[Federal Register Volume 64, Number 207 (Wednesday, October 27, 1999)]
[Notices]
[Pages 57887-57890]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-28007]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Privacy Act of 1974; System of Records

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice of new Privacy Act system of records.

-----------------------------------------------------------------------

SUMMARY: The FTC is establishing a new system of records subject to the 
Privacy Act of 1974, as amended. This system implements the 
requirements of the Identity Theft and Assumption Deterrence Act of 
1998. The Commission will use this system to log and acknowledge 
complaints submitted by victims of identity theft, to provide 
information to such individuals, and to refer their complaints to 
appropriate entities.

DATES: Comments must be submitted by November 26, 1999. This system 
notice, which is being published in proposed form, shall become final 
and effective December 13, 1999, without further notice unless 
otherwise amended or repealed by the Commission on the basis of any 
comments received.

ADDRESSES: Submit comments in writing to the Office of the Secretary, 
Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 
20580, ``FTC File No. P994320, Identity Theft Program-Comment.''

FOR FURTHER INFORMATION CONTACT: Alex Tang, Attorney, Office of the 
General Counsel, FTC, 600 Pennsylvania Avenue, NW, Washington, DC 
20580, (202) 326-2447. For more information about the Commission's 
identity theft program, contact Beth Grossman, (202) 326-3019, or 
Joanna Crane, (202) 326-3258, Attorneys, Division of Planning & 
Information, Bureau of Consumer Protection, FTC, 600 Pennsylvania 
Avenue, NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: In accordance with the Privacy Act of 1974, 
as amended, 5 U.S.C. 552a, the FTC is publishing this notice of a new 
agency system of records, to be designated as FTC-IV-2, ``Identity 
Theft Complaint Management System-FTC.'' This system will enable the 
FTC to fulfill its statutory responsibilities under section 5 of the 
Identity Theft and Assumption Deterrence Act of 1998, Pub. L. 105-318, 
112 Stat. 3007, 3010, 18 U.S.C. 1028 note (``ITADA''). The ITADA 
designates the FTC as a clearinghouse for the receipt and referral of 
identity theft complaints and requires that the FTC establish 
procedures: (1) To log and acknowledge receipt of complaints from 
individuals who certify that they have a reasonable belief that one or 
more of their means of identification have been assumed, stolen, or 
otherwise unlawfully acquired in violation of the statute; (2) to 
provide informational materials to such individuals; and (3) to refer 
such complaints to ``appropriate entities.'' Under the statute, these 
entities include, but are not limited to, the three major national 
consumer reporting agencies (currently Equifax, Experian and Trans 
Union), and appropriate law enforcement agencies for potential law 
enforcement action.
    The new system of records is designed to meet these statutory 
requirements and will be managed and operated by the FTC's Bureau of 
Consumer Protection, Division of Planning & Information. The system 
consists primarily of a computerized database that will compile and 
track identity theft complaints received by the agency. Copies of 
identity theft complaints originally received in paper format (e.g., by 
mail or fax) will also be considered part of the system, but will be 
retained for only a temporary period after they are entered by agency 
personnel or contractors into the database.
    Records in this system will include complaint information submitted 
by identity theft victims or on their behalf by others (e.g., friends 
or relatives). Additional sources of information will include other 
federal, state and local agencies (``data-contributing agencies'') and 
retail businesses that may suspect they are dealing with an individual 
or entity engaged in identity theft. The FTC will use the system to log 
and acknowledge these complaints, to provide identity theft victims 
with information on how to deal with credit or other problems that may 
result from

