[Federal Register Volume 64, Number 207 (Wednesday, October 27, 1999)]
[Notices]
[Pages 57887-57890]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-28007]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
Privacy Act of 1974; System of Records
AGENCY: Federal Trade Commission (FTC).
ACTION: Notice of new Privacy Act system of records.
-----------------------------------------------------------------------
SUMMARY: The FTC is establishing a new system of records subject to the
Privacy Act of 1974, as amended. This system implements the
requirements of the Identity Theft and Assumption Deterrence Act of
1998. The Commission will use this system to log and acknowledge
complaints submitted by victims of identity theft, to provide
information to such individuals, and to refer their complaints to
appropriate entities.
DATES: Comments must be submitted by November 26, 1999. This system
notice, which is being published in proposed form, shall become final
and effective December 13, 1999, without further notice unless
otherwise amended or repealed by the Commission on the basis of any
comments received.
ADDRESSES: Submit comments in writing to the Office of the Secretary,
Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC
20580, ``FTC File No. P994320, Identity Theft Program-Comment.''
FOR FURTHER INFORMATION CONTACT: Alex Tang, Attorney, Office of the
General Counsel, FTC, 600 Pennsylvania Avenue, NW, Washington, DC
20580, (202) 326-2447. For more information about the Commission's
identity theft program, contact Beth Grossman, (202) 326-3019, or
Joanna Crane, (202) 326-3258, Attorneys, Division of Planning &
Information, Bureau of Consumer Protection, FTC, 600 Pennsylvania
Avenue, NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: In accordance with the Privacy Act of 1974,
as amended, 5 U.S.C. 552a, the FTC is publishing this notice of a new
agency system of records, to be designated as FTC-IV-2, ``Identity
Theft Complaint Management System-FTC.'' This system will enable the
FTC to fulfill its statutory responsibilities under section 5 of the
Identity Theft and Assumption Deterrence Act of 1998, Pub. L. 105-318,
112 Stat. 3007, 3010, 18 U.S.C. 1028 note (``ITADA''). The ITADA
designates the FTC as a clearinghouse for the receipt and referral of
identity theft complaints and requires that the FTC establish
procedures: (1) To log and acknowledge receipt of complaints from
individuals who certify that they have a reasonable belief that one or
more of their means of identification have been assumed, stolen, or
otherwise unlawfully acquired in violation of the statute; (2) to
provide informational materials to such individuals; and (3) to refer
such complaints to ``appropriate entities.'' Under the statute, these
entities include, but are not limited to, the three major national
consumer reporting agencies (currently Equifax, Experian and Trans
Union), and appropriate law enforcement agencies for potential law
enforcement action.
The new system of records is designed to meet these statutory
requirements and will be managed and operated by the FTC's Bureau of
Consumer Protection, Division of Planning & Information. The system
consists primarily of a computerized database that will compile and
track identity theft complaints received by the agency. Copies of
identity theft complaints originally received in paper format (e.g., by
mail or fax) will also be considered part of the system, but will be
retained for only a temporary period after they are entered by agency
personnel or contractors into the database.
Records in this system will include complaint information submitted
by identity theft victims or on their behalf by others (e.g., friends
or relatives). Additional sources of information will include other
federal, state and local agencies (``data-contributing agencies'') and
retail businesses that may suspect they are dealing with an individual
or entity engaged in identity theft. The FTC will use the system to log
and acknowledge these complaints, to provide identity theft victims
with information on how to deal with credit or other problems that may
result from
[[Page 57888]]
identity theft, and to evaluate and refer their complaints to
appropriate entities.
Until the system is fully established and operational, data from
these complaints are being compiled and maintained in the Commission's
general consumer complaint database (FTC-IV-1). That database, however,
was not originally designed to serve the special statutory purpose for
which the identity theft complaint system is being created, nor was it
meant to record or track certain identity theft data that the FTC
intends to collect with respect to identity theft complaints. Records
in the identity theft complaint system will also be maintained and
retrieved according to a somewhat broader category of individuals, as
described below. Thus, the Commission is treating these complaint
systems as separate systems of records for Privacy Act purposes, even
if, as a practical matter, the information in both systems will reside
on a common relational database and will be compiled and entered into
the database by many of the same agency and contractor personnel.
Despite the sensitive nature of identity theft complaint data, the
ITADA does not itself contain any provisions to protect the
confidentiality of the data that the Commission is required to compile.
Nonetheless, because these complaints will be collected and maintained
in a system of records pertaining to individuals within the meaning of
the Privacy Act, such records will be disclosed by the Commission only
as authorized by that Act. See 5 U.S.C. 552a(b). The Commission intends
that such disclosures will include certain necessary ``routine uses''
that the Commission has previously published pursuant to subsection
(b)(3) of the Act, 5 U.S.C. 552a(b)(3), and made generally applicable
to all of its FTC Privacy Act systems of records (e.g., use in
government law enforcement litigation, where necessary). See 57 FR
45678 (1992) (Appendix I). Likewise, identity theft complaint data may
also be incorporated, as appropriate, into other systems of records
maintained by the Commission, such as the Commission's general
complaint database (FTC-IV-1, cited earlier) or its legal investigatory
files (FTC-I-1), and would be subject to any ``routine uses''
applicable to those systems.
