[Federal Register Volume 64, Number 207 (Wednesday, October 27, 1999)] [Notices] [Pages 57887-57890] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 99-28007] ======================================================================= ----------------------------------------------------------------------- FEDERAL TRADE COMMISSION Privacy Act of 1974; System of Records AGENCY: Federal Trade Commission (FTC). ACTION: Notice of new Privacy Act system of records. ----------------------------------------------------------------------- SUMMARY: The FTC is establishing a new system of records subject to the Privacy Act of 1974, as amended. This system implements the requirements of the Identity Theft and Assumption Deterrence Act of 1998. The Commission will use this system to log and acknowledge complaints submitted by victims of identity theft, to provide information to such individuals, and to refer their complaints to appropriate entities. DATES: Comments must be submitted by November 26, 1999. This system notice, which is being published in proposed form, shall become final and effective December 13, 1999, without further notice unless otherwise amended or repealed by the Commission on the basis of any comments received. ADDRESSES: Submit comments in writing to the Office of the Secretary, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580, ``FTC File No. P994320, Identity Theft Program-Comment.'' FOR FURTHER INFORMATION CONTACT: Alex Tang, Attorney, Office of the General Counsel, FTC, 600 Pennsylvania Avenue, NW, Washington, DC 20580, (202) 326-2447. For more information about the Commission's identity theft program, contact Beth Grossman, (202) 326-3019, or Joanna Crane, (202) 326-3258, Attorneys, Division of Planning & Information, Bureau of Consumer Protection, FTC, 600 Pennsylvania Avenue, NW, Washington, DC 20580. SUPPLEMENTARY INFORMATION: In accordance with the Privacy Act of 1974, as amended, 5 U.S.C. 552a, the FTC is publishing this notice of a new agency system of records, to be designated as FTC-IV-2, ``Identity Theft Complaint Management System-FTC.'' This system will enable the FTC to fulfill its statutory responsibilities under section 5 of the Identity Theft and Assumption Deterrence Act of 1998, Pub. L. 105-318, 112 Stat. 3007, 3010, 18 U.S.C. 1028 note (``ITADA''). The ITADA designates the FTC as a clearinghouse for the receipt and referral of identity theft complaints and requires that the FTC establish procedures: (1) To log and acknowledge receipt of complaints from individuals who certify that they have a reasonable belief that one or more of their means of identification have been assumed, stolen, or otherwise unlawfully acquired in violation of the statute; (2) to provide informational materials to such individuals; and (3) to refer such complaints to ``appropriate entities.'' Under the statute, these entities include, but are not limited to, the three major national consumer reporting agencies (currently Equifax, Experian and Trans Union), and appropriate law enforcement agencies for potential law enforcement action. The new system of records is designed to meet these statutory requirements and will be managed and operated by the FTC's Bureau of Consumer Protection, Division of Planning & Information. The system consists primarily of a computerized database that will compile and track identity theft complaints received by the agency. Copies of identity theft complaints originally received in paper format (e.g., by mail or fax) will also be considered part of the system, but will be retained for only a temporary period after they are entered by agency personnel or contractors into the database. Records in this system will include complaint information submitted by identity theft victims or on their behalf by others (e.g., friends or relatives). Additional sources of information will include other federal, state and local agencies (``data-contributing agencies'') and retail businesses that may suspect they are dealing with an individual or entity engaged in identity theft. The FTC will use the system to log and acknowledge these complaints, to provide identity theft victims with information on how to deal with credit or other problems that may result from [[Page 57888]] identity theft, and to evaluate and refer their complaints to appropriate entities. Until the system is fully established and operational, data from these complaints are being compiled and maintained in the Commission's general consumer complaint database (FTC-IV-1). That database, however, was not originally designed to serve the special statutory purpose for which the identity theft complaint system is being created, nor was it meant to record or track certain identity theft data that the FTC intends to collect with respect to identity theft complaints. Records in the identity theft complaint system will also be maintained and retrieved according to a somewhat broader category of individuals, as described below. Thus, the Commission is treating these complaint systems as separate systems of records for Privacy Act purposes, even if, as a practical matter, the information in both systems will reside on a common relational database and will be compiled and entered into the database by many of the same agency and contractor personnel. Despite the sensitive nature of identity theft complaint data, the ITADA does not itself contain any provisions to protect the confidentiality of the data that the Commission is required to compile. Nonetheless, because these complaints will be collected and maintained in a system of records pertaining to individuals within the meaning of the Privacy Act, such records will be disclosed by the Commission only as authorized by that Act. See 5 U.S.C. 552a(b). The Commission intends that such disclosures will include certain necessary ``routine uses'' that the Commission has previously published pursuant to subsection (b)(3) of the Act, 5 U.S.C. 552a(b)(3), and made generally applicable to all of its FTC Privacy Act systems of records (e.g., use in government law enforcement litigation, where necessary). See 57 FR 45678 (1992) (Appendix I). Likewise, identity theft complaint