The commission has brought a series of cases under these laws against businesses that lacked reasonable procedures to protect consumers’ personal information, often following major data compromises. Some cases have specifically involved the security of wireless data networks. In 2005, the Commission settled cases against
retailers DSW, Inc. and BJ’s Wholesale Club, Inc., after charging that their failure to adequately protect sensitive customer data was an unfair practice. Among other things, the commission alleged that both companies failed to use readily
available security measures to prevent unauthorized wireless connections to their computer networks. Both companies agreed to implement comprehensive information-security programs and obtain independent audits of the programs for the next 20 years.
Another major area of concern for the commission involving privacy and the wireless industry has been the use of pretexting and other fraudulent conduct to obtain and sell consumers’ cell phone calling records. Earlier this year, the commission filed five lawsuits in federal courts across the country against online data brokers who allegedly obtained and sold cell and landline telephone records without consumers’ knowledge or consent. The commission was aided greatly in its investigations by a number of telephone carriers. One of those lawsuits was settled in September, with the defendants agreeing to a permanent injunction and disgorgement of ill-gotten gains. While the other lawsuits are pending, the Commission is vigorously investigating others who may be engaged in telephone records pretexting and is working closely with the Federal Communications Commission. That agency has been leading efforts to ensure that wireless and landline carriers bolster their protections against pretexting.
Regulatory Activity
In 2003, Congress enacted the Fair and Accurate Credit Transactions Act (“FACT Act”), which extensively amended the FCRA. One of the principal goals of the FACT Act was to provide consumers with new tools for protecting their identities from unauthorized use, and the statute imposes a number of obligations on businesses. In addition, the FACT Act grants identity theft victims the right to obtain from
creditors and other firms the underlying business records relating to potentially fraudulent transactions. The commission, along with the federal bank regulatory agencies, has the responsibility to implement many of these new requirements through rulemaking and to ensure that businesses comply with their obligations.
Policy and Legislation
Not surprisingly, consumer privacy and data security are frequent topics of debate on Capitol Hill. In 2006, FTC officials testified several times before congressional committees on privacy matters affecting the wireless industry, including with respect to protecting consumers’ cell phone records. The commission has recommended new legislation that would explicitly prohibit pretexting for phone records and grant the agency authority to seek civil penalties against violators.