[[Page 57888]]

identity theft, and to evaluate and refer their complaints to 
appropriate entities.
    Until the system is fully established and operational, data from 
these complaints are being compiled and maintained in the Commission's 
general consumer complaint database (FTC-IV-1). That database, however, 
was not originally designed to serve the special statutory purpose for 
which the identity theft complaint system is being created, nor was it 
meant to record or track certain identity theft data that the FTC 
intends to collect with respect to identity theft complaints. Records 
in the identity theft complaint system will also be maintained and 
retrieved according to a somewhat broader category of individuals, as 
described below. Thus, the Commission is treating these complaint 
systems as separate systems of records for Privacy Act purposes, even 
if, as a practical matter, the information in both systems will reside 
on a common relational database and will be compiled and entered into 
the database by many of the same agency and contractor personnel.
    Despite the sensitive nature of identity theft complaint data, the 
ITADA does not itself contain any provisions to protect the 
confidentiality of the data that the Commission is required to compile. 
Nonetheless, because these complaints will be collected and maintained 
in a system of records pertaining to individuals within the meaning of 
the Privacy Act, such records will be disclosed by the Commission only 
as authorized by that Act. See 5 U.S.C. 552a(b). The Commission intends 
that such disclosures will include certain necessary ``routine uses'' 
that the Commission has previously published pursuant to subsection 
(b)(3) of the Act, 5 U.S.C. 552a(b)(3), and made generally applicable 
to all of its FTC Privacy Act systems of records (e.g., use in 
government law enforcement litigation, where necessary). See 57 FR 
45678 (1992) (Appendix I). Likewise, identity theft complaint data may 
also be incorporated, as appropriate, into other systems of records 
maintained by the Commission, such as the Commission's general 
complaint database (FTC-IV-1, cited earlier) or its legal investigatory 
files (FTC-I-1), and would be subject to any ``routine uses'' 
applicable to those systems.
    The Commission has also identified certain additional ``routine 
uses'' that are necessary in order to carry out the requirements of the 
ITADA. These ``routine uses'' include referral of the complaint to a 
company that is the subject of the complaint or otherwise associated 
with the complaint, such as the three major national consumer reporting 
agencies, since such entities would be in a position to resolve the 
complaint by taking investigative or corrective action.
    Another ``routine use'' is disclosure of the complaint to other 
federal, state, or local government authorities for law enforcement or 
regulatory purposes. This routine use will allow referral of complaint 
data for investigatory purposes with or without a specific law 
enforcement request from such authorities, as would otherwise be 
required by the Privacy Act. See 5 U.S.C. 552a(b)(7). It will also 
allow routine disclosure of complaint records, as needed, to other 
regulatory agencies at the federal, state or local level so they have 
the information they need to identify methods or patterns of identity 
theft and to develop regulations, policies, or other safeguards or 
remedies to help stop or prevent identity theft. Once the Commission 
makes an authorized disclosure of complaint data to a company or 
another government agency, complainants should be aware that further 
disclosures beyond the Commission's control may not be avoidable as a 
practical or legal matter. The Commission intends to limit this risk by 
sharing complaint information only under confidentiality agreements 
that require that the information be used only for purposes consistent 
with the ITADA (e.g., resolving the individual's complaint, law 
enforcement or regulation, etc.).
    Similarly, neither the ITADA nor the Privacy Act prevents a request 
for public disclosure from being filed under the Freedom of Information 
Act, 5 U.S.C. 552. Identity theft complaint data would normally be 
exempt from disclosure under that statute, however, where such 
disclosure would constitute a clearly unwarranted invasion of personal 
privacy, 5 U.S.C. 552(b)(6), or for other reasons. See, e.g., 5 U.S.C. 
552(b)(7)(A) (investigatory materials that are compiled for law 
enforcement purposes and, if disclosed, could reasonably be expected to 
interfere with law enforcement proceedings).
    Because the categories of individuals covered by the system may 
include, among others, the target of an identity theft complaint, the 
Commission has determined that it is necessary to exempt the system 
from disclosure to such individuals for law enforcement purposes, even 
in cases where the Commission may choose to make the complaint file 
available for review by the complainant or other individual who 
submitted the information. Thus, the Commission proposes to exempt this 
system of records under 5 U.S.C. 552a(k)(2), and is proposing elsewhere 
in the Federal Register to amend its Privacy Act rules, 16 CFR 4.13, to 
include this system in its list of systems covered by that exemption. 
See 16 CFR 4.13(m).
    Accordingly, as set forth below, the Commission proposes a new 
system of records to become effective on the date noted earlier, unless 
the Commission amends or revokes the system on the basis of any 
comments received. Pursuant to 5 U.S.C. 552a(r), the Commission is 
providing notice of this proposal to the appropriate committees of the 
House of Representatives and the Senate, and to the Office of 
Management and Budget.
FTC-IV-2