data may also be incorporated, as appropriate, into other systems of records maintained by the Commission, such as the Commission's general complaint database (FTC-IV-1, cited earlier) or its legal investigatory files (FTC-I-1), and would be subject to any ``routine uses'' applicable to those systems. The Commission has also identified certain additional ``routine uses'' that are necessary in order to carry out the requirements of the ITADA. These ``routine uses'' include referral of the complaint to a company that is the subject of the complaint or otherwise associated with the complaint, such as the three major national consumer reporting agencies, since such entities would be in a position to resolve the complaint by taking investigative or corrective action. Another ``routine use'' is disclosure of the complaint to other federal, state, or local government authorities for law enforcement or regulatory purposes. This routine use will allow referral of complaint data for investigatory purposes with or without a specific law enforcement request from such authorities, as would otherwise be required by the Privacy Act. See 5 U.S.C. 552a(b)(7). It will also allow routine disclosure of complaint records, as needed, to other regulatory agencies at the federal, state or local level so they have the information they need to identify methods or patterns of identity theft and to develop regulations, policies, or other safeguards or remedies to help stop or prevent identity theft. Once the Commission makes an authorized disclosure of complaint data to a company or another government agency, complainants should be aware that further disclosures beyond the Commission's control may not be avoidable as a practical or legal matter. The Commission intends to limit this risk by sharing complaint information only under confidentiality agreements that require that the information be used only for purposes consistent with the ITADA (e.g., resolving the individual's complaint, law enforcement or regulation, etc.). Similarly, neither the ITADA nor the Privacy Act prevents a request for public disclosure from being filed under the Freedom of Information Act, 5 U.S.C. 552. Identity theft complaint data would normally be exempt from disclosure under that statute, however, where such disclosure would constitute a clearly unwarranted invasion of personal privacy, 5 U.S.C. 552(b)(6), or for other reasons. See, e.g., 5 U.S.C. 552(b)(7)(A) (investigatory materials that are compiled for law enforcement purposes and, if disclosed, could reasonably be expected to interfere with law enforcement proceedings). Because the categories of individuals covered by the system may include, among others, the target of an identity theft complaint, the Commission has determined that it is necessary to exempt the system from disclosure to such individuals for law enforcement purposes, even in cases where the Commission may choose to make the complaint file available for review by the complainant or other individual who submitted the information. Thus, the Commission proposes to exempt this system of records under 5 U.S.C. 552a(k)(2), and is proposing elsewhere in the Federal Register to amend its Privacy Act rules, 16 CFR 4.13, to include this system in its list of systems covered by that exemption. See 16 CFR 4.13(m). Accordingly, as set forth below, the Commission proposes a new system of records to become effective on the date noted earlier, unless the Commission amends or revokes the system on the basis of any comments received. Pursuant to 5 U.S.C. 552a(r), the Commission is providing notice of this proposal to the appropriate committees of the House of Representatives and the Senate, and to the Office of Management and Budget. FTC-IV-2 System Name: Identity Theft Complaint Management System-FTC. Security Classification: Not applicable. System/Location: Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Records will be compiled and centrally maintained at this location, including any identity theft complaints that may be initially received or collected by the agency's Regional Offices. Categories of individuals covered by the system: a. Individuals who communicate with the Commission to complain about or to request assistance in resolving problems relating to identity theft, or to request information concerning identity theft. b. Individuals who submit their complaints about identity theft to another organization that has agreed to provide its consumer complaint information on identity theft to the Commission (a ``data-contributing member''). c. Individuals who communicate to the Commission on behalf of another person who is the victim of identity theft. In such a case, both individuals will be covered. d. Individuals who are suspected of committing the complained-about identity theft. e. Individuals who, at the time the records are added to the system, are Commission employees or contractors assigned to process or respond to correspondence or telephone calls. Categories of records in the system: a. Personal identifying information about the individual who communicates with the Commission or data [[Page 57889]] contributing agency as a victim of identity theft, including, for example, the individual's name, address, telephone number, fax number, date of birth, social security or credit card numbers, e-mail address and other personal information extracted or summarized from the individual's complaint. Personal identifying information about the individual who communicates with the Commission or data-contributing agency as a reporting individual on behalf of someone else who was the victim of the identity theft, including, for example, the reporting individual's name, address, phone or fax number and e-mail address. b. Name, address, telephone number or other information about an individual suspected of having committed the complained-about identity theft. c. Name, address, telephone number or other information about a company that is suspected of having committed identity theft, is the subject of a complaint about how it handled the alleged incident of identity theft, or is associated with the complaint either as a creditor, debt