The federal government is obviously serious about enforcing the do-not-call law. The $5 million penalty announced this week against DirecTV was a record. But the stiff fine isn't noteworthy because of its size; it's noteworthy because the offending company had to pay up at all.
So far this year, there have been more than 25 major security breaches, with information on 50 million people exposed by American companies. And so far, none of the offending companies have had to pay anything.
The job of protecting Americans' privacy falls largely to the Federal Trade Commission. It's been the FTC's style to settle privacy cases by forcing the companies involved to agree to auditing, and to issue a press release that calls out the offender. It's a gentle touch, much gentler than the harsh hand that struck DirecTV this week.
This just in (Dec. 19): Another massive data leak involving 2 million consumers, and a clarification from the Federal Trade Commission. See the bottom of this entry.
Here's a case in point. The only prominent data leak case settled this year involved DSW Shoe Warehouse, which lost financial account information on 1.4 million people. Let's compare the FTC press release issued Dec. 1 on the DSW case with the press release issued this week on the DirecTV case.
- DSW: "The settlement will require DSW to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years."
- DirecTV: "Satellite television provider DIRECTV will pay $5,335,000 to settle FTC charges that, since October 2003, DIRECTV and companies it hired to promote DIRECTV programming have been violating the Do Not Call (DNC) provisions."
That's quite a disparity. Someone might interpret the message this way: Disturb me at dinner with a phone call, pay a $5 million fine; lose all my personal information, face a press release.
To be fair, the Federal Trade Commission has brought a host of cases against firms with shoddy privacy practices. ChoicePoint Inc., the first in this year's string of disclosures, has revealed in a filing with the Securities and Exchange Commission that it is facing an FTC inquiry. Agency spokeswoman Claudia Bourne Farrell said the FTC has "other cases in the pipeline." She also said that some laws and regulations tie the agency's hands: some do not allow the agency to impose a civil penalty on first offense. Other cases coming down the pike may include such penalties, she said.
Other agencies not on the case?
And it's unfair to lay all this on the FTC -- it's not the only agency that could levy fines after the data leaks. Many of the leaks also represent violations of the Gramm-Leach-Bliley Act, which ensures the privacy of financial information. Various banking regulators could issue fines in connection with leaks involving banking operations. Other leaks, involving health information, violate the Health Insurance Portability and Accountability Act (HIPAA), which protects medical information. The Department of Health and Human Services can impose civil fines. The Justice Department could impose criminal fines.
So far, the silence has been deafening.
It's nearly impossible to say definitively that there have been no data-leak-related fines this year, since there have been so many disclosures and so many agencies are involved. But clearly, there hasn't been anything on the order of DirecTV's penalty.
Privacy advocate Chris Hoofnagle says government agencies just aren't doing enough to protect consumers.
"Until there are real fines, there isn't adequate economic incentive to respect people's privacy," he said.
Little has changed
Instead, after a year of bad news in the world of consumer data, very little has changed. Nearly 20 bills have been introduced in Congress to deal with the data leak problem; none have passed. While Americans have been introduced to a new industry -- commercial data brokers such as ChoicePoint -- the firms continue their unfettered trade in America's private information.
"This was the perfect storm to get attention to this issue," said Rob Douglas, who operates PrivacyToday.com. "But it seems the perfect storm has started to move off the radar screen."
Indeed, an industry study released two weeks ago, authored by ID Analytics, suggested most victims of data leaks didn't end up as victims of identity theft, producing buzz that ID theft fears are overblown. The study missed the point. Twelve months ago, most Americans had never heard of ChoicePoint. Today, they still wonder why this company and others like it can make money off of their personal information without their permission -- and why those same companies can lose their personal information with impunity.
There is some reason for optimism. The do-not-call list is one of government's great success stories. There is wide participation by consumers; satisfaction rates are also high, as most people report a large drop-off in bothersome phone calls. And now, the outliers have been warned by the consumers' representative in Washington -- cheating will not be tolerated. If I were a telemarketer, I'd be scared of the FTC. A $5 million fine will do that.
Let's hope Washington adopts the privacy issue with the same vigor, and similar results.
This Just In: Dec. 19, 6 p.m. ET
Another massive leak
During the weekend, word emerged that mortgage firm ABN AMRO Mortgage Group Inc. -- which operates Mortgage.com -- has lost track of a data tape with 2 million customers' identities on it. According to a company statement, the tape was destined for credit bureau Experian in Allen, Texas, chock full of consumer data, including Social Security numbers. Banks routinely send such tapes to the credit bureaus with recent payment information to keep credit reports up to date. The story is eerily similar to an incident in June, when CitiFinancial tapes destined for the same Experian office were lost. In that case, 3.9 million identities were exposed.
Also, Joel Winston from the Federal Trade Commission called to offer more details about the agency's position on data leaks and fines. Winston said the agency's hands are tied tightly by Congress, and it often has no authority to levy fines. Cases against data leakers so far have been litigated under the FTC Safeguards Rule, which springs from the Gramm-Leach-Bliley Act, or under the Federal Trade Commission Act. Winston said neither law, as written by Congress, gives the agency the ability to ask for monetary penalties on a first offense. Only if a company breaks a settlement agreement with the FTC can a fine be levied, he said.
Some data leak cases involve information covered by the Fair Credit Reporting Act, which does allow fines, and the agency is now exploring the possibility of litigating cases using that law.
As Congress ponders a new data security law, the FTC has asked lawmakers for a provision that would give the agency the ability to obtain monetary penalties.
"We think that penalties are an important remedy," he said. Hopefully, Congress will agree.