The Commission has also identified certain additional ``routine
uses'' that are necessary in order to carry out the requirements of the
ITADA. These ``routine uses'' include referral of the complaint to a
company that is the subject of the complaint or otherwise associated
with the complaint, such as the three major national consumer reporting
agencies, since such entities would be in a position to resolve the
complaint by taking investigative or corrective action.
Another ``routine use'' is disclosure of the complaint to other
federal, state, or local government authorities for law enforcement or
regulatory purposes. This routine use will allow referral of complaint
data for investigatory purposes with or without a specific law
enforcement request from such authorities, as would otherwise be
required by the Privacy Act. See 5 U.S.C. 552a(b)(7). It will also
allow routine disclosure of complaint records, as needed, to other
regulatory agencies at the federal, state or local level so they have
the information they need to identify methods or patterns of identity
theft and to develop regulations, policies, or other safeguards or
remedies to help stop or prevent identity theft. Once the Commission
makes an authorized disclosure of complaint data to a company or
another government agency, complainants should be aware that further
disclosures beyond the Commission's control may not be avoidable as a
practical or legal matter. The Commission intends to limit this risk by
sharing complaint information only under confidentiality agreements
that require that the information be used only for purposes consistent
with the ITADA (e.g., resolving the individual's complaint, law
enforcement or regulation, etc.).
Similarly, neither the ITADA nor the Privacy Act prevents a request
for public disclosure from being filed under the Freedom of Information
Act, 5 U.S.C. 552. Identity theft complaint data would normally be
exempt from disclosure under that statute, however, where such
disclosure would constitute a clearly unwarranted invasion of personal
privacy, 5 U.S.C. 552(b)(6), or for other reasons. See, e.g., 5 U.S.C.
552(b)(7)(A) (investigatory materials that are compiled for law
enforcement purposes and, if disclosed, could reasonably be expected to
interfere with law enforcement proceedings).
Because the categories of individuals covered by the system may
include, among others, the target of an identity theft complaint, the
Commission has determined that it is necessary to exempt the system
from disclosure to such individuals for law enforcement purposes, even
in cases where the Commission may choose to make the complaint file
available for review by the complainant or other individual who
submitted the information. Thus, the Commission proposes to exempt this
system of records under 5 U.S.C. 552a(k)(2), and is proposing elsewhere
in the Federal Register to amend its Privacy Act rules, 16 CFR 4.13, to
include this system in its list of systems covered by that exemption.
See 16 CFR 4.13(m).
Accordingly, as set forth below, the Commission proposes a new
system of records to become effective on the date noted earlier, unless
the Commission amends or revokes the system on the basis of any
comments received. Pursuant to 5 U.S.C. 552a(r), the Commission is
providing notice of this proposal to the appropriate committees of the
House of Representatives and the Senate, and to the Office of
Management and Budget.
FTC-IV-2
System Name:
Identity Theft Complaint Management System-FTC.
Security Classification:
Not applicable.
System/Location:
Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington,
DC 20580. Records will be compiled and centrally maintained at this
location, including any identity theft complaints that may be initially
received or collected by the agency's Regional Offices.
Categories of individuals covered by the system:
a. Individuals who communicate with the Commission to complain
about or to request assistance in resolving problems relating to
identity theft, or to request information concerning identity theft.
b. Individuals who submit their complaints about identity theft to
another organization that has agreed to provide its consumer complaint
information on identity theft to the Commission (a ``data-contributing
member'').
c. Individuals who communicate to the Commission on behalf of
another person who is the victim of identity theft. In such a case,
both individuals will be covered.
d. Individuals who are suspected of committing the complained-about
identity theft.
e. Individuals who, at the time the records are added to the
system, are Commission employees or contractors assigned to process or
respond to correspondence or telephone calls.
Categories of records in the system:
a. Personal identifying information about the individual who
communicates with the Commission or data
[[Page 57889]]
contributing agency as a victim of identity theft, including, for
example, the individual's name, address, telephone number, fax number,
date of birth, social security or credit card numbers, e-mail address
and other personal information extracted or summarized from the
individual's complaint. Personal identifying information about the
individual who communicates with the Commission or data-contributing
agency as a reporting individual on behalf of someone else who was the
victim of the identity theft, including, for example, the reporting
individual's name, address, phone or fax number and e-mail address.
b. Name, address, telephone number or other information about an
individual suspected of having committed the complained-about identity
theft.
c. Name, address, telephone number or other information about a
company that is suspected of having committed identity theft, is the
subject of a complaint about how it handled the alleged incident of
identity theft, or is associated with the complaint either as a
creditor, debt collector, account issuer, credit bureau, or in another
role (hereinafter, ``company complained about or otherwise associated
with the complaint''). This company information, although included in
the system, is not subject to the Privacy Act.
d. Name and reference number of FTC staff member or contractor who
entered or updated the complaint information in the Identity Theft
Complaint Management System.
