[Federal Register Volume 76, Number 27 (Wednesday, February 9, 2011)]
[Notices]
[Pages 7213-7216]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-2790]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File Nos. 092 3088, 082 3208, 092 3089]


ACRAnet, Inc.; SettlementOne Credit Corporation, and Sackett 
National Holdings, Inc.; Fajilan and Associates, Inc., d/b/a Statewide 
Credit Services, and Robert Fajilan; Analysis of Proposed Consent 
Orders To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreements in these three matters settle alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices or unfair methods of competition. The attached Analysis To 
Aid Public Comment describes both the allegations in each draft 
complaint and the terms of the consent order--embodied in each consent 
agreement--that would settle these allegations.

DATES: Comments must be received on or before March 7, 2011.

ADDRESSES: Interested parties are invited to submit written comments 
electronically or in paper form. Comments should refer to ``ACRAnet, 
Inc., File No. 092 3088, and/or SettlementOne Credit Corporation, File 
No. 082 3208, and/or Statewide Credit Services, File No. 092 3089'' to 
facilitate the organization of comments. Please note that your 
comment--including your name and your state--will be placed on the 
public record of this proceeding, including on the publicly accessible 
FTC Web site, at http://www.ftc.gov/os/publiccomments.shtm.
    Because comments will be made public, they should not include any 
sensitive personal information, such as an individual's Social Security 
Number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. Comments also 
should not include any sensitive health information, such as medical 
records or other individually identifiable health information. In 
addition, comments should not include any ``[t]rade secret or any 
commercial or financial information which is obtained from any person 
and which is privileged or confidential. * * *,'' as provided in 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and Commission Rule 
4.10(a)(2), 16 CFR 4.10(a)(2). Comments containing material for which 
confidential treatment is requested must be filed in paper form, must 
be clearly labeled ``Confidential,'' and must comply with FTC Rule 
4.9(c), 16 CFR 4.9(c).\1\
---------------------------------------------------------------------------

    \1\ The comment must be accompanied by an explicit request for 
confidential treatment, including the factual and legal basis for 
the request, and must identify the specific portions of the comment 
to be withheld from the public record. The request will be granted 
or denied by the Commission's General Counsel, consistent with 
applicable law and the public interest. See FTC Rule 4.9(c), 16 CFR 
4.9(c).
---------------------------------------------------------------------------

    Because paper mail addressed to the FTC is subject to delay due to 
heightened security screening, please consider submitting your comments 
in electronic form. Comments filed in electronic form should be 
submitted by using one of the following weblinks: https://ftcpublic.commentworks.com/ftc/acranet; https://ftcpublic.commentworks.com/ftc/settlementone; https://ftcpublic.commentworks.com/ftc/statewide, and following the 
instructions on the web-based form. To ensure that the Commission 
considers an electronic comment, you must file it on the Web-based form 
at one of the following weblinks: https://ftcpublic.commentworks.com/ftc/acranet; https://ftcpublic.commentworks.com/ftc/settlementone; 
https://ftcpublic.commentworks.com/ftc/statewide. If this Notice 
appears at http://www.regulations.gov/search/index.jsp, you may also 
file an electronic comment through that Web site. The Commission will 
consider all comments that regulations.gov forwards to it. You may also 
visit the FTC Web site at http://www.ftc.gov/ to read the Notice and 
the news release describing it.
    A comment filed in paper form should include the ``to ACRAnet, 
Inc., File No. 092 3088, and/or SettlementOne Credit Corporation, File 
No. 082 3208, and/or Statewide Credit Services, File No. 092 3089'' 
reference both in the text and on the envelope, and should be mailed or 
delivered to the following address: Federal Trade Commission, Office of 
the Secretary, Room H-135 (Annex D), 600 Pennsylvania Avenue, NW., 
Washington, DC 20580. The FTC is requesting that any comment filed in 
paper form be sent by courier or overnight service, if possible, 
because U.S. postal mail in the Washington area and at the Commission 
is subject to delay due to heightened security precautions.
    The Federal Trade Commission Act (``FTC Act'') and other laws the 
Commission administers permit the collection of public comments to 
consider and use in this proceeding as appropriate. The Commission will 
consider all timely and responsive public comments that it receives, 
whether filed in paper or electronic form. Comments received will be 
available to the public on the FTC Web site, to the extent practicable, 
at http://www.ftc.gov/os/publiccomments.shtm. As a matter of 
discretion, the Commission makes every effort to remove home contact 
information for individuals from the public comments it receives before 
placing those comments on the FTC Web site. More information, including 
routine uses permitted by the Privacy Act, may be found in the FTC's 
privacy policy, at http://www.ftc.gov/ftc/privacy.shtm.