collector, account issuer, credit bureau, or in another role (hereinafter, ``company complained about or otherwise associated with the complaint''). This company information, although included in the system, is not subject to the Privacy Act. d. Name and reference number of FTC staff member or contractor who entered or updated the complaint information in the Identity Theft Complaint Management System. Authority for maintenance of the system: Federal Trade Commission Act, 15 U.S.C. 41 et seq.; section 5 of the Identity Theft and Assumption Deterrence Act of 1998, 18 U.S.C. 1028 note. Purpose(s): To maintain records of complaints and inquiries concerning identity theft, in order to: enable the Commission to track and respond to complaints and inquiries; enable the Commission to refer complaints to appropriate entities, which may include referral to the three major national consumer reporting agencies and appropriate law enforcement agencies for potential law enforcement action; provide useful information that may lead to or be incorporated into law enforcement investigations and litigation or for other law enforcement purposes (when used in connection with law enforcement activities, also becomes part of FTC-I-1, Investigational, Legal and Public Records); provide useful information that may contribute to regulation and oversight of institutions and systems that play a role in or are affected by identity theft; and provide statistical data on the number and types of complaints and inquiries about identity theft received by the agency or its data-contributing members. Routine uses of records, including categories of users and the purposes of such uses: Records from this system may be disclosed as permitted by 5 U.S.C. 552a(b), and, as authorized by 5 U.S.C. 552a(b)(3), in accordance with the routine uses announced by the Commission in Appendix I of its system notice applicable to all other agency Privacy Act systems of records (57 FR 45678). Additional routine uses for records in this system are as follows, provided that no routine use specified either herein or in Appendix I shall be construed to limit or waive any other routine use published for this system: a. Records may be made available or referred on an automatic or other basis to a company complained about or otherwise associated with the complaint, which may include the three major national consumer reporting agencies. b. Records may be made available or referred on an automatic or other basis to other federal, state, or local government authorities for regulatory or law enforcement purposes. c. Records may be incorporated, as appropriate, into other systems of records maintained by the Commission, including the Commission's consumer complaint database (FTC-IV-1) or its legal investigatory files (FTC-I-1), and subject to the routine uses published for those systems. Disclosure to consumer reporting agencies: Identity theft complaints maintained in this system of records may be referred to consumer reporting agencies (and other appropriate entities) in accordance with the Identity Theft and Assumption Deterrence Act. Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system: Storage: Stored in a computer data base maintained on magnetic disks and tape. Paper records stored in file folders. Retrievability: Indexed by name, area code, phone number, address, state, zip code, social security number and date of birth of consumers who are the victims of identity theft. Also indexed by the name, area code, phone number, address, state, and zip code of individuals, if any, who are identity theft suspects. Also indexed by FTC reference number, by name, address, and telephone number of company complained about or otherwise associated with the complaint, by name of other government entity or consumer reporting agency, if any, contacted by consumer in effort to resolve complaint, by name of FTC office or data-contributing agency receiving complaint, by name of Commission staff member or contractor who entered or updated the information concerning the complaint in the system database, and by other categories of retrieval. Safeguards: Paper records of incoming complaints maintained in lockable rooms and cabinets; access to computerized records by electronic security precautions, including ``user ID'' and password combinations and encrypted communications with external law enforcement agencies. Access restricted to those agency personnel and contractors whose responsibilities require access, or to approved staff members of external law enforcement agencies who have entered into a confidentiality agreement with the Commission. Retention and disposal: Letters retained for a minimum of one year; automated information retained indefinitely. System managers and address: Identity Theft Program Manager, Division of Planning & Information, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Notification procedure: 16 CFR 4.13. Not applicable to the extent the system is exempt under 5 U.S.C. 552a(k)(2), as discussed below. Record access procedures: 16 CFR 4.13. Not applicable to the extent the system is exempt under 5 U.S.C. 552a(k)(2), as discussed below. Contesting record procedures: 16 CFR 4.13. Not applicable to the extent the system is exempt under 5 U.S.C. 552a(k)(2), as discussed below. Record source categories: Individuals who have complained about identity theft and others who may submit complaints on behalf of such individuals; data-contributing agencies; companies complained about or otherwise associated with a complaint. [[Page 57890]] Exemptions claimed for the system: 5 U.S.C. 552a(k)(2). See 16 CFR 4.13(m). This exemption protects records compiled for law enforcement purposes and is intended to prevent unauthorized disclosure to a target of the complaint. The Commission reserves the right to afford, at its discretion, any individual with notification, access, and contesting procedures under the Commission's rules (16 CFR 4.13) with regard to information entered or otherwise submitted by that individual into the system. By direction of the Commission. Donald S. Clark, Secretary. [FR Doc 99-28007 Filed 10-25-99; 10:38 am] BILLING CODE 6750-01-P