating an employee, or denying a promotion, the employer must provide the applicant or employee with a pre-adverse action notice before taking the action. The pre-adverse action notice must include a copy of the consumer report on which the employer is relying and a summary of rights under the FCRA. The form, which recently was reissued by the CFPB, describes the consumers’ rights under the FCRA, including the right to obtain copies of their consumer reports and dispute information.

Once the employer has taken the adverse action, it must give the applicant or employee a notice that the action was based on information in the consumer report. This adverse action notice must include the name, address, and phone number of the CRA that supplied the report, and must inform the applicant or employee of his or her right to dispute the accuracy or completeness of any information in the report, and the right to obtain a free report from the CRA upon request within 60 days. Even though a consumer has the right to dispute errors, the CRAs and furnishers of information to the CRAs typically are allowed thirty days to investigate the consumer’s dispute, and the information may not be corrected in time to affect the consumer’s consideration for a particular job.

The FTC points out that it has pursued an aggressive law enforcement program to ensure that CRAs, furnishers, and consumer report users (including employers) comply with their responsibilities under the FCRA, providing details of recent lawsuits for FCRA violations that resulted in civil penalties against CRAs ranging from $800,000 to $2.6 million. Its recent actions against employers included charges against railroad contractors for failing to provide pre-adverse action and adverse action notices to employees who were fired and job applicants who were rejected based on information in their consumer reports. Under negotiated settlement orders, the companies were required to pay penalties in the amount of $1,000 per violation, and are subject to specific injunctive, record-keeping, and reporting requirements to ensure compliance with the FCRA.

The FTC’s enforcement actions and the latest wave of class action lawsuits enforce that FCRA compliance must be a priority for employers, CRAs and furnishers of information alike.

January 7th, 2013|Educational Series, Legislation|

Agencies jointly support that FCRA Section 1681c does not violate first amendment

On May 3, 2012, the Federal Trade Commission (FTC) joined the Department of Justice (DOJ) and the Consumer Financial Protection Bureau (CFPB) in filing a memorandum brief in support of the constitutionality of the Fair Credit Reporting Act (FCRA), established in 1970 to protect credit report information privacy and to ensure that the information supplied by consumer reporting agencies (CRAs) is as accurate as possible.

In the case of Shamara T. King vs. General Information Services, Inc. (GIS), the CRAs address a provision of the FCRA that balances the Act’s dual purposes, i.e., to protect consumers from privacy invasions caused by the disclosure of sensitive information and to ensure a sufficient flow of information to allow the CRAs to fulfill their vital role.) The provision, Section 1681c, bars CRAs from disclosing arrest records or other adverse information that is more than seven years old, in most cases.

The agencies brief refutes GIS’s argument that this FCRA protection is an unconstitutional restriction of free speech, pointing out that the recent U.S. Supreme Court case law that GIS cites to support its argument, Sorrell v. IMS Health Inc., “does not change the settled First Amendment standards that apply to commercial speech, nor does it suggest that restrictions on the dissemination of data for commercial purposes

[such as those by CRAs] must satisfy stricter standards.” Therefore, the brief concludes, the court should not invalidate the FCRA provision, as it “directly advances the government’s substantial interest in protecting individuals’ privacy” while also accommodating the interest of businesses. The case is pending.

May 21st, 2012|Judgment|

The White House casts “Consumer Privacy Bill of Rights”

Over two years in the making, and backed by online ad powerhouses such as AOL, Microsoft, Yahoo, and even Google, the Bill of Rights announcement on February 22, 2012 pulls together consumer privacy initiatives of both the Federal Trade Commission (FTC) and the Commerce department. Intended to lead to new legislation that fills the gaps of current U.S. privacy laws, the bill promotes a set of standards for the fair handling of private information based on a set of principles that date back to the early 1970s known as the Fair Information Practices.

The Consumer Privacy Bill of Rights applies to personal information, which means any data, including aggregations of data that is identifiable to a specific individual, and to a specific computer or other device. According to the Administration, this bill will establish codes of conduct and call for strong enforcement, ultimately increasing interoperability between the U.S. consumer data privacy framework and that of its international partners. Below are the bill’s highlights.

Individual control. Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices.
Respect for context. Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
Security. Consumers have a right to a secure and responsible handling of personal data.
Access and accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
Focused collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain.
Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to ensure that they adhere to the Consumer Privacy Bill of Rights.

March 2nd, 2012|Legislation|

Identity theft again tops FTC’s top complaints list for 2011

Identity theft again tops FTC’s top complaints list for 2011

The Federal Trade Commission (FTC) on February 27, 2012 released its list of top consumer complaints received by the agency in 2011. For the twelfth year in a row, identity theft topped the list at 279,156 complaints or 15%. The breakdown for the next nine complaint categories (from a list of 30) is as follows:

Category	Number	Percentage
Debt collection	180,928	10
Prizes, sweepstakes, and lotteries	100,208	6
Shop-at-home and catalog sales	98,306	5
Banks and lenders	89,341	5
Internet services	81,805	5
Automobile-related	77,435	4
Imposter scams	73,281	4
Telephone and mobile services	70,024	4
Advance-fee loans and credit protection/repair	47,414	3

The FTC records the complaints in its Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. Other federal and state law enforcement including the U.S. Postal Inspection Service, the Department of Justice’s Internet Crime Complaint Center, and the attorneys general offices of Idaho, Michigan, Mississippi, North Carolina, Ohio, Oregon, Tennessee, and Washington also contribute to the database content, along with private-sector organizations such as U.S. and Canadian members of the Better Business Bureau, Western Union and Moneygram, and the Lawyers Committee for Civil Rights Under Law.