Authority for maintenance of the system:
Federal Trade Commission Act, 15 U.S.C. 41 et seq.; section 5 of
the Identity Theft and Assumption Deterrence Act of 1998, 18 U.S.C.
1028 note.
Purpose(s):
To maintain records of complaints and inquiries concerning identity
theft, in order to: enable the Commission to track and respond to
complaints and inquiries; enable the Commission to refer complaints to
appropriate entities, which may include referral to the three major
national consumer reporting agencies and appropriate law enforcement
agencies for potential law enforcement action; provide useful
information that may lead to or be incorporated into law enforcement
investigations and litigation or for other law enforcement purposes
(when used in connection with law enforcement activities, also becomes
part of FTC-I-1, Investigational, Legal and Public Records); provide
useful information that may contribute to regulation and oversight of
institutions and systems that play a role in or are affected by
identity theft; and provide statistical data on the number and types of
complaints and inquiries about identity theft received by the agency or
its data-contributing members.
Routine uses of records, including categories of users and the purposes
of such uses:
Records from this system may be disclosed as permitted by 5 U.S.C.
552a(b), and, as authorized by 5 U.S.C. 552a(b)(3), in accordance with
the routine uses announced by the Commission in Appendix I of its
system notice applicable to all other agency Privacy Act systems of
records (57 FR 45678). Additional routine uses for records in this
system are as follows, provided that no routine use specified either
herein or in Appendix I shall be construed to limit or waive any other
routine use published for this system:
a. Records may be made available or referred on an automatic or
other basis to a company complained about or otherwise associated with
the complaint, which may include the three major national consumer
reporting agencies.
b. Records may be made available or referred on an automatic or
other basis to other federal, state, or local government authorities
for regulatory or law enforcement purposes.
c. Records may be incorporated, as appropriate, into other systems
of records maintained by the Commission, including the Commission's
consumer complaint database (FTC-IV-1) or its legal investigatory files
(FTC-I-1), and subject to the routine uses published for those systems.
Disclosure to consumer reporting agencies:
Identity theft complaints maintained in this system of records may
be referred to consumer reporting agencies (and other appropriate
entities) in accordance with the Identity Theft and Assumption
Deterrence Act.
Policies and practices for storing, retrieving, accessing, retaining,
and disposing of records in the system:
Storage:
Stored in a computer data base maintained on magnetic disks and
tape. Paper records stored in file folders.
Retrievability:
Indexed by name, area code, phone number, address, state, zip code,
social security number and date of birth of consumers who are the
victims of identity theft. Also indexed by the name, area code, phone
number, address, state, and zip code of individuals, if any, who are
identity theft suspects. Also indexed by FTC reference number, by name,
address, and telephone number of company complained about or otherwise
associated with the complaint, by name of other government entity or
consumer reporting agency, if any, contacted by consumer in effort to
resolve complaint, by name of FTC office or data-contributing agency
receiving complaint, by name of Commission staff member or contractor
who entered or updated the information concerning the complaint in the
system database, and by other categories of retrieval.
Safeguards:
Paper records of incoming complaints maintained in lockable rooms
and cabinets; access to computerized records by electronic security
precautions, including ``user ID'' and password combinations and
encrypted communications with external law enforcement agencies. Access
restricted to those agency personnel and contractors whose
responsibilities require access, or to approved staff members of
external law enforcement agencies who have entered into a
confidentiality agreement with the Commission.
Retention and disposal:
Letters retained for a minimum of one year; automated information
retained indefinitely.
System managers and address:
Identity Theft Program Manager, Division of Planning & Information,
Bureau of Consumer Protection, Federal Trade Commission, 600
Pennsylvania Avenue, NW, Washington, DC 20580.
Notification procedure:
16 CFR 4.13. Not applicable to the extent the system is exempt
under 5 U.S.C. 552a(k)(2), as discussed below.
Record access procedures:
16 CFR 4.13. Not applicable to the extent the system is exempt
under 5 U.S.C. 552a(k)(2), as discussed below.
Contesting record procedures:
16 CFR 4.13. Not applicable to the extent the system is exempt
under 5 U.S.C. 552a(k)(2), as discussed below.
Record source categories:
Individuals who have complained about identity theft and others who
may submit complaints on behalf of such individuals; data-contributing
agencies; companies complained about or otherwise associated with a
complaint.
[[Page 57890]]
Exemptions claimed for the system:
5 U.S.C. 552a(k)(2). See 16 CFR 4.13(m). This exemption protects
records compiled for law enforcement purposes and is intended to
prevent unauthorized disclosure to a target of the complaint. The
Commission reserves the right to afford, at its discretion, any
individual with notification, access, and contesting procedures under
the Commission's rules (16 CFR 4.13) with regard to information entered
or otherwise submitted by that individual into the system.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc 99-28007 Filed 10-25-99; 10:38 am]
BILLING CODE 6750-01-P