FOR FURTHER INFORMATION CONTACT: Katherine White (202-326-2252), Bureau 
of Consumer Protection, 600 Pennsylvania Avenue, NW., Washington, D.C. 
20580.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal 
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec.  2.34 the 
Commission Rules of Practice, 16 CFR 2.34, notice is hereby given that 
the above-captioned consent agreements containing consent orders to 
cease and desist, having been filed with and accepted, subject to final 
approval, by the Commission, have been placed on the public record for 
a period of thirty (30) days. The following

[[Page 7214]]

Analysis To Aid Public Comment describes the terms of the consent 
agreements, and the allegations in the draft complaints. An electronic 
copy of the full text of each consent agreement package can be obtained 
from the FTC Home Page (for February 3, 2011), on the World Wide Web, 
at http://www.ftc.gov/os/actions.shtm. Paper copies can be obtained 
from the FTC Public Reference Room, Room 130-H, 600 Pennsylvania 
Avenue, NW., Washington, DC 20580, either in person or by calling (202) 
326-2222.
    Public comments are invited, and may be filed with the Commission 
in either paper or electronic form. All comments should be filed as 
prescribed in the ADDRESSES section above, and must be received on or 
before the date specified in the DATES section.

Analysis of Agreement Containing Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, three agreements containing consent orders from ACRAnet, Inc. 
(``ACRAnet''); SettlementOne, Inc. (``SettlementOne''), and its parent 
corporation Sackett National Holdings, Inc.; and Fajilan and 
Associates, Inc. d/b/a Statewide Credit Services (``statewide'') and 
its principal Robert Fajilan (collectively ``respondents'').
    The proposed consent orders have been placed on the public record 
for thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission will again review the 
agreements and the comments received, and will decide whether it should 
withdraw from the agreements and take appropriate action or make final 
the agreements' proposed orders.
    According to the Commission's proposed complaints, respondents 
contract with the three nationwide consumer reporting agencies, 
Experian, Equifax, and TransUnion to obtain consumer reports that they 
assemble and merge into a single ``trimerge report.'' The trimerge 
reports contain sensitive consumer information such as full name, 
current and former addresses, social security number, date of birth, 
employer history, credit account histories and information, and account 
numbers. Respondents provides the trimerge reports to end user clients 
through an online portal. Respondents issue credentials to their 
clients, which consist of a user name and password. The end user 
clients use these credentials to access respondents' online portals and 
receive trimerged reports.
    The Commission's complaints allege that respondents engaged in a 
number of practices that, taken together, failed to provide reasonable 
and appropriate security for consumers' personal information. Among 
other things, they failed to: (a) Develop and disseminate comprehensive 
written information security policies; (b) assess the risks of allowing 
end users with unverified or inadequate security to access consumer 
reports through their online portals; (c) implement reasonable steps to 
address these risks by, for example, evaluating the security of end 
users' computer networks, requiring appropriate information security 
measures, and training end user clients; (d) implement reasonable steps 
to maintain an effective system of monitoring access to consumer 
reports by end users, including by monitoring to detect anomalies and 
other suspicious activity; and (e) take appropriate action to correct 
existing vulnerabilities or threats to personal information in light of 
known risks.
    The complaints further allege that hackers were able to exploit 
vulnerabilities in the computer networks of multiple end user clients, 
putting all consumer reports in those networks at risk. In multiple 
breaches, hackers accessed hundreds of consumer reports.
    According to the proposed complaints, respondents' practices 
violated the Gramm-Leach-Bliley (``GLB'') Safeguards Rule by, among 
other things: (1) Failing to design and implement information 
safeguards to control the risks to customer information; (2) failing to 
regularly test or monitor the effectiveness of existing controls and 
procedures; (3) failing to evaluate and adjust the information security 
programs in light of known or identified risks; and (4) failing to 
develop, implement, and maintain comprehensive information security 
programs. In addition, the proposed complaints allege that respondents' 
conduct violated sections 604 and 607(e) of the Fair Credit Reporting 
Act (``FCRA''). Further, the proposed complaints allege that 
respondents' failure to employ reasonable and appropriate measures to 
secure the personal information they maintain and sell is an unfair 
practice in violation of Section 5 of the Federal Trade Commission Act.
    The proposed orders contain provisions designed to prevent 
respondents from engaging in similar practices in the future. They also 
apply to personal information respondents collect from or about 
consumers. The orders name the resellers themselves, ACRAnet, 
SettlementOne, and Statewide; in the case of SettlementOne, its parent 
corporation Sackett National Holdings; and in the case of Statewide, 
its principal Robert Fajilan.
    Part I of the proposed orders requires respondents to establish and 
maintain a comprehensive information security program that is 
reasonably designed to protect the security, confidentiality, and 
integrity of personal information collected from or about consumers, 
including the security, confidentiality, and integrity of personal 
information accessible to end users.\2\ The security program must 
contain administrative, technical, and physical safeguards appropriate 
to each respondent's size and complexity, the nature and scope of its 
activities, and the sensitivity of the personal information collected 
from or about consumers. Specifically, the orders require respondents 
to:
---------------------------------------------------------------------------