System Name:
    Identity Theft Complaint Management System-FTC.

Security Classification:
    Not applicable.

System/Location:
    Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, 
DC 20580. Records will be compiled and centrally maintained at this 
location, including any identity theft complaints that may be initially 
received or collected by the agency's Regional Offices.

Categories of individuals covered by the system:
    a. Individuals who communicate with the Commission to complain 
about or to request assistance in resolving problems relating to 
identity theft, or to request information concerning identity theft.
    b. Individuals who submit their complaints about identity theft to 
another organization that has agreed to provide its consumer complaint 
information on identity theft to the Commission (a ``data-contributing 
member'').
    c. Individuals who communicate to the Commission on behalf of 
another person who is the victim of identity theft. In such a case, 
both individuals will be covered.
    d. Individuals who are suspected of committing the complained-about 
identity theft.
    e. Individuals who, at the time the records are added to the 
system, are Commission employees or contractors assigned to process or 
respond to correspondence or telephone calls.

Categories of records in the system:
    a. Personal identifying information about the individual who 
communicates with the Commission or data

[[Page 57889]]

contributing agency as a victim of identity theft, including, for 
example, the individual's name, address, telephone number, fax number, 
date of birth, social security or credit card numbers, e-mail address 
and other personal information extracted or summarized from the 
individual's complaint. Personal identifying information about the 
individual who communicates with the Commission or data-contributing 
agency as a reporting individual on behalf of someone else who was the 
victim of the identity theft, including, for example, the reporting 
individual's name, address, phone or fax number and e-mail address.
    b. Name, address, telephone number or other information about an 
individual suspected of having committed the complained-about identity 
theft.
    c. Name, address, telephone number or other information about a 
company that is suspected of having committed identity theft, is the 
subject of a complaint about how it handled the alleged incident of 
identity theft, or is associated with the complaint either as a 
creditor, debt collector, account issuer, credit bureau, or in another 
role (hereinafter, ``company complained about or otherwise associated 
with the complaint''). This company information, although included in 
the system, is not subject to the Privacy Act.
    d. Name and reference number of FTC staff member or contractor who 
entered or updated the complaint information in the Identity Theft 
Complaint Management System.

Authority for maintenance of the system:
    Federal Trade Commission Act, 15 U.S.C. 41 et seq.; section 5 of 
the Identity Theft and Assumption Deterrence Act of 1998, 18 U.S.C. 
1028 note.

Purpose(s):
    To maintain records of complaints and inquiries concerning identity 
theft, in order to: enable the Commission to track and respond to 
complaints and inquiries; enable the Commission to refer complaints to 
appropriate entities, which may include referral to the three major 
national consumer reporting agencies and appropriate law enforcement 
agencies for potential law enforcement action; provide useful 
information that may lead to or be incorporated into law enforcement 
investigations and litigation or for other law enforcement purposes 
(when used in connection with law enforcement activities, also becomes 
part of FTC-I-1, Investigational, Legal and Public Records); provide 
useful information that may contribute to regulation and oversight of 
institutions and systems that play a role in or are affected by 
identity theft; and provide statistical data on the number and types of 
complaints and inquiries about identity theft received by the agency or 
its data-contributing members.