February 29th, 2012|Criminal Activity, Educational Series|

Mobile apps may violate Fair Credit Reporting Act

On February 6, 2012, the Federal Trade Commission (FTC) issued warning letters to the marketers of six mobile applications that provide background screening apps that they may be violating the Fair Credit Reporting Act (FCRA.) The FTC said that if the background reports are being used for employment or other FCRA purposes, then the marketers and their clients must comply with the FCRA.

According to the warning letters, the FTC has not made a determination whether the companies indeed are violating the FCRA, but encourages them to review their apps, and their related policies and procedures. The FCRA is designed to protect the privacy of consumer report information and ensure that the information provided by consumer reporting agencies is accurate. Consumer reports are communications that include information about an individual’s character, reputation, or personal characteristics, and are used or expected to be used for purposes such as employment, housing or credit.

Under the FCRA, entities/operations that assemble or evaluate information to provide to third parties qualify as consumer reporting agencies (CRAs.) Mobile apps that supply such information also may qualify as CRAs under the Act. CRAs must take reasonable measures to ensure the user of each report has a ‘permissible purpose’ to use the report, take reasonable steps to ensure the maximum possible accuracy of the information conveyed in the report, and provide users of its reports with information about their obligations under the FCRA. In employment-purpose consumer reports, for example, CRAs must provide employers with information regarding their obligation to give notice to employees and applicants of any adverse action taken on the basis of a consumer report.

February 7th, 2012|Judgment|

Epidemic of fake websites is real

Cyber crime experts report that fake websites are proliferating at the rate of 60,000+ per week or over 3,100,000 per year. And the fraudsters’ malicious exploitations are getting bold and more sophisticated, creating sites that are difficult to discern from those of legitimate businesses or organizations. From banks (which make up about 68% of fraudulent sites) to regulators and news reporting agencies, no entity is immune.

Recently, several local and national newspapers reported on a publicity campaign by a public relations company that purportedly set up a fake news site to promote one of its clients, a public entity, with positive articles and press releases “written in the image of real news” by “journalists” who allegedly do not exist. Although Web experts note that it is fairly common for celebrities and private-sector businesses to generate buzz or improve sales through news coverage, open government advocates called this stunt an egregious breach of trust and ethical standards.

The Federal Trade Commission (FTC) issued warnings a few months ago about scam artists exploiting well-known news organizations by setting up fake news sites to peddle their wares. The sites, which usually display logos of legitimate news organizations, promote everything from bogus weight loss products to work-at-home jobs, anti-aging products and debt reduction plans. The FTC cited several investigations that resulted in charges against the fraudsters, saying that many of the websites are owned by marketers and used to entice consumers to click on links to the sellers’ sites. In its case against acai berry supplement peddlers, the FTC disclosed that the sellers paid the marketers a commission based on the number of consumers they lured to their sites. There was no reporter, no studies, no dramatic weight loss, no satisfied consumers who left comments, and no affiliation with a reputable news source. As a rule, the FTC noted, legitimate news organizations do not endorse products.

The FTC itself, and other regulators have not escaped the fraudsters’ blitz. In April 2011, the FTC brought charges against an individual for multiple violations of the Federal Trade Commission Act for misrepresenting his affiliations with federal agencies, including the FTC, misrepresenting that the services advertised on his websites were government-approved, and making deceptive debt relief claims. The FTC alleged that the individual, a Texas-based “lead generator,” set up several websites through which he associated his business with a fictitious government agency – the “Department of Consumer Services Protection Commission” – that appeared to combine two real government entities, the Federal Trade Commission and the Consumer Financial Protection Bureau. Among other charges, the FTC stated that to further these scams, the websites depicted the FTC’s official seal, copied language about the fictitious agency’s consumer protection mission from the FTC’s site, and claimed that the fake agency “monitors and researches” member companies that provide financial assistance to American consumers.

The scammers and their fake websites are also busy abroad. Earlier this month, international news sources reported that Russian fraudsters set up a counterfeit site of a popular five-star hotel, complete with the real hotel’s photographs, room descriptions and services. According to published reports, they also paid a fee to Google to ensure that their bogus site was listed before the hotel’s genuine site. The fraudulent website purportedly came to an abrupt end after, among other disparities, it was discovered that the room rates were advertised in dollars.

Another story about a flagrant website invasion came in October 2011 from Belgrade, where Serbian media reported that a mock-up of the official Nobel Prize website was set up purportedly by political activists to promote their causes and views.

Fraudulent websites appear daily and no industry or organization is beyond these fraudsters’ reach. Scherzer International, a provider of specialized background investigations for business transactions and employment decisions, includes comprehensive website reviews in its reports. We know how to spot scams, exaggerated claims and other red flags.

November 29th, 2011|Educational Series, Fraud|

Previous 123 Next