    \2\ The proposed order against Statewide includes an individual 
respondent, Robert Fajilan. Parts I-VI of this order apply to any 
business entity that Mr. Fajilan controls.
---------------------------------------------------------------------------

     Designate an employee or employees to coordinate and be 
accountable for the information security program.
     Identify material internal and external risks to the 
security, confidentiality, and integrity of personal information that 
could result in the unauthorized disclosure, misuse, loss, alteration, 
destruction, or other compromise of such information, and assess the 
sufficiency of any safeguards in place to control these risks.
     Design and implement reasonable safeguards to control the 
risks identified through risk assessment, and regularly test or monitor 
the effectiveness of the safeguards' key controls, systems, and 
procedures.
     Develop and use reasonable steps to select and retain 
service providers capable of appropriately safeguarding personal 
information they receive from respondents, and require service 
providers by contract to implement and maintain appropriate safeguards.
     Evaluate and adjust the information security program in 
light of the results of the testing and monitoring, any material 
changes to the company's operations or business arrangements, or any 
other circumstances that they know or have reason to know may have a 
material impact on the effectiveness of their information security 
program.
    Part II of the proposed orders prohibits respondents from violating 
any provision of the GLB Safeguards Rule.

[[Page 7215]]

    Part III of the proposed orders requires that respondents, in 
connection with the compilation, creation, sale or dissemination of any 
consumer report shall: (1) Furnish such consumer report only to those 
persons it has reason to believe have a permissible purpose as 
described in Section 604(a)(3) of the FCRA, or under such other 
circumstances as set forth in Section 604 of the FCRA; and (2) maintain 
reasonable procedures to limit the furnishing of such consumer reports 
to those with a permissible purpose and ensure that no consumer report 
is furnished to any person when there are reasonable grounds to believe 
that the consumer report will not be used for a permissible purpose.
    Part IV of the proposed orders requires that respondents obtain 
within 180 days, and on a biennial basis thereafter for twenty (20) 
years, an assessment and report from a qualified, objective, 
independent third-party professional, certifying, among other things, 
that they have in place a security program that provides protections 
that meet or exceed the protections required by Part I of the proposed 
order; and their security program is operating with sufficient 
effectiveness to provide reasonable assurance that the security, 
confidentiality, and integrity of consumers' personal information is 
protected.\3\
---------------------------------------------------------------------------

    \3\ The proposed order against SettlementOne and Sackett 
National Holdings does not require Sackett National Holdings to 
obtain an assessment for any subsidiary, division, affiliate, 
successor or assign if the personal information such entities 
collect, maintain, or store from or about consumers is limited to a 
first and last name; a home or other physical address, including 
street name and name of city or town; an e-mail address; a telephone 
number; or publicly available information regarding property 
ownership and appraised home value.
---------------------------------------------------------------------------

    Parts V through IX of the proposed orders are reporting and 
compliance provisions. Part V requires respondents to retain documents 
relating to their compliance with the orders. For most records, the 
orders require that the documents be retained for a five-year period. 
For the third-party assessments and supporting documents, respondents 
must retain the documents for a period of three years after the date 
that each assessment is prepared. Part VI requires dissemination of the 
orders now and in the future to principals, officers, directors, and 
managers, and all employees, agents and representatives who engage in 
conduct related to the subject matter of the order. In the ACRAnet and 
SettlementOne orders, Part VII ensures notification to the FTC of 
changes in corporate status. In the Statewide order, Part VII requires 
the individual respondent to notify the FTC of changes in contact 
information, business or employment status, and Part VIII requires the 
corporate respondent to notify the FTC of changes in corporate status. 
Part VIII of the ACRAnet and SettlementOne orders and Part XI of the 
Statewide order mandate that respondents submit an initial compliance 
report to the FTC, and make available to the FTC subsequent reports. 
The last provision of the orders is a provision ``sunsetting'' the 
orders after twenty (20) years, with certain exceptions.
    The purpose of the analysis is to aid public comment on the 
proposed orders. It is not intended to constitute an official 
interpretation of the proposed orders or to modify their terms in any 
way.