Routine uses of records, including categories of users and the purposes 
of such uses:
    Records from this system may be disclosed as permitted by 5 U.S.C. 
552a(b), and, as authorized by 5 U.S.C. 552a(b)(3), in accordance with 
the routine uses announced by the Commission in Appendix I of its 
system notice applicable to all other agency Privacy Act systems of 
records (57 FR 45678). Additional routine uses for records in this 
system are as follows, provided that no routine use specified either 
herein or in Appendix I shall be construed to limit or waive any other 
routine use published for this system:
    a. Records may be made available or referred on an automatic or 
other basis to a company complained about or otherwise associated with 
the complaint, which may include the three major national consumer 
reporting agencies.
    b. Records may be made available or referred on an automatic or 
other basis to other federal, state, or local government authorities 
for regulatory or law enforcement purposes.
    c. Records may be incorporated, as appropriate, into other systems 
of records maintained by the Commission, including the Commission's 
consumer complaint database (FTC-IV-1) or its legal investigatory files 
(FTC-I-1), and subject to the routine uses published for those systems.

Disclosure to consumer reporting agencies:
    Identity theft complaints maintained in this system of records may 
be referred to consumer reporting agencies (and other appropriate 
entities) in accordance with the Identity Theft and Assumption 
Deterrence Act.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system:
Storage:
    Stored in a computer data base maintained on magnetic disks and 
tape. Paper records stored in file folders.

Retrievability:
    Indexed by name, area code, phone number, address, state, zip code, 
social security number and date of birth of consumers who are the 
victims of identity theft. Also indexed by the name, area code, phone 
number, address, state, and zip code of individuals, if any, who are 
identity theft suspects. Also indexed by FTC reference number, by name, 
address, and telephone number of company complained about or otherwise 
associated with the complaint, by name of other government entity or 
consumer reporting agency, if any, contacted by consumer in effort to 
resolve complaint, by name of FTC office or data-contributing agency 
receiving complaint, by name of Commission staff member or contractor 
who entered or updated the information concerning the complaint in the 
system database, and by other categories of retrieval.

Safeguards:
    Paper records of incoming complaints maintained in lockable rooms 
and cabinets; access to computerized records by electronic security 
precautions, including ``user ID'' and password combinations and 
encrypted communications with external law enforcement agencies. Access 
restricted to those agency personnel and contractors whose 
responsibilities require access, or to approved staff members of 
external law enforcement agencies who have entered into a 
confidentiality agreement with the Commission.

Retention and disposal:
    Letters retained for a minimum of one year; automated information 
retained indefinitely.

System managers and address:
    Identity Theft Program Manager, Division of Planning & Information, 
Bureau of Consumer Protection, Federal Trade Commission, 600 
Pennsylvania Avenue, NW, Washington, DC 20580.

Notification procedure:
    16 CFR 4.13. Not applicable to the extent the system is exempt 
under 5 U.S.C. 552a(k)(2), as discussed below.

Record access procedures:
    16 CFR 4.13. Not applicable to the extent the system is exempt 
under 5 U.S.C. 552a(k)(2), as discussed below.

Contesting record procedures:
    16 CFR 4.13. Not applicable to the extent the system is exempt 
under 5 U.S.C. 552a(k)(2), as discussed below.

Record source categories:
    Individuals who have complained about identity theft and others who 
may submit complaints on behalf of such individuals; data-contributing 
agencies; companies complained about or otherwise associated with a 
complaint.

[[Page 57890]]

Exemptions claimed for the system: 
    5 U.S.C. 552a(k)(2). See 16 CFR 4.13(m). This exemption protects 
records compiled for law enforcement purposes and is intended to 
prevent unauthorized disclosure to a target of the complaint. The 
Commission reserves the right to afford, at its discretion, any 
individual with notification, access, and contesting procedures under 
the Commission's rules (16 CFR 4.13) with regard to information entered 
or otherwise submitted by that individual into the system.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc 99-28007 Filed 10-25-99; 10:38 am]
BILLING CODE 6750-01-P