By direction of the Commission.
Donald S. Clark
Secretary.

Statement of Commissioner Brill, In Which Chairman Leibowitz and 
Commissioners Rosch and Ramirez Join

In the Matter of SettlementOne Credit Corporation, et al., In the 
Matter of ACRAnet, Inc., In the Matter of Fajilan and Associates, et 
al.

    The respondents in these three matters are resellers of consumer 
reports who failed to take reasonable measures to protect sensitive 
consumer credit information. We fully support staff's work on these 
matters. We write separately to emphasize that in the future we will 
call for imposition of civil penalties against resellers of consumer 
reports who do not take adequate measures to fulfill their obligations 
to protect information contained in consumer reports, as required by 
the Fair Credit Reporting Act (``FCRA'').
    The respondents in these three matters treated their legal 
obligations to protect consumer information as a paper exercise. 
Respondents provided only a cursory review of security measures. 
Thereafter, respondents took no further action to ensure that their 
customers' security measures adequately protected the information in 
the consumer reports. Nor did they provide training on security 
measures to end users. Even after discovering security breaches that 
should have alerted them to problems with the data security of some 
customers, respondents failed to implement measures to check the 
security practices of other clients.
    The FCRA requires respondents to take reasonable measures to ensure 
that consumer reports are given only to entities using the reports for 
purposes authorized by the statute.[1] As a result of respondents' 
failure to comply with the FCRA, nearly 2,000 credit reports were 
improperly accessed. There is not doubt that such unauthorized access 
can result in grave consumer harm through identity theft.
    The significant impact and cost of identity theft are well 
documented. Although reports regarding the impact of identity theft do 
not always agree on specific figures, they do reveal tremendous 
economic and non-economic consequences for both consumers and the 
economy. The Commission itself issued reports in both 2003[2] and 
2007.[3] Our 2007 report estimated that in 2005 alone 8.3 million 
consumers fell victim to identity theft. We found that 1.8 million of 
those victims had new accounts opened in their names. One-quarter of 
the ``new account victims'' incurred more than $1,000 in out-of-pocket 
expenses and five percent spent 1,200 hours in dealing with the 
consequences of the theft. The report concluded that total losses from 
identity theft in 2006 totaled $15.6 billion. Beyond these financial 
impacts, we also identified non-economic harm to victims in many forms: 
Denial of new credit or loans, harassment from collection agencies, the 
loss of the time involved in resolving the problems, and being 
subjected to criminal investigation. In view of the hardships and costs 
brought on by identity theft, measures to prevent it must be rigorously 
enforced.
    While we view the breaches in these cases with alarm, we are also 
cognizant of the fact that these are the first cases in which the 
Commission has held resellers responsible for downstream data 
protection failures.[4] Looking forward, the actions we announce today 
should put resellers--indeed, all of those in the chain of handling 
consumer data--on notice of the seriousness with which we view their 
legal obligations to proactively protect consumers' data.
    The Commission should use all of the tools at its disposal to 
protect consumers from the enormous risks posed by security breaches 
that may lead to identity theft. In the future, we should not hesitate 
to use our authority to seek civil penalties under the FCRA[5] to make 
the protection of consumer data a top priority for those who profit 
from its collection and dissemination.

    [1] 15 U.S.C. 1681b; 15 U.S.C. 1681e(a).
    [2] Fed. Trade Comm'n. Identity Theft Survey Report (2003), 
available at http://www.ftc.gov/os/2003/09/synovatereport.pdf.
    [3] Fed. Trade Comm'n, 2006 Identity Theft Survey Report (2007), 
available at http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.

[[Page 7216]]

    [4] The Commission has previously taken action where the credit 
reporting agency failed to adequately screen purchasers of consumer 
credit information. For instance, in United States v. ChoicePoint, 
Inc., 09-CV-0198 (N.D. Ga. Oct. 19, 2009), the Commission alleged 
that the failure to screen customers led to the sale of 160,000 
credit reports to identity thieves posing as customers of 
ChoicePoint.
    [5] The Fair Credit Reporting Act authorizes the Commission to 
seek civil penalties for violations of the Act. 15 U.S.C. 
1681s(a)(2)(A).

[FR Doc. 2011-2790 Filed 2-8-11; 8:45 am]
BILLING CODE 6750